Preventing Immediate Authentication to Azure AD When Disabling User Accounts in Active Directory

Configuring Pass-Through Authentication

Question

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Active Directory forest that syncs to an Azure Active Directory (Azure AD) tenant.

You discover that when a user account is disabled in Active Directory, the disabled user can still authenticate to Azure AD for up to 30 minutes.

You need to ensure that when a user account is disabled in Active Directory, the user account is immediately prevented from authenticating to Azure AD.

Solution: You configure pass-through authentication.

Does this meet the goal?

Answers

Explanations


A.

B.

A.

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn

The solution proposed in the scenario, which is to configure pass-through authentication, will not meet the stated goal of immediately preventing a disabled user from authenticating to Azure AD.

Pass-through authentication is a feature in Azure AD Connect that allows users to sign in to Azure AD using their Active Directory credentials, without the need for passwords to be stored in the cloud. With pass-through authentication, authentication requests are forwarded from Azure AD to Active Directory Domain Services (AD DS) for validation.

However, pass-through authentication does not control or enforce account lockout or password policies. It only allows users to authenticate with their Active Directory credentials. Therefore, configuring pass-through authentication will not prevent a disabled user account from authenticating to Azure AD for up to 30 minutes.

To achieve the goal of immediately preventing a disabled user account from authenticating to Azure AD, you need to configure Azure AD Connect to use Password Hash Synchronization or Federation Authentication. These authentication methods will immediately block a disabled user account from authenticating to Azure AD.

Therefore, the answer to the question is B. No, configuring pass-through authentication will not meet the goal of immediately preventing a disabled user from authenticating to Azure AD.
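An operational check for the scenario's 30-minute window, added here as an example (not code from the question or the posted explanation): run on the Azure AD Connect server, it reads the scheduler's effective sync interval, disables the account in on-premises Active Directory, and requests a delta sync instead of waiting for the next scheduled cycle. The account name is a placeholder parameter, and the ADSync and ActiveDirectory modules are assumed to be installed.

```powershell
# Added example, not part of the question or the posted explanation.
# Assumes: run on the Azure AD Connect server, ADSync and ActiveDirectory
# modules present, caller may disable accounts. $SamAccountName is a placeholder.
param(
    [Parameter(Mandatory = $true)]
    [string]$SamAccountName   # e.g. 'jdoe' (placeholder value)
)

Import-Module ADSync
Import-Module ActiveDirectory

# 1. Show the scheduler state; the default effective interval is 30 minutes,
#    which is where the "up to 30 minutes" in the scenario comes from.
$sched = Get-ADSyncScheduler
"Sync cycle enabled : {0}" -f $sched.SyncCycleEnabled
"Effective interval : {0}" -f $sched.CurrentlyEffectiveSyncCycleInterval
"Next cycle (UTC)   : {0}" -f $sched.NextSyncCycleStartTimeInUTC

# 2. Disable the on-premises account and confirm the change took.
Disable-ADAccount -Identity $SamAccountName
$user = Get-ADUser -Identity $SamAccountName -Properties Enabled
"Account '{0}' enabled in AD: {1}" -f $SamAccountName, $user.Enabled

# 3. Do not wait for the scheduled cycle: request a delta sync now so the
#    disabled state is exported to Azure AD as soon as possible.
if ($sched.SyncCycleInProgress) {
    Write-Warning "A sync cycle is already running; the change is picked up by it or the next cycle."
} else {
    Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
    "Delta sync cycle requested."
}
```

This shortens the propagation delay for new sign-ins only; access tokens already issued to the user remain valid until they expire.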