I'm curious about the design implications of Hybrid Identity Pass-Through Authentication (PTA) happening over the internet. Isn't it concerning from both a security and performance standpoint? I'd appreciate advice on how to explain this to enterprise management teams.
3 Answers
If you're really worried about security with PTA, consider switching to Password Hash Sync (PHS) instead. It allows logins to authenticate directly with Entra without routing through on-premises AD. Just be aware that if your on-premises servers go down, so do user logins to cloud services since the credentials rely on those servers.
When using PTA, remember that it operates over a secure TLS connection. The PTA agents create outbound connections to your tenant and extract authentication requests from your tenant's endpoints. Your AD environment isn’t exposed to the internet or the cloud.
Isn't it a bit overblown to worry about PTA since you're already accessing cloud services like M365? The real concern lies in the data access itself, not just the authentication happening online. It's something to think about!
True, almost all internet traffic is encrypted with TLS these days. While there's a risk of compromise depending on the TLS server's private key, we generally accept these risks for the sake of ease and performance.
Exactly! Go for PHS instead of PTA to prevent any unnecessary complications.