---
title: Pass-through auth (PTA) with Microsoft Entra ID (Azure AD)
description: "Estimated time to complete: 30 minutes"
component: pingoneaic
page_id: pingoneaic:use-cases:use-case-pass-through-auth
canonical_url: https://docs.pingidentity.com/pingoneaic/use-cases/use-case-pass-through-auth.html
keywords: ["Authentication", "Implementation Guide", "Use Case"]
page_aliases: ["implementation:use-case-passthrough-authentication.adoc"]
section_ids:
  passthrough-authentication-description: Description
  passthrough-authentication-goals: Goals
  passthrough-authentication-prereqs: Prerequisites
  passthrough-authentication-tasks: Tasks
  passthrough-authentication-task-1: "Task 1: Sign on to Microsoft Entra ID as the test user"
  passthrough-authentication-task-2: "Task 2: Confirm the test user account in Advanced Identity Cloud"
  passthrough-authentication-task-3: "Task 3: Create a pass-through authentication journey"
  passthrough-authentication-task-4: "Task 4: Adjust node settings for the journey"
  passthrough-authentication-task-5: "Task 5: Adjust password policy settings"
  passthrough-authentication-task-6: "Task 6: Allow public client flows in Microsoft Entra ID"
  passthrough-authentication-validation: Validation
  passthrough-authentication-validation-steps: Steps
  default_login_before: Default login before
  pass_through_authentication: Pass-through authentication
  default_login_after: Default login after
  passthrough-authentication-video-validation: Video of validation
  passthrough-authentication-explore-further: Explore further
  passthrough-authentication-reference-material: Reference material
  passthrough-authentication-nodes-used: Nodes used
---

# Pass-through auth (PTA) with Microsoft Entra ID (Azure AD)

## Description

Estimated time to complete: 30 minutes. This assumes you complete the prerequisites beforehand.

In this use case, you enable pass-through authentication (PTA) to Microsoft Entra ID (formerly Azure AD) and let Advanced Identity Cloud capture the Microsoft Entra ID password for future logins.

### Goals

In completing this use case, you will learn how to do the following:

* Use the Advanced Identity Cloud admin console

* Create an authentication journey enabling pass-through authentication for Microsoft Entra ID users provisioned to Advanced Identity Cloud

* Capture passwords on successful pass-through authentication

## Prerequisites

Before you start work on this use case, make sure you have:

* A basic understanding of:

  * The Advanced Identity Cloud admin console

  * Journeys

  * Nodes

  * Pass-through authentication

* Completed the use case to [Provision users from Microsoft Entra](use-case-provision-from-entra-id.html)

* A test user that exists in Microsoft Entra ID and is provisioned in Advanced Identity Cloud, along with the password to sign on as the test user

* Access to your Advanced Identity Cloud development environment as an administrator

* Access to your Microsoft Entra ID tenant environment as an administrator

## Tasks

### Task 1: Sign on to Microsoft Entra ID as the test user

This confirms you have the test user credentials and the test user is active in Microsoft Entra ID:

1. Browse to the sign-on page for [Microsoft Azure](https://portal.azure.com).

2. Sign on as the test user.

3. If this is the first time the test user signed on, update the password and record the new password for pass-through authentication.

|   |                                                                                                                                                              |
| - | ------------------------------------------------------------------------------------------------------------------------------------------------------------ |
|   | Do not enable multi-factor authentication for the test user. For this use case, the test user must be able to authenticate with only a username and password. |

### Task 2: Confirm the test user account in Advanced Identity Cloud

1. Log in to the Advanced Identity Cloud admin console as an administrator.

2. Select Application > Identities > Manage.

3. Find the Advanced Identity Cloud test user in the list.

   If the test user doesn't have an Advanced Identity Cloud account yet, [provision the account from Microsoft Entra ID](use-case-provision-from-entra-id.html).

Check in

At this point, you have:

* [Signed on as the test user](#passthrough-authentication-task-1) and recorded the credentials.

* [Confirmed the test user](#passthrough-authentication-task-2) is provisioned in Advanced Identity Cloud.

### Task 3: Create a pass-through authentication journey

1. Log in to the Advanced Identity Cloud admin console as an administrator.

2. Select Journeys > + New Journey and set at least the following before clicking Save:

   | Field           | Value                       |
   | --------------- | --------------------------- |
   | NAME            | `PTA with password capture` |
   | Identity Object | `managed/alpha_user`        |

3. Drag the following nodes onto the journey editor canvas:

   * Page node containing:

     * Platform Username node

     * Platform Password node

   * Data Store Decision node

   * Passthrough Authentication node

   * Identify Existing User node

   * Required Attributes Present node

   * Patch Object node

   * Increment Login Count node

   * Inner Tree Evaluator node

4. Connect the nodes, clicking Save from time to time to keep your work:

   ![Pass-through authentication journey layout](_images/passthrough-authentication/pta-journey.png)

   | Source node                                                             | Outcome path    | Target node                      |
   | ----------------------------------------------------------------------- | --------------- | -------------------------------- |
   | Start (person icon)                                                     | →               | Page node                        |
   | Page node containing the Platform Username node and Platform Password node | →               | Data Store Decision node         |
   | Data Store Decision node                                                | `True`          | Increment Login Count node       |
   |                                                                         | `False`         | Passthrough Authentication node  |
   | Passthrough Authentication node                                         | `Authenticated` | Identify Existing User node      |
   |                                                                         | `Missing Input` | Page node                        |
   |                                                                         | `Failed`        | Failure node                     |
   | Identify Existing User node                                             | `True`          | Required Attributes Present node |
   |                                                                         | `False`         | Failure node                     |
   | Required Attributes Present node                                        | `True`          | Patch Object node                |
   |                                                                         | `False`         | Increment Login Count node       |
   | Patch Object node                                                       | `Patched`       | Increment Login Count node       |
   |                                                                         | `Failed`        | Increment Login Count node       |
   | Increment Login Count node                                              | →               | Inner Tree Evaluator node        |
   | Inner Tree Evaluator node                                               | `True`          | Success node                     |
   |                                                                         | `False`         | Success node                     |

### Task 4: Adjust node settings for the journey

Adjust the settings for the specified nodes as follows:

1. Configure these Page node settings and click Save:

   | Field            | Value                                                           |
   | ---------------- | --------------------------------------------------------------- |
   | Page Header      | Key: `en`, Value: `Sign on`                                     |
   | Page Description | Key: `en`, Value: `This page uses pass-through authentication.` |
   | All other fields | Accept the default settings, leaving the fields blank.          |

2. Configure these Passthrough Authentication node settings and click Save:

   | Field              | Value                                                       |
   | ------------------ | ----------------------------------------------------------- |
   | System Endpoint    | The name of the connector for the provisioning application. |
   | Object Type        | Enter `User`.                                               |
   | Identity Attribute | Keep `userName`.                                            |
   | Password Attribute | Keep `password`.                                            |

   To find the name of the connector:

   1. Log in to the Advanced Identity Cloud admin console as an administrator.

   2. Select Native Consoles > Identity Management.

   3. On the Identity Management page, select Configure > Connectors.

   4. Find the MSGraphAPI Connector.

      It is named like the application, but the connector name does not include spaces; for example, an application named Microsoft Entra ID has a connector named `MicrosoftEntraID`.

   To find the name of the object type:

   1. On the Identity Management page, select Configure > *Connector Name* > Object Types.

   2. Find the available types in the list.

3. Configure these Identify Existing User node settings and click Save:

   | Field              | Value             |
   | ------------------ | ----------------- |
   | Identifier         | Keep `userName`.  |
   | Identity Attribute | Enter `userName`. |

4. Configure these Required Attributes Present node settings and click Save:

   | Field             | Value                |
   | ----------------- | -------------------- |
   | Identity Resource | `managed/alpha_user` |

5. Configure these Patch Object node settings and click Save:

   | Field              | Value                |
   | ------------------ | -------------------- |
   | Patch As Object    | Enable.              |
   | Identity Resource  | `managed/alpha_user` |
   | Identity Attribute | Keep `userName`.     |

6. Configure these Inner Tree Evaluator node settings and click Save:

   | Field     | Value                        |
   | --------- | ---------------------------- |
   | Tree Name | Select `ProgressiveProfile`. |

Check in

At this point, you have:

* [Signed on as the test user](#passthrough-authentication-task-1) and recorded the credentials.

* [Confirmed the test user](#passthrough-authentication-task-2) is provisioned in Advanced Identity Cloud.

* [Prepared a journey](#passthrough-authentication-task-3) and connected the nodes.

* [Configured passthrough authentication nodes](#passthrough-authentication-task-4).

### Task 5: Adjust password policy settings

When Advanced Identity Cloud updates a password, it checks the password policy to prevent weak passwords. Pass-through authentication has no way of ensuring a remote password is valid according to the Advanced Identity Cloud policy.

Default Microsoft Entra ID password policies don't necessarily match the default Advanced Identity Cloud password policy. Adjust the Advanced Identity Cloud password policy appropriately to avoid rejecting valid Microsoft Entra ID passwords:

1. Log in to the Advanced Identity Cloud admin console as an administrator.

2. Select Security > Password Policy.

3. Adjust the settings to avoid rejecting valid Microsoft Entra ID passwords.

4. Click Save.

|   |                                                                     |
| - | ------------------------------------------------------------------- |
|   | This changes the password policy for *all identities in the realm*. |

### Task 6: Allow public client flows in Microsoft Entra ID

Update the Microsoft Entra ID application Advanced Identity Cloud uses for provisioning. This change allows the Advanced Identity Cloud connector to authenticate to Microsoft Entra ID with the username and password:

1. Sign on to the Microsoft Entra ID tenant as administrator.

2. Select Home > App registrations > *Microsoft Entra ID application*.

3. In the App registrations page, change Authentication > Advanced settings > Allow public client flows to Yes.

4. Click Save.

Check in

At this point, you have:

* [Signed on as the test user](#passthrough-authentication-task-1) and recorded the credentials.

* [Confirmed the test user](#passthrough-authentication-task-2) is provisioned in Advanced Identity Cloud.

* [Prepared a journey](#passthrough-authentication-task-3) and connected the nodes.

* [Configured passthrough authentication nodes](#passthrough-authentication-task-4).

* [Aligned password policy settings](#passthrough-authentication-task-5).

* [Allowed public client flows](#passthrough-authentication-task-6) in Microsoft Entra ID.

## Validation

You are ready to validate the pass-through authentication journey.

### Steps

Validate authentication in each of the following ways.

#### Default login before

Check the user cannot log in to Advanced Identity Cloud. Advanced Identity Cloud doesn't have the user's password:

1. Log in to the Advanced Identity Cloud admin console as an administrator.

2. Select Journeys > Login and copy the Preview URL.

3. Paste the URL into an incognito window.

   Use incognito mode for testing to avoid caching issues and to make sure no current sessions interfere with your test.

   The login page for the tenant displays.

4. Log in as the test user.

   Login fails.

#### Pass-through authentication

Log in with the user's Microsoft Entra ID credentials, providing the username and password. After Advanced Identity Cloud verifies the credentials in Microsoft Entra ID, it stores the captured password in the user's profile:

1. Log in to the Advanced Identity Cloud admin console as an administrator.

2. Select Journeys > Pass-through authentication with password capture and copy the Preview URL.

3. Paste the URL into an incognito window.

   The login page for the pass-through authentication journey displays.

4. Log in as the test user.

   Behind the scenes, the journey proceeds as follows:

   1. The Data Store Decision node fails to authenticate the user.

   2. The Passthrough Authentication node tests the username and password through the connector to Microsoft Entra ID.

      You provided the correct credentials, so the test succeeds. The node has confirmed the password is valid.

   3. The Identify Existing User node finds the provisioned test user in Advanced Identity Cloud.

   4. The Required Attributes Present node checks the shared node state has the `managed/alpha_user` attributes needed for a minimally complete user profile.

   5. The Patch Object node updates the test user profile with the required attributes, capturing the valid password.

   6. The Increment Login Count node updates the login count.

   7. The Inner Tree Evaluator node invokes the `ProgressiveProfile` journey.

   8. The journey succeeds and the test user profile displays.
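The Task 3 wiring table and the walk-through above, as an added example (not code from Ping Identity and not an Advanced Identity Cloud export): the table is transcribed into a Python dict, the validation path is replayed, and a reachability check confirms that the Patch Object node, which captures the password, can only be reached through the `Authenticated` outcome of the Passthrough Authentication node. The dict layout, the `next` label for unlabeled arrows, and all function names are assumptions made for illustration.

```python
# Added example. JOURNEY transcribes the Task 3 wiring table by hand; it is not
# an Advanced Identity Cloud export. "next" stands for the unlabeled arrows.
JOURNEY = {
    "Start": {"next": "Page"},
    "Page": {"next": "Data Store Decision"},
    "Data Store Decision": {"True": "Increment Login Count",
                            "False": "Passthrough Authentication"},
    "Passthrough Authentication": {"Authenticated": "Identify Existing User",
                                   "Missing Input": "Page",
                                   "Failed": "Failure"},
    "Identify Existing User": {"True": "Required Attributes Present",
                               "False": "Failure"},
    "Required Attributes Present": {"True": "Patch Object",
                                    "False": "Increment Login Count"},
    "Patch Object": {"Patched": "Increment Login Count",
                     "Failed": "Increment Login Count"},
    "Increment Login Count": {"next": "Inner Tree Evaluator"},
    "Inner Tree Evaluator": {"True": "Success", "False": "Success"},
}
TERMINALS = {"Success", "Failure"}
# The only edge that should lead to password capture.
GATE = ("Passthrough Authentication", "Authenticated")


def walk(outcomes, journey=JOURNEY, max_steps=50):
    """Replay the journey; `outcomes` maps a node name to the outcome it returns."""
    node, path = "Start", []
    for _ in range(max_steps):
        if node in TERMINALS:
            return path + [node]
        path.append(node)
        node = journey[node][outcomes.get(node, "next")]
    raise RuntimeError("journey did not terminate (for example, a Missing Input loop)")


def dangling_targets(journey=JOURNEY):
    """Targets that are neither a wired node nor Success/Failure."""
    targets = {t for outs in journey.values() for t in outs.values()}
    return sorted(targets - set(journey) - TERMINALS)


def reachable_without(target, blocked_edge, journey=JOURNEY):
    """True if `target` is reachable from Start with one (node, outcome) edge removed."""
    seen, stack = set(), ["Start"]
    while stack:
        node = stack.pop()
        if node == target:
            return True
        if node in seen or node in TERMINALS:
            continue
        seen.add(node)
        stack.extend(nxt for outcome, nxt in journey[node].items()
                     if (node, outcome) != blocked_edge)
    return False


if __name__ == "__main__":
    first_login = walk({"Data Store Decision": "False",
                        "Passthrough Authentication": "Authenticated",
                        "Identify Existing User": "True",
                        "Required Attributes Present": "True",
                        "Patch Object": "Patched",
                        "Inner Tree Evaluator": "True"})
    print(" -> ".join(first_login))
    print("dangling targets:", dangling_targets())
    print("capture possible without Entra ID accepting the password:",
          reachable_without("Patch Object", GATE))
```

Replaying the path with the Data Store Decision node returning `True` shows that, once the password is captured, the journey no longer passes through the Passthrough Authentication node.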

#### Default login after

Advanced Identity Cloud captured the user password during the pass-through authentication journey. The user can now log in to Advanced Identity Cloud directly:

1. Log in to the Advanced Identity Cloud admin console as an administrator.

2. Select Journeys > Login and copy the Preview URL.

3. Paste the URL into an incognito window.

   The login page for the tenant displays.

4. Log in as the test user.

   Login succeeds.

### Video of validation

**Video (Brightcove)**

<https://players.brightcove.net/771836189001/default_default/index.html?videoId=6343466745112>

## Explore further

### Reference material

| Reference                                                                                                                                                                 | Description                                                           |
| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------- |
| [Task 2: Explore the platform](../getting-started/getting-started-explore-platform.html)                                                                                  | Get to know the Advanced Identity Cloud admin console.                |
| [Azure AD provisioning](../app-management/provision-an-application.html#provision-azure-ad)                                                                               | Learn about connecting Advanced Identity Cloud to Microsoft Entra ID. |
| [Pass-through authentication](../identities/pass-through-authentication.html)                                                                                             | Read about alternative pass-through authentication methods.           |
| [Tutorial: Register an app with Microsoft Entra ID](https://learn.microsoft.com/en-us/power-apps/developer/data-platform/walkthrough-register-app-azure-active-directory) | Refer to this Microsoft Entra ID documentation for details.           |

### Nodes used

|   |                                                                         |
| - | ----------------------------------------------------------------------- |
|   | The following nodes are listed in the order they appear in the journey. |

* [Page node](https://docs.pingidentity.com/auth-node-ref/latest/page.html)

* [Platform Username node](https://docs.pingidentity.com/auth-node-ref/latest/platform-username.html)

* [Platform Password node](https://docs.pingidentity.com/auth-node-ref/latest/platform-password.html)

* [Data Store Decision node](https://docs.pingidentity.com/auth-node-ref/latest/data-store-decision.html)

* [Pass-through Authentication node](https://docs.pingidentity.com/auth-node-ref/latest/passthrough-authentication.html)

* [Identify Existing User node](https://docs.pingidentity.com/auth-node-ref/latest/identify-existing-user.html)

* [Required Attributes Present node](https://docs.pingidentity.com/auth-node-ref/latest/required-attributes-present.html)

* [Patch Object node](https://docs.pingidentity.com/auth-node-ref/latest/patch-object.html)

* [Increment Login Count node](https://docs.pingidentity.com/auth-node-ref/latest/increment-login-count.html)

* [Inner Tree Evaluator node](https://docs.pingidentity.com/auth-node-ref/latest/inner-tree-evaluator.html)

* [Success node](https://docs.pingidentity.com/auth-node-ref/latest/success.html)

* [Failure node](https://docs.pingidentity.com/auth-node-ref/latest/failure.html)
