Domain 1: Implement and Manage User Identities (Module 8 of 8, ~14 min read)

Hybrid Authentication: PHS, PTA & Seamless SSO

Choose the right authentication method for hybrid environments — password hash sync, pass-through authentication, or federation — and plan your AD FS migration.

The hybrid authentication decision

☕ Simple explanation

When cloud and on-prem meet, someone has to check the password. The question is: who?

Three options:

  • Password Hash Sync (PHS) — Copy a scrambled version of passwords to the cloud. Entra checks the password directly. Like giving a copy of your house key to a trusted neighbour.
  • Pass-Through Auth (PTA) — Entra asks your on-prem AD to check the password in real time. The password never leaves your building. Like calling your landlord to verify a visitor.
  • Federation (AD FS) — A separate server handles all authentication. Everything goes through it. Like having a dedicated security guard at the front gate.

Hybrid authentication determines where password validation happens when users sign in to cloud resources. Microsoft Entra supports three methods:

  • Password hash synchronisation (PHS) — a hash of the on-prem password hash is synced to Entra ID, enabling cloud-side authentication
  • Pass-through authentication (PTA) — authentication requests are forwarded to on-prem AD agents in real time
  • Federation with AD FS — all authentication is redirected to on-premises Active Directory Federation Services

Microsoft recommends PHS as the primary method, with PTA for organisations that require on-premises password validation. AD FS federation is legacy and should be migrated away from.

The three methods compared

| Feature | Password Hash Sync (PHS) | Pass-Through Auth (PTA) | Federation (AD FS) |
| Where passwords are validated | In the cloud (Entra ID) | On-premises (AD agents) | On-premises (AD FS servers) |
| Password stored in cloud? | Hash of hash (not plaintext) | Never — validated on-prem | Never — validated on-prem |
| On-prem dependency | None (works if on-prem is down) | Yes — needs running agents | Yes — needs running AD FS servers |
| Infrastructure required | Entra Connect only | Entra Connect + PTA agents | AD FS servers + WAP proxies |
| Supports ID Protection | Yes | Yes, except leaked credentials detection (needs PHS) | No |
| Supports leaked credentials detection | Yes | Only if PHS is also enabled | No |
| On-prem password policies enforced | At sync time (not real-time) | Real-time | Real-time |
| Smart lockout | Cloud-based | Cloud + on-prem | On-prem only |
| Complexity | Low | Medium | High |
| Microsoft recommendation | Primary choice | When on-prem validation required | Migrate away |

Password Hash Synchronisation (PHS)

How it works:

  1. Entra Connect reads the password hash from on-prem AD
  2. Applies an additional hashing algorithm (SHA-256)
  3. Syncs the derived hash to Entra ID
  4. When a user signs in, Entra compares the entered password hash against the stored hash
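To make the "hash of the hash" concrete, here is an added Python model of the four steps (example code written for this guide, not Entra Connect's own implementation). It assumes the on-prem hash is the NT hash, models the cloud-side step as salted PBKDF2-HMAC-SHA256 with an illustrative 1,000 iterations and a 10-byte salt, and uses constructed usernames and passwords. It goes a step beyond the list by showing why the synced value cannot be replayed as the on-prem hash and why cloud-stored hashes are what make leaked credentials detection possible.

```python
import hashlib
import hmac
import secrets

# Illustrative constants (assumptions for this model, not Entra Connect's own settings).
PBKDF2_ITERATIONS = 1000
SALT_BYTES = 10


def on_prem_hash(password: str) -> bytes:
    """Step 1: the hash that on-prem AD already holds.

    Assumption: modelled as the NT hash (MD4 over the UTF-16LE password).
    MD4 is a legacy digest that some OpenSSL builds disable, so the model
    drops to a clearly labelled stand-in rather than fail; the sync logic
    that follows is unchanged either way.
    """
    data = password.encode("utf-16-le")
    try:
        return hashlib.new("md4", data).digest()
    except ValueError:
        # Stand-in (assumption): NOT the real NT hash algorithm.
        return hashlib.sha256(b"nt-hash-stand-in:" + data).digest()[:16]


def derive_cloud_hash(nt_hash: bytes, salt: bytes) -> bytes:
    """Steps 2-3: the 'hash of the hash' that is actually synced.

    A per-user salt plus PBKDF2-HMAC-SHA256 means the synced value is not
    the NT hash itself, so a copy of it cannot be replayed on-prem, and two
    users with the same password get different cloud records.
    """
    return hashlib.pbkdf2_hmac("sha256", nt_hash, salt, PBKDF2_ITERATIONS)


def sync_record(username: str, password: str) -> dict:
    """What Entra Connect would send for one user. The plaintext is used only
    to compute the on-prem hash here because the model has no real AD."""
    salt = secrets.token_bytes(SALT_BYTES)
    return {
        "user": username,
        "salt": salt,
        "iterations": PBKDF2_ITERATIONS,
        "hash": derive_cloud_hash(on_prem_hash(password), salt),
    }


def cloud_sign_in(record: dict, attempt: str) -> bool:
    """Step 4: Entra ID repeats the derivation on the typed password and
    compares in constant time. Nothing on-prem is contacted."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", on_prem_hash(attempt), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["hash"])


def match_leaked_passwords(records: dict, leaked_plaintexts: list) -> set:
    """Why leaked credentials detection needs PHS: with the salted hash in the
    cloud, Entra can push each password from a breach corpus through the same
    derivation per user and flag matches without ever seeing the user's
    password. Returns the usernames whose current password appears in the
    (constructed) leaked list."""
    flagged = set()
    for username, record in records.items():
        for candidate in leaked_plaintexts:
            if cloud_sign_in(record, candidate):
                flagged.add(username)
                break
    return flagged


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    records = {
        "priya": sync_record("priya", "Correct-Horse-9"),
        "anika": sync_record("anika", "Winter2024!"),
    }
    print("priya correct password :", cloud_sign_in(records["priya"], "Correct-Horse-9"))
    print("priya wrong case       :", cloud_sign_in(records["priya"], "correct-horse-9"))
    print("flagged by leaked list :", match_leaked_passwords(records, ["Winter2024!", "Password1"]))
```

The record Entra receives contains the salt, the iteration count and the derived hash, never the password and never the raw NT hash. That is the exam point: a cloud-side compromise of these records would not hand an attacker anything that works directly against on-prem AD, while the cloud still has enough to verify sign-ins and to compare against known-leaked passwords.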

Why Microsoft recommends PHS:

  • Simplest — no extra infrastructure
  • Most resilient — works even if on-prem is completely down
  • Enables ID Protection — leaked credentials detection requires cloud-stored hashes
  • No real-time on-prem dependency — sign-in doesn’t fail if your network goes down

💡 Exam tip: PHS is NOT storing plaintext passwords

A common misconception the exam tests: PHS does NOT store your actual password in the cloud. It stores a hash of the hash (double-hashed with SHA-256). Even if the hash were compromised, deriving the original password is computationally infeasible.

The trade-off: password changes on-prem take up to 2 minutes to sync to the cloud. PHS runs its own dedicated sync cycle every ~2 minutes, independent of the 30-minute delta sync. During that window, the old password still works in the cloud.

Pass-Through Authentication (PTA)

How it works:

  1. User enters credentials at the Entra sign-in page
  2. Entra encrypts the password and puts it in a queue
  3. An on-prem PTA agent picks up the request
  4. The agent validates the password against on-prem AD
  5. Result (success/failure) is returned to Entra

When to choose PTA:

  • Regulatory or security policy requires passwords to NEVER leave on-premises
  • You need real-time enforcement of on-prem password policies, account lockouts, and logon hours
  • Certain compliance frameworks (healthcare, government) mandate on-prem password validation

PTA agent deployment:

  • Install at least 2-3 agents for high availability (if one agent fails, others take over)
  • Agents connect outbound to Azure Service Bus — no inbound firewall rules needed
  • Agents must be installed on domain-joined Windows Servers

ℹ️ Scenario: Priya chooses PTA for clinical systems

Meridian Health’s security policy states: “Patient data system credentials must not be stored outside the hospital network.” This eliminates PHS for clinical staff.

Priya deploys PTA:

  • Three PTA agents across Auckland, Wellington, and Christchurch data centres
  • If the Auckland agent goes down, Wellington and Christchurch handle authentication
  • On-prem AD logon hour restrictions are enforced in real time (nurses can’t sign in outside their shift)

But she also enables PHS as a backup. If ALL PTA agents are offline (e.g., national network outage), Entra can fall back to PHS. This requires enabling both — PHS runs alongside PTA.
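The five PTA steps, the agent high-availability advice and Priya's PHS-as-backup arrangement, as one added Python model (example code written for this guide, not Microsoft's). Agent names, the nurse account, its logon hours and the "Ward-7-Rounds" password are constructed; queue encryption and the real Service Bus transport are not modelled; the PHS side is a simplified salted PBKDF2 compare. One design choice to note: the switch from PTA to PHS is an explicit operator action in the model, because Microsoft documents that failover as a manual change of sign-in method in Entra Connect rather than an automatic fallback.

```python
from dataclasses import dataclass
import hashlib
import hmac
import secrets


@dataclass
class OnPremAccount:
    """Constructed stand-in for an AD user. Real AD stores a hash, never the
    plaintext; this model keeps the plaintext only so it can validate."""
    password: str
    logon_hours: range        # hours of the day the account may sign in
    locked_out: bool = False


@dataclass
class PtaAgent:
    name: str                 # assumption: named after the data centre hosting it
    online: bool = True
    handled: int = 0


class OnPremAD:
    """Step 4 of the PTA flow: the domain-controller side of the check."""

    def __init__(self, accounts: dict):
        self.accounts = accounts

    def validate(self, user: str, password: str, hour: int) -> str:
        acct = self.accounts.get(user)
        if acct is None or acct.locked_out:
            return "denied"
        if hour not in acct.logon_hours:          # on-prem policy, checked in real time
            return "denied:logon_hours"
        if not hmac.compare_digest(acct.password.encode(), password.encode()):
            return "denied:bad_password"
        return "ok"


class EntraTenant:
    """Cloud side. sign_in_method stays 'PTA' until an operator switches it."""

    def __init__(self, ad: OnPremAD, agents: list, phs_enabled: bool):
        self.ad = ad
        self.agents = agents
        self.sign_in_method = "PTA"
        self.phs_enabled = phs_enabled
        self.queue = []             # step 2: requests waiting for an agent
        self.cloud_hashes = {}      # populated only when PHS runs alongside PTA
        if phs_enabled:
            self._phs_sync()

    def _phs_sync(self) -> None:
        # Simplified PHS: a salted PBKDF2-HMAC-SHA256 value per user is all
        # the cloud ever holds (illustrative iteration count and salt size).
        for user, acct in self.ad.accounts.items():
            salt = secrets.token_bytes(10)
            digest = hashlib.pbkdf2_hmac("sha256", acct.password.encode(), salt, 1000)
            self.cloud_hashes[user] = (salt, digest)

    def sign_in(self, user: str, password: str, hour: int) -> str:
        if self.sign_in_method == "PHS":
            return self._phs_validate(user, password)
        # Steps 1-3: queue the request; any online agent may pull it. Real
        # Entra encrypts the queued password to the agents' keys (not modelled).
        self.queue.append({"user": user, "password": password, "hour": hour})
        agent = next((a for a in self.agents if a.online), None)
        if agent is None:
            self.queue.pop()        # nobody will ever collect it: the sign-in times out
            return "error:no_pta_agents"
        req = self.queue.pop(0)
        agent.handled += 1
        return self.ad.validate(req["user"], req["password"], req["hour"])   # step 5

    def _phs_validate(self, user: str, password: str) -> str:
        # Cloud-side compare: note that on-prem logon hours are NOT consulted.
        entry = self.cloud_hashes.get(user)
        if entry is None:
            return "denied"
        salt, stored = entry
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000)
        return "ok" if hmac.compare_digest(candidate, stored) else "denied:bad_password"

    def switch_to_phs(self) -> None:
        """Operator action: Microsoft documents PTA-to-PHS failover as a manual
        change of sign-in method, not an automatic fallback."""
        if not self.phs_enabled:
            raise RuntimeError("PHS was never enabled alongside PTA; there is no backup")
        self.sign_in_method = "PHS"


def build_demo_tenant() -> EntraTenant:
    """Constructed data mirroring the scenario: three agents, one nurse whose
    on-prem logon hours are 07:00-18:59, PHS enabled as a backup."""
    ad = OnPremAD({"nurse1": OnPremAccount("Ward-7-Rounds", range(7, 19))})
    agents = [PtaAgent("auckland"), PtaAgent("wellington"), PtaAgent("christchurch")]
    return EntraTenant(ad, agents, phs_enabled=True)


if __name__ == "__main__":
    tenant = build_demo_tenant()
    print("on shift, PTA   :", tenant.sign_in("nurse1", "Ward-7-Rounds", hour=10))
    print("off shift, PTA  :", tenant.sign_in("nurse1", "Ward-7-Rounds", hour=2))
    for agent in tenant.agents:
        agent.online = False
    print("all agents down :", tenant.sign_in("nurse1", "Ward-7-Rounds", hour=10))
    tenant.switch_to_phs()
    print("off shift, PHS  :", tenant.sign_in("nurse1", "Ward-7-Rounds", hour=2))
```

Running it shows the two trade-offs the comparison table lists side by side: while the tenant is on PTA, losing one agent is invisible to users but losing all of them fails every sign-in, and once the operator switches to the PHS backup, sign-ins work again but the on-prem logon-hour restriction is no longer applied, because the cloud-side compare only sees the synced hash.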

Seamless SSO

Seamless SSO eliminates password prompts for users on domain-joined devices inside the corporate network. It works with both PHS and PTA.

How it works:

  1. User signs in to their domain-joined device (Kerberos ticket obtained)
  2. User opens a browser and navigates to a cloud app
  3. The browser sends a Kerberos authentication request
  4. Entra Connect has already created a computer account (AZUREADSSOACC) in on-prem AD for this purpose
  5. The Kerberos ticket is validated against this account
  6. User is silently signed in — no password prompt

Requirements:

  • Domain-joined devices (Windows)
  • Users must be on the corporate network (or VPN)
  • Works with PHS or PTA (not needed with AD FS — it has its own SSO)
  • The AZUREADSSOACC computer account’s Kerberos decryption key must be rotated regularly (every 30 days recommended)

💡 Exam tip: seamless SSO limitations

Seamless SSO only works on domain-joined devices on the corporate network. It does NOT work:

  • On Entra Joined (cloud-only) devices — they already have SSO via Primary Refresh Token
  • On personal/BYOD devices
  • On macOS, iOS, or Android
  • When the user is off-network (unless on VPN)

The exam tests these limitations. If a question mentions “personal laptop from home,” seamless SSO is not the answer.

Migrating from AD FS

Microsoft actively recommends migrating from AD FS to PHS or PTA. AD FS is complex, requires on-prem infrastructure, and doesn’t benefit from cloud security features (ID Protection, leaked credentials).

Migration approach (staged rollout):

  1. Enable PHS alongside AD FS (as a safety net)
  2. Use staged rollout to migrate groups of users from AD FS to PHS/PTA
  3. Test each group thoroughly (Conditional Access, MFA, SSO)
  4. Move all users once confidence is high
  5. Decommission AD FS servers

ℹ️ Scenario: Anika migrates a client from AD FS

Anika’s client has been running AD FS for 8 years. Three WAP servers, two AD FS servers, certificates to manage, and a history of outages when the AD FS farm goes down.

Migration plan:

  1. Enable PHS (passwords sync to cloud as a safety net)
  2. Use staged rollout: move the IT department first (50 users)
  3. Monitor for 2 weeks — check sign-in logs, CA policy behaviour
  4. Migrate Finance, then HR, then all remaining users
  5. After 30 days with no issues, decommission AD FS

Result: Simpler infrastructure, cloud-side security features unlocked, no more AD FS certificate emergencies at 2 AM.


Flashcards

Question: What does Password Hash Synchronisation (PHS) store in the cloud?

Answer: A hash of the on-premises password hash (double-hashed with SHA-256). NOT the plaintext password. This enables cloud-side authentication and features like leaked credentials detection.

Question: Why might an organisation choose PTA over PHS?

Answer: When regulatory or security policies require passwords to never leave on-premises. PTA validates passwords in real time against on-prem AD — the password is encrypted in transit and never stored in the cloud.

Question: What is the AZUREADSSOACC computer account?

Answer: A computer account created in on-prem AD by Entra Connect for seamless SSO. It holds the Kerberos decryption key. Domain-joined devices use Kerberos tickets validated against this account for silent cloud sign-in. The key should be rotated every 30 days.

Question: What is the recommended approach to migrate from AD FS?

Answer: 1) Enable PHS as a safety net, 2) Use staged rollout to migrate user groups from federation to PHS/PTA, 3) Test each group (sign-in logs, CA policies), 4) Move all users, 5) Decommission AD FS servers.

Knowledge Check

  1. An organisation wants users to sign in to cloud apps without entering a password when they're on domain-joined devices at the office. They use password hash sync. What should they enable?
  2. A hospital's security policy states that user passwords must never be stored outside the hospital network, even in hashed form. Which authentication method satisfies this requirement?
  3. Anika is migrating a client from AD FS to cloud authentication. She wants to test with the IT team first before moving all 2,000 users. Which feature enables this phased approach?
  4. An organisation currently uses password hash synchronisation and seamless SSO. Users on domain-joined devices at the office sign in without entering a password. A remote worker on a personal laptop reports they must always enter their password. Why?


Next up: Authentication Methods: Passwords to Passkeys — explore the full toolkit of modern authentication methods from certificate-based auth to FIDO2 passkeys.

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.