
In the Azure Active Directory admin center:

- A cloud-only Hybrid Identity Administrator account lets you manage the configuration of your tenant should your on-premises services fail or become unavailable. Learn about adding a cloud-only Hybrid Identity Administrator account. Completing this step is critical to ensure that you don't get locked out of your tenant.
- Add one or more custom domain names to your Azure AD tenant. Your users can sign in with one of these domain names.

In your on-premises environment:

- Identify a server running Windows Server 2016 or later to run Azure AD Connect. If not enabled already, enable TLS 1.2 on the server. Add the server to the same Active Directory forest as the users whose passwords you need to validate. Note that installation of the Pass-through Authentication agent on Windows Server Core versions is not supported.
- Install the latest version of Azure AD Connect on the server identified in the preceding step. If you already have Azure AD Connect running, ensure that the version is supported.
- In production environments, we recommend that you have a minimum of 3 Authentication Agents running on your tenant. There is a system limit of 40 Authentication Agents per tenant. As a best practice, treat all servers running Authentication Agents as Tier 0 systems (see reference).
- If there is a firewall between your servers and Azure AD, configure the following items:
  - Ensure that Authentication Agents can make outbound requests to Azure AD over the following ports:
    Port 80: Downloads the certificate revocation lists (CRLs) while validating the TLS/SSL certificate.
    Port 443: Handles all outbound communication with the service.
    Port 8080: Authentication Agents report their status every ten minutes over port 8080, if port 443 is unavailable. This status is displayed on the Azure portal.
  - If your firewall enforces rules according to the originating users, open these ports for traffic from Windows services that run as a network service.
  - If your firewall or proxy lets you add DNS entries to an allowlist, add connections to *. and *.
  - If not, allow access to the Azure datacenter IP ranges, which are updated weekly.
  - Avoid all forms of inline inspection and termination of outbound TLS communications between the Azure Pass-through Agent and the Azure endpoint.
  - If you have an outgoing HTTP proxy, make sure this URL,, is on the allowed list.
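The server-side prerequisites above (Windows Server 2016 or later, not Server Core, domain-joined, TLS 1.2 enabled, outbound reachability on ports 80, 443 and 8080) can be verified before the agent is installed. The following pre-flight script is an added example, not Microsoft's code; it assumes the SCHANNEL and .NET registry locations used to enable TLS 1.2 on Windows, the Server 2016 RTM build number 10.0.14393, and placeholder hostnames in place of the Azure endpoints, which are not reproduced on this page.

```powershell
# Added example: pre-flight checks for a Pass-through Authentication agent host.
# Replace the placeholder hostnames with the endpoints your allowlist permits.
param(
    [string[]]$AllowlistedHosts = @('<azure-endpoint-1>', '<azure-endpoint-2>'),  # placeholders
    [int[]]$Ports = @(80, 443, 8080)   # 80 = CRL downloads, 443 = service traffic, 8080 = status fallback
)

$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $script:results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

# 1. Windows Server 2016 or later (build 14393 is Server 2016 RTM), and not a Server Core install
$os = Get-CimInstance Win32_OperatingSystem
$isServer2016Plus = ($os.ProductType -ne 1) -and ([version]$os.Version -ge [version]'10.0.14393')
Add-Check 'Windows Server 2016 or later' $isServer2016Plus "$($os.Caption) $($os.Version)"
$install = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').InstallationType
Add-Check 'Not Server Core' ($install -ne 'Server Core') "InstallationType=$install"

# 2. Domain-joined, so the agent can validate passwords in the users' forest
$cs = Get-CimInstance Win32_ComputerSystem
Add-Check 'Domain joined' ([bool]$cs.PartOfDomain) "Domain=$($cs.Domain)"

# 3. TLS 1.2 explicitly enabled: SCHANNEL client protocol plus .NET strong crypto.
#    A missing key is reported as a failure because the docs ask for it to be set explicitly.
$tlsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
$tls = Get-ItemProperty -Path $tlsKey -ErrorAction SilentlyContinue
$tlsOk = ($null -ne $tls) -and ($tls.Enabled -eq 1) -and ($tls.DisabledByDefault -eq 0)
$tlsDetail = if ($tls) { "Enabled=$($tls.Enabled) DisabledByDefault=$($tls.DisabledByDefault)" } else { 'key missing' }
Add-Check 'TLS 1.2 client enabled (SCHANNEL)' $tlsOk $tlsDetail
$net = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -ErrorAction SilentlyContinue
Add-Check '.NET SchUseStrongCrypto=1' ($net.SchUseStrongCrypto -eq 1) "SchUseStrongCrypto=$($net.SchUseStrongCrypto)"

# 4. Outbound TCP reachability on each required port, one row per host/port pair.
#    A blocked port here shows up as a failed TCP handshake rather than an agent error later.
foreach ($h in $AllowlistedHosts) {
    foreach ($port in $Ports) {
        $t = Test-NetConnection -ComputerName $h -Port $port -WarningAction SilentlyContinue
        Add-Check "Outbound ${h}:${port}" ([bool]$t.TcpTestSucceeded) "RemoteAddress=$($t.RemoteAddress)"
    }
}

$results | Format-Table -AutoSize
# Non-zero exit lets a deployment pipeline stop before the agent is installed on a non-compliant host.
if ($results | Where-Object { -not $_.Pass }) { exit 1 }
```

Run it in an elevated PowerShell session on the candidate server; the port checks only prove a TCP handshake succeeds, so a proxy that terminates TLS inline would still pass them and has to be ruled out on the proxy side.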


From a security standpoint, administrators should treat the server running the PTA agent as if it were a domain controller.
