In Part 1, we built the Bridge (Entra Connect) between our physical City Hall and our Satellite Colony in the cloud. But now we face a crucial architectural decision: Who checks the ID cards?
When a citizen stands at the Satellite gate (logging into Office 365), do they use a copy of their ID kept at the station, or does the station have to call City Hall to verify them every single time?
This is the choice between Password Hash Synchronization (PHS) and Pass-Through Authentication (PTA).
1. Password Hash Sync (PHS): The “Fingerprint” Method
With PHS, your local City Hall takes a “mathematical fingerprint” (a hash) of each user’s password, hashes that fingerprint again with a salt so the original can’t be recovered, and sends only the result to the Satellite.
- How it works: When a user logs in to the cloud, Entra ID checks the fingerprint it already has on file.
- The Big Advantage: Resilience. If a storm knocks out the power to your physical City Hall (on-prem servers), your users can still work in the cloud. The Satellite is independent.
- The “Mindful” Fact: Microsoft Entra ID never actually sees your “clear-text” password. It only sees the scrambled math.
2. Pass-Through Authentication (PTA): The “Live Call” Method
With PTA, the Satellite Colony doesn’t keep any record of the password. Instead, it has a direct secure tunnel back to your local Domain Controllers.
- How it works: When a user logs in, the cloud passes the credentials through the tunnel. Your local DC says “Yes” or “No,” and the cloud lets them in.
- The Big Advantage: Real-Time Control. If you disable a user in your office, their very next cloud sign-in attempt is refused. There is no “sync delay.” (Sessions and tokens already issued still run until they expire, so pair this with short token lifetimes or sign-in revocation if you need an instant cut-off.)
- The Trade-off: If your local internet goes down or your servers crash, nobody can log in to the cloud. Your Satellite becomes a ghost town because it can’t “call home.”
3. Which one should you choose?
- Choose PHS if: You want the highest availability and a “set-it-and-forget-it” approach. It is the recommended path for 90% of organizations.
- Choose PTA if: Your security policy strictly forbids password metadata (even scrambled hashes) from ever leaving your physical building.
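To make the two trade-offs above concrete (cloud answers from a local copy vs. calling home every time), here is a small Python model of both sign-in paths. It is an added illustration, not code from the original post or from Microsoft; the user, password and domain are constructed, and the PBKDF2 verifier merely stands in for the real Entra Connect hashing.

```python
"""Toy model of PHS vs PTA sign-in paths (added illustration, not Microsoft code)."""
import hashlib
import hmac
import os

def make_verifier(password, salt=None):
    """Salted PBKDF2 stand-in for the re-hashed 'fingerprint'; never stores the password."""
    salt = salt or os.urandom(10)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-16-le"), salt, 1000)

class OnPremAD:
    """City Hall: the domain controllers that hold the authoritative account state."""
    def __init__(self):
        self.users = {}          # upn -> {"salt", "verifier", "enabled"}
        self.reachable = True    # False simulates a DC or internet outage
    def add_user(self, upn, password):
        salt, verifier = make_verifier(password)
        self.users[upn] = {"salt": salt, "verifier": verifier, "enabled": True}
    def check(self, upn, password):
        if not self.reachable:
            raise ConnectionError("on-prem DC unreachable")
        user = self.users.get(upn)
        if not user or not user["enabled"]:
            return False
        _, verifier = make_verifier(password, user["salt"])
        return hmac.compare_digest(verifier, user["verifier"])

class EntraCloud:
    """The Satellite: answers from its synced copy (PHS) or calls home (PTA)."""
    def __init__(self, onprem, mode):
        self.onprem, self.mode, self.synced = onprem, mode, {}
    def sync(self):
        # Entra Connect cycle: copies verifier + enabled flag, never the clear-text password
        self.synced = {upn: dict(data) for upn, data in self.onprem.users.items()}
    def sign_in(self, upn, password):
        if self.mode == "PTA":
            try:
                return self.onprem.check(upn, password)
            except ConnectionError:
                return False          # fail closed: the Satellite can't "call home"
        user = self.synced.get(upn)   # PHS: decide from the local copy
        if not user or not user["enabled"]:
            return False
        _, verifier = make_verifier(password, user["salt"])
        return hmac.compare_digest(verifier, user["verifier"])
```

Disabling the account on-prem blocks PTA sign-ins at once but PHS only after the next sync, while an on-prem outage leaves PHS working and PTA failing closed.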
The Architect’s Reflection
In our lives, we often struggle between Trust and Control.
PHS is an act of Trust. We provide the “Satellite” with what it needs to function independently, allowing the system to be resilient even when we aren’t around. PTA is an act of Control. We want to be the final word on every decision, even if it makes the system more fragile.
A Mindful Architect looks for the balance. Total control often leads to exhaustion and a “single point of failure.” True resilience comes from building systems (and lives) that can function beautifully even when the main “City Hall” is temporarily quiet.
Security is important, but availability is the breath of the network.
Next in the Series: Seamless SSO — The magic of the invisible login.
Which heartbeat does your city use? Are you a fan of the “Always-Connected” PTA, or do you prefer the “Cloud-Resilient” PHS? Let’s talk about your choice in the comments!
#PHS #PTA #EntraID #AzureAD #ActiveDirectory #IdentityManagement.