Synchronized identity with pass-through authentication 

Pass-through authentication is an authentication method that, like standard synchronized identity, replicates account information to Azure AD. However, with the default pass-through authentication configuration, no password hashes are synchronized. Instead, password validation happens in the on-premises environment. 

After this option has been configured, Azure AD Connect installs an authentication agent on the Azure AD Connect server that maintains a persistent outbound connection to Azure AD. Azure AD authentication agents register with the Azure AD service. Since pass-through authentication relies on on-premises infrastructure to validate login requests, it is recommended to install multiple pass-through authentication agents for redundancy. The Azure AD authentication agent's service communication is secured with public-key cryptography. Each agent has its own public and private key, both of which are used in the authentication process.

When a user attempts to sign in to a resource protected by Azure AD authentication, the sign-in process encrypts the user's identity with the public keys of all of the registered Azure AD authentication agents and places this request in a queue. Through the persistent connection maintained by the Azure AD Connect authentication agent, an on-premises agent picks up the request in the queue, decrypts it with its private key, and validates the credential against the on-premises Active Directory. The response (success, failure, password expired, or locked out) is returned to the Azure AD service to complete the sign-in process.

Azure AD pass-through authentication only requires outbound connectivity on port 443 from the Azure AD Connect server (and any additional servers where redundant pass-through authentication agents have been configured).
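The two operational properties described above, at least two agents for redundancy and outbound TCP 443 from every agent server, can be verified from an administrative workstation. The following PowerShell is an added example, not code from the book or from Microsoft; the server names are constructed, and the agent service name and the Azure AD endpoint it tests are assumptions to confirm against your own agent installation.

```powershell
# Added example: check each candidate pass-through authentication agent server for a
# running agent service and for outbound TCP 443 reachability to Azure AD.
# Assumes PowerShell remoting is enabled on the listed servers.
$AgentServers = @('aadc01.corp.example', 'aadc02.corp.example')   # constructed host names
$ServiceName  = 'AzureADConnectAuthenticationAgent'               # assumed service name
$Endpoint     = 'login.microsoftonline.com'                       # assumed Azure AD endpoint

$results = Invoke-Command -ComputerName $AgentServers -ScriptBlock {
    param($svc, $ep)
    $service = Get-Service -Name $svc -ErrorAction SilentlyContinue
    # Only outbound 443 is needed; no inbound port has to be opened for PTA.
    $net = Test-NetConnection -ComputerName $ep -Port 443 -WarningAction SilentlyContinue
    [pscustomobject]@{
        Server       = $env:COMPUTERNAME
        AgentFound   = [bool]$service
        AgentRunning = ($service -and $service.Status -eq 'Running')
        Outbound443  = $net.TcpTestSucceeded
    }
} -ArgumentList $ServiceName, $Endpoint

$results | Format-Table -AutoSize

# Redundancy check: password validation happens on premises, so a single running
# agent is a single point of failure for every cloud sign-in.
$healthy = @($results | Where-Object { $_.AgentRunning -and $_.Outbound443 })
if ($healthy.Count -lt 2) {
    Write-Warning "Only $($healthy.Count) healthy pass-through authentication agent(s) found; install at least two."
}
```

Run it from a host that can reach the agent servers over remoting; a server that shows `AgentRunning` true but `Outbound443` false will register with Azure AD only after its egress is fixed.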
