Pass Through Auth (PTA) and Password Hash Sync (PHS)

In our environment, we are using pass-through auth for Azure AD, but for Azure AD Domain Services, we need to enable Password Hash Sync as well. I have a few questions on that:

1) Can we enable both PTA and PHS?
2) If the above is possible, then which one will be the primary auth?
3) Can we enable PTA for Azure AD and PHS for Azure AD DS?
4) Can we make PHS primary and PTA as manual failover?

Thanks in advance

There are 2 best solutions below

0
On BEST ANSWER

Currently, it's not possible to enable both PTA and PHS from one AAD Connect.

In the future, there may be some other light tools for this, but there is no ETA from the Microsoft Azure AD Product Group.

0
On

You can enable PHS as a backup through "Customize synchronization options" > connect to Azure and AD > Optional features > PHS.

This will just act as a backup, and PTA will remain your primary mode of authentication. Authentication will not fall back to PHS automatically, and you would have to manually switch to PHS if needed.

You would need to enable PHS if you intend to use AAD DS, and if you want to make PHS the primary mode, then PTA has to be disabled at a tenant level and manually enabled when needed.