What should be configured if you want Azure AD users to authenticate using their existing AD DS passwords without storing hashes in Azure AD?

The focus on enabling Azure Active Directory (Azure AD) users to authenticate using their existing on-premises Active Directory Domain Services (AD DS) passwords without the need for storing password hashes in Azure AD points directly to the use of pass-through authentication.

Pass-through authentication allows users to log into Azure AD with their current AD DS credentials. When a user attempts to authenticate, Azure AD sends the authentication request to the on-premises AD DS, which then validates the password without storing any hash values in Azure AD. This setup is beneficial for organizations that want to maintain a consistent user experience across environments while also ensuring that sensitive password data does not leave their on-premises environment.

This method ensures that passwords stay within the bounds of the on-premises infrastructure, providing an added layer of security and compliance as no password data is duplicated or synchronized to the cloud. In contrast, cloud-only identity, Active Directory Federation Services, and password hash synchronization involve different authentication mechanisms or data handling approaches that do not align with the requirement of avoiding storage of password hashes in Azure AD.