Download and install Azure Ad Connect from your tenant
Select “customize”
Don’t select anything
Select “password Hash Sync” because, if you need the Pass-Through Auth, you need an AD with Win 2012 level.
Enable also the SSO.

Insert ID and PW of your 365’s Tenant Admin

Now select your AD and click “Add Directory”

Select “Use existing AD Account” or let AD Connect create it.
Now select the “verified” domain, and if isn’t showed you need to add this “label” into your AD “Domain and Trust” .
Select the OU from wich AAD start to sync in the cloud
Leave default.
Select “Sync all users” becouse we’ve selected the OU before.
In the case, you have not only to sync your AD, but if you need to deploy an enviroment with Exchange Hybryd , select also the first option.
Enable “Password writeback” if you need to permit changing pw from the cloud to the premises
Select “Enter credential” and add an AD account with Admin’s rights.
Select Start and then Install
Now we need to create a GPO to add this two sites ad “trusted”:
In this way, we allow to work with SSO.
GPO sections: Site to Zone Assignment List di User Configuration\Policies\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page
That’s it