Azure AD Password Hash Synchronization (PHS)

With Azure AD Connect you can synchronize data from your on-premises Active Directory with Azure AD. Password sync is enabled by default when configuring AD Connect. This allows on-premises AD users to use a single login to authenticate on Microsoft Azure cloud services.

User passwords in Windows Active Directory are not stored in clear text. They are stored as a hash that is generated from the password using the SHA256-based hash algorithm.

Note. This means that it is not possible to get the clear text password of an AD user from the ntds.dit database. Only the password hash is available.

For added security, password hashes are encrypted in transit to Azure AD (using SSL/TLS). In a healthy AD infrastructure, the user’s password is being synchronized with Azure AD every 2 minutes. If you change your password in on-prem AD, it will be in Azure in two minutes.

To set up sync with Azure AD tenant and on-premises Active Directory, you need to download and install AzureADConnect.

Hint. AzureADConnect replaces DirSync that was used for synchronization previously.

Requirements for the server on which AzureADConnect is installed:

  • Windows Server 2012 R2 or newer;
  • .Net Framework 4.5;
  • Availability to access to Azure and static public IP address;
  • It is not recommended to install AzureADConnect on domain controllers or ADFS servers.
  1. Download and run the AzureADConnect.msi;
    password hash synchronization
  2. Accept the license agreement;
  3. You can use Express installation (recommended), or customize the installation parameter by pressing the Customize button. In Customize mode, you can change the installation directory, specify the SQL server (by default a local instance of SQL Server Express is installed, the Azure AD Sync database is stored in the directory C:\Program Files\Microsoft Azure AD Sync), select a service account for Microsoft Azure AD Sync service, change directory sync permissions);
    password hash sync
  4. Select Single Sign on method – Password Synchronization;
    azure password hash sync
  5. Specify the credentials of an Azure account with Global Admin permissions to connect to the tenant; Note. Microsoft recommends using an account with the UPN suffix tenant.onmicrosoft.com, with a permanent password, and without Multi-Factor Authentication (MFA). If the password for this account expires in Azure AD, then Azure AD Connect sync will break.
    enable password hash synchronization
  6. Then the user account with Enterprise Admins permissions in the on-premActive Directory is specified;
    azure ad connect password hash sync
  7. Choose a way to identify users > Users are represented only once across all directories;
    password hash sync azure ad
  8. You can synchronize only one user group with AzureAD (users must be added directly to this group, nested AD groups users are not synchronized). If you select the Synchronize all users and devices option, you can later use the Synchronization Service Manager tool to customize sync directory partitions (is a part of the AzureADConnect installation);
    azure ad connect password hash
  9. Select additional options. Password hash synchronization is selected by default. Select the Password writeback option if you want to allow your users to reset their on-premises AD passwords from Azure;
    ad connect password hash synchronization
  10. If you want to start an immediate synchronization, enable the Start the synchronization process as soon as the configuration completes option (it may take a significant amount of time depending on the size of your on-premises AD database).
    azure ad password hash
READ ALSO  How to Raise Active Directory Domain and Forest Functional Level?

After the AzureADConnect installation is complete, a new Azure AD Sync Scheduler task appears in Task Scheduler.

azure ad password hash synchronization

Hint. You can manage other Azure AD sync settings.

To verify that the passwords are correctly synchronized with Azure AD, you can use the PowerShell cmdlet from the AAD Connect module:

Import-Module adsync

Invoke-ADSyncDiagnostics -PasswordSync

You also need to pay attention to the events Event ID 611, 657 on the Sync server. When they appear, it is recommended to force synchronization using the following PowerShell script:

#$adConnector and $aadConnector are case-sensitive parameters

$adConnector  = “theitbros.com”

$aadConnector = “theitbros.onmicrosoft.com – AAD”

Import-Module adsync

$c = Get-ADSyncConnector -Name $adConnector

$p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter “Microsoft.Synchronize.ForceFullPasswordSync”, String, ConnectorGlobal, $null, $null, $null

$p.Value = 1

$c.GlobalParameters.Remove($p.Name)

$c.GlobalParameters.Add($p)

$c = Add-ADSyncConnector -Connector $c

Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $false

Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $true

This PowerShell script starts a full password sync to Azure including legacy password hashes (NTLM).

Cyril Kardashevsky
READ ALSO  The Processing of Group Policy Failed

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.