AADConnect – Migrating From ADFS To Password Hash Synchronization
To synchronize your password, Azure AD Connect sync extracts your password hash from the on-premises Active Directory instance. Extra security processing is applied to the password hash before it is synchronized to the Azure Active Directory authentication service. Passwords are synchronized on a per-user basis and in chronological order.
The actual data flow of the password hash synchronization process is similar to the synchronization of user data. However, passwords are synchronized more frequently than the standard directory synchronization window for other attributes. The password hash synchronization process runs every 2 minutes. You cannot modify the frequency of this process. When you synchronize a password, it overwrites the existing cloud password.
The first time you enable the password hash synchronization feature, it performs an initial synchronization of the passwords of all in-scope users. You cannot explicitly define a subset of user passwords that you want to synchronize. However, if there are multiple connectors, it is possible to disable password hash sync for some connectors but not others using the Set-ADSyncAADPasswordSyncConfiguration cmdlet.
When you change an on-premises password, the updated password is synchronized, most often in a matter of minutes. The password hash synchronization feature automatically retries failed synchronization attempts. If an error occurs during an attempt to synchronize a password, an error is logged in Event Viewer.
When password hash synchronization is enabled, the password complexity policies in your on-premises Active Directory instance override complexity policies in the cloud for synchronized users. You can use all of the valid passwords from your on-premises Active Directory instance to access Azure AD services.
If your organization uses the accountExpires attribute as part of user account management, be aware that this attribute is not synchronized to Azure AD. As a result, an expired Active Directory account in an environment configured for password hash synchronization will still be active in Azure AD. We recommend using a scheduled PowerShell script that disables users' AD accounts once they expire (use the Set-ADUser cmdlet). Conversely, when the expiration is removed from an AD account, the account should be re-enabled.
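The scheduled script suggested above, written out as an added example (it is not code from the original article or from Microsoft). It disables accounts whose expiration date has passed and, so that it can safely re-enable only the accounts it disabled itself, tags them in extensionAttribute1. The OU, the tag value and the use of extensionAttribute1 are assumptions; the script assumes the RSAT ActiveDirectory module and runs under an account with rights to modify the target OU.

```powershell
# Added example (not from the original article): disable AD accounts whose accountExpires
# date has passed so the matching Azure AD account stops authenticating via PHS, and
# re-enable accounts that THIS script disabled once the expiration has been lifted.
# Assumptions: RSAT ActiveDirectory module available; the OU, tag value and use of
# extensionAttribute1 are placeholders for your own environment.
Import-Module ActiveDirectory

$SearchBase = 'OU=Users,DC=contoso,DC=com'    # placeholder OU
$Tag        = 'DisabledByExpiryScript'        # marker stored in extensionAttribute1
$Now        = Get-Date

# 1. Expired accounts that are still enabled: disable and tag them.
$expired = Search-ADAccount -AccountExpired -UsersOnly -SearchBase $SearchBase |
    Where-Object { $_.Enabled }

foreach ($acct in $expired) {
    Set-ADUser -Identity $acct.DistinguishedName -Enabled $false `
        -Replace @{ extensionAttribute1 = $Tag }
    Write-Output "Disabled expired account $($acct.SamAccountName)"
}

# 2. Accounts this script disabled whose expiration has since been removed (AccountExpirationDate
#    is $null for 'never expires') or moved into the future: re-enable and clear the tag.
#    Accounts disabled for any other reason are untouched because they do not carry the tag.
$tagged = Get-ADUser -SearchBase $SearchBase `
    -Filter "extensionAttribute1 -eq '$Tag' -and Enabled -eq 'False'" `
    -Properties AccountExpirationDate, extensionAttribute1

foreach ($acct in $tagged) {
    $exp = $acct.AccountExpirationDate
    if ($null -eq $exp -or $exp -gt $Now) {
        Set-ADUser -Identity $acct.DistinguishedName -Enabled $true `
            -Clear extensionAttribute1
        Write-Output "Re-enabled $($acct.SamAccountName) (expiration lifted)"
    }
}
```

Run it from a scheduled task at a shorter interval than your directory synchronization cycle, so the disabled state reaches Azure AD on the next sync; without the tag step, a blanket re-enable of non-expired disabled accounts would also re-enable accounts that were disabled deliberately for other reasons.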
If you use Azure AD Domain Services to provide legacy authentication for applications and services that need to use Kerberos, LDAP, or NTLM, some additional processes are part of the password hash synchronization flow. Azure AD Connect uses the following additional process to synchronize password hashes to Azure AD for use in Azure AD Domain Services:
If your legacy applications don't use NTLM authentication or LDAP simple binds, we recommend that you disable NTLM password hash synchronization for Azure AD DS. For more information, see Disable weak cipher suites and NTLM credential hash synchronization.
When you install Azure AD Connect by using the Express Settings option, password hash synchronization is automatically enabled. For more information, see Getting started with Azure AD Connect using express settings.
In this article, you learn how to deploy cloud user authentication with either Azure Active Directory password hash synchronization (PHS) or pass-through authentication (PTA). While we present the use case for moving from Active Directory Federation Services (AD FS) to cloud authentication methods, the guidance largely applies to other on-premises systems as well.
Next, switch over to password hash synchronization. Before you start, consider in which conditions you should make the switch. Don't make the switch for temporary reasons, like a network outage, a minor AD FS problem, or a problem that affects a subset of your users.
This is a continuation of a series on Azure AD Connect. I started off this Azure AD Connect series by going through the express installation path, where the password hash synchronization (PHS) sign-in option is selected by default. This was followed by the custom installation path where I selected pass-through authentication (PTA) as a user sign-in option. The third blog post on user sign-in was configuring federation with Active Directory Federation Service (AD FS). Links to these are provided in the summary section below.
Changing authentication methods, however, is no trivial task and requires significant planning and testing. Any migration away from ADFS should occur in stages to allow for sufficient testing and potential downtime. At a minimum, organizations should be running Azure AD Connect 1.1.819.0 to successfully perform the steps to migrate to password hash synchronization. The method for switching to PHS depends on how ADFS was originally configured. If ADFS was configured via Azure AD Connect, then the Azure AD Connect wizard must be used. In this situation, Azure AD Connect automatically runs the Set-MsolDomainAuthentication cmdlet and automatically unfederates all the verified federated domains in the Azure AD tenant.
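A pre-flight report for the cutover described above, as an added example (not code from the original article or from Microsoft): it checks the installed Azure AD Connect build against the 1.1.819.0 minimum, lists the tenant's federated domains, and only performs the Set-MsolDomainAuthentication conversion when explicitly asked to. It assumes it runs on the Azure AD Connect server, that the MSOnline module is installed and Connect-MsolService has already been run, and that the product is registered in the Windows uninstall registry keys under a display name beginning "Microsoft Azure AD Connect".

```powershell
# Added example (not from the original article or from Microsoft): pre-flight report to run
# before switching federated domains to password hash synchronization.
# Assumptions: run on the Azure AD Connect server; MSOnline module installed and
# Connect-MsolService already called; the product appears in the uninstall registry keys
# with a DisplayName starting 'Microsoft Azure AD Connect'.

$MinimumVersion = [version]'1.1.819.0'   # minimum build named in the article

function Get-AadConnectVersion {
    # Read the installed version from the standard uninstall registry keys rather than
    # querying Win32_Product, which is slow and triggers MSI consistency checks.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $entry = Get-ItemProperty $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Microsoft Azure AD Connect*' } |
        Select-Object -First 1
    if ($entry) { [version]$entry.DisplayVersion } else { $null }
}

function Test-PhsCutoverReadiness {
    param([switch]$Convert)   # report only unless -Convert is given

    $installed = Get-AadConnectVersion
    $versionOk = ($null -ne $installed) -and ($installed -ge $MinimumVersion)
    $status    = if ($versionOk) { 'OK' } else { 'TOO OLD OR NOT FOUND' }
    Write-Output ("Azure AD Connect version: {0} (minimum {1}) -> {2}" -f $installed, $MinimumVersion, $status)

    # Federated domains are the ones a cutover changes to Managed.
    $federated = Get-MsolDomain | Where-Object { $_.Authentication -eq 'Federated' }
    if (-not $federated) {
        Write-Output 'No federated domains found; nothing to convert.'
        return
    }
    $federated | ForEach-Object { Write-Output ("Federated domain: {0}" -f $_.Name) }

    if ($Convert -and $versionOk) {
        # Only appropriate when AD FS was NOT set up through Azure AD Connect; if it was,
        # use the Azure AD Connect wizard, which runs this cmdlet itself.
        foreach ($d in $federated) {
            Set-MsolDomainAuthentication -DomainName $d.Name -Authentication Managed
            Write-Output ("Converted {0} to managed authentication" -f $d.Name)
        }
    }
}

Test-PhsCutoverReadiness              # report only
# Test-PhsCutoverReadiness -Convert   # perform the cutover once testing is complete
```

Keeping the conversion behind a switch matches the staged approach the text calls for: the report can be run repeatedly during planning, and the actual change is a deliberate, separate step.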
As you can see, an organization looking for a hybrid identity solution from Microsoft Azure has several options. It is critical to understand the problem you are attempting to solve before deciding on which solution (or solutions) to consider. While all three hybrid identity authentication methods provide single sign-on capabilities, other factors must be considered. A company that wants a simple implementation with fewer moving parts should consider using the password hash sync method. However, a highly secure organization that wishes to keep all authentication on-premises may wish to consider federation or pass-through authentication.
The on-prem Active Directory instance stores each password in the form of a hash value representation of the actual user password. The hash value is calculated from a one-way mathematical function or hashing algorithm. For security reasons, there is no way to reverse-engineer the hash back to the plain text version of a password.
To synchronize a password, Azure AD Connect extracts the password hash from the on-premises AD instance. Additional security processing is also applied to the password hash before the hash is synchronized to the Azure Active Directory authentication service. Passwords are synchronized on a per-user basis and they are synchronized in chronological order.
Data flow of the password hash synchronization process is quite similar to the synchronization of user data. However, because passwords change often, they are synchronized more frequently than the standard directory synchronization window for other AD attributes. Password hash synchronization runs every 2 minutes and the frequency of this cycle cannot be modified. As you would expect, when a password is synchronized, it overwrites the existing cloud password.
When an on-prem password is changed, the updated password is synchronized, typically within a matter of minutes. The password hash synchronization process will automatically retry failed synchronization attempts. When an error does occur during a synchronization attempt, an error is logged in Event Viewer.
Pass-through authentication provides better security than password hash synchronization because, with pass-through authentication, on-prem passwords are never stored in the cloud. Additionally, pass-through authentication offers more account protection because it works with Azure AD Conditional Access policies, including multi-factor authentication. Another key benefit of pass-through authentication is the fact that the agent only makes outbound connections from the network. Because there are no inbound connections required, all requirements for a DMZ as part of the solution are removed.
To protect itself against a failure of the ADFS infrastructure when using federation, an organization can leverage password hash synchronization as a backup. By doing so, authentication can continue, despite a failure of the ADFS infrastructure.
At some point you will have enough users migrated to Azure AD SSO and you will transition from using staged rollout and federated authentication to full password hash sync or pass-through authentication. When considering the cutover threshold, keep in mind that any remaining users may be prompted to enroll in Azure MFA (depending on your policies) and will need to re-sign in to their Office 365 apps. But at this point, staged rollout has helped get most of your users to the final state.
Each on-premises Active Directory connector has its own password hash synchronization channel. When a password hash synchronization channel is created and there are no password changes to be synchronized, a heartbeat event is generated every 30 minutes in the Windows Application event log. The cmdlet searches for heartbeat events for each AD connector in the past three hours; if no heartbeat event is found, this error is returned.
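A manual version of the heartbeat check described above, which also surfaces the synchronization errors the earlier paragraphs say are written to Event Viewer. This is an added example, not code from the original article or from Microsoft. The provider name 'Directory Synchronization' and heartbeat event ID 654 are taken from Microsoft's PHS troubleshooting documentation as I recall it and should be verified against your own Application log before relying on them; the three-hour window mirrors the built-in diagnostics.

```powershell
# Added example (not from the original article): check the Application log on the Azure AD
# Connect server for the PHS heartbeat and for sync errors in the last three hours.
# Assumptions: provider name and heartbeat event ID below are from Microsoft's PHS
# troubleshooting guide; confirm them in Event Viewer on your own server.
$Provider    = 'Directory Synchronization'
$HeartbeatId = 654                       # PHS heartbeat event (verify in your log)
$Window      = (Get-Date).AddHours(-3)   # same look-back as the built-in diagnostics

function Get-PhsHealth {
    # Heartbeats: with no password changes, one every 30 minutes -> roughly six per window.
    $hb = Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = $Provider; Id = $HeartbeatId; StartTime = $Window
    } -ErrorAction SilentlyContinue

    # Errors from the same provider (Level 2 = Error), which cover failed sync attempts.
    $errs = Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = $Provider; Level = 2; StartTime = $Window
    } -ErrorAction SilentlyContinue

    $latest = if ($hb) { ($hb | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated } else { $null }

    [pscustomobject]@{
        HeartbeatsLast3h = @($hb).Count
        LastHeartbeat    = $latest
        ErrorsLast3h     = @($errs).Count
        Healthy          = (@($hb).Count -gt 0) -and (@($errs).Count -eq 0)
        Errors           = @($errs | Select-Object TimeCreated, Id, Message)
    }
}

$health = Get-PhsHealth
$health | Select-Object HeartbeatsLast3h, LastHeartbeat, ErrorsLast3h, Healthy | Format-List
$health.Errors | Format-Table -Wrap
```

A zero heartbeat count with no errors usually points at the sync service not running or PHS being disabled for the connector, rather than at a failed password change; a non-zero error count with the message text is what you would take into the troubleshooting steps that follow.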
This error occurs because there is no corresponding object for this AD domain object in the Azure AD tenant. This might happen if the object has not yet been exported, which is why password hash synchronization has failed for it.
Azure AD Connect stores the results of password hash synchronization attempts on an object for a maximum of seven days. If there are no results available for the selected Active Directory object, the above warning is returned.
Setting up Azure AD Connect password hash synchronization is a complex process. Its configuration and troubleshooting involve multiple steps and commands. ADSelfService Plus, an Active Directory self-service password management and single sign-on solution, offers a password synchronization feature to synchronize passwords between AD and Azure AD. Enabling this feature involves minimal steps, as listed below.