Password Hash Synchronization with Azure AD Connect
This document provides a detailed overview of Password Hash Synchronization (PHS) in Azure Active Directory (Azure AD) Connect. PHS is a sign-in method that you can configure when you deploy Azure AD Connect.
PHS synchronizes a hash of the user's on-premises password hash (never the password itself) to Azure AD. This allows users to sign in to on-premises resources and to Azure AD-joined or hybrid Azure AD-joined devices and applications with the same username and password.
Note: Password Hash Synchronization is the recommended sign-in method for most hybrid identity scenarios.
How Password Hash Synchronization Works
When a user changes their password on-premises, the following process occurs:
- The on-premises Active Directory Domain Services (AD DS) stores the password hash.
- Azure AD Connect monitors the on-premises AD DS for password hash changes.
- When a change is detected, Azure AD Connect retrieves the new password hash.
- The password hash is then secured and sent to Azure AD.
- Azure AD verifies the password hash against its own directory.
Tip: PHS protects the synchronized password hashes with a strong one-way hashing algorithm (SHA-256). The password itself is never transmitted over the network.
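The following Python model, added here as an illustration and not code from Azure AD Connect or Microsoft, walks through the five steps above: an on-premises store that holds only a password hash, a sync agent that notices when that hash changes and re-hashes it with a fresh per-user salt before anything leaves the network, and a cloud directory that verifies a sign-in by recomputing the same derivation. The on-prem hash function, the salt length, the iteration count and the PBKDF2-HMAC-SHA256 re-hash are assumptions chosen to show the one-way, salted design; they are not the actual Azure AD Connect parameters. A final check confirms that the bytes sent to the cloud contain neither the password nor the raw on-prem hash.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed parameters (assumptions, not Azure AD Connect's actual values).
ITERATIONS = 100_000
SALT_BYTES = 16


def onprem_password_hash(password: str) -> bytes:
    """Stand-in for the hash the on-premises directory stores.

    Assumption: a plain SHA-256 of the UTF-8 password. The cleartext is
    never stored, so this is the only value the sync agent can read.
    """
    return hashlib.sha256(password.encode("utf-8")).digest()


@dataclass(frozen=True)
class SyncedCredential:
    """What actually crosses the network to the cloud directory."""
    salt: bytes
    iterations: int
    derived: bytes  # 32-byte PBKDF2-HMAC-SHA256 output


def derive_sync_hash(onprem_hash: bytes, salt: bytes, iterations: int) -> bytes:
    """Re-hash the stored hash with a per-user salt before it leaves the
    on-premises network; the result cannot be reversed to the original hash."""
    return hashlib.pbkdf2_hmac("sha256", onprem_hash, salt, iterations)


class SyncAgent:
    """Models the Azure AD Connect role: watch for hash changes, re-hash,
    and hand the protected value to the cloud side."""

    def __init__(self) -> None:
        self._last_seen: Dict[str, bytes] = {}

    def poll(self, user: str, current_hash: bytes) -> Optional[SyncedCredential]:
        """Return a new SyncedCredential only when the on-prem hash changed."""
        if self._last_seen.get(user) == current_hash:
            return None  # nothing to synchronize
        self._last_seen[user] = current_hash
        salt = os.urandom(SALT_BYTES)  # fresh per-user salt on every change
        derived = derive_sync_hash(current_hash, salt, ITERATIONS)
        return SyncedCredential(salt, ITERATIONS, derived)


class CloudDirectory:
    """Models the Azure AD role: store the synced value, verify sign-ins."""

    def __init__(self) -> None:
        self._creds: Dict[str, SyncedCredential] = {}

    def store(self, user: str, cred: SyncedCredential) -> None:
        self._creds[user] = cred

    def verify(self, user: str, password_attempt: str) -> bool:
        """Recompute the same two-stage derivation from the entered password
        and compare in constant time. Neither the password nor the raw
        on-prem hash was ever sent by the sync agent."""
        cred = self._creds.get(user)
        if cred is None:
            return False
        first_stage = onprem_password_hash(password_attempt)
        candidate = derive_sync_hash(first_stage, cred.salt, cred.iterations)
        return hmac.compare_digest(candidate, cred.derived)


def payload_exposes_secret(cred: SyncedCredential, password: str, onprem_hash: bytes) -> bool:
    """Defender check: do the bytes on the wire contain the cleartext password
    or the raw on-prem hash? Expected to be False for every credential."""
    wire = cred.salt + cred.iterations.to_bytes(4, "big") + cred.derived
    return password.encode("utf-8") in wire or onprem_hash in wire


def demo() -> bool:
    """Run one change -> sync -> verify cycle; True when everything behaves."""
    agent, cloud = SyncAgent(), CloudDirectory()
    user, pw = "alice@example.test", "Correct-Horse-Battery-9"  # constructed sample
    h = onprem_password_hash(pw)
    cred = agent.poll(user, h)          # change detected, protected value produced
    cloud.store(user, cred)
    unchanged = agent.poll(user, h)     # second poll: no change, nothing sent
    return (cloud.verify(user, pw)
            and not cloud.verify(user, pw.lower())
            and unchanged is None
            and not payload_exposes_secret(cred, pw, h))


if __name__ == "__main__":
    print("PHS model OK" if demo() else "PHS model FAILED")
```

Two details carry the security point: the salt is regenerated on every password change, so identical passwords never produce identical synced values, and verification uses `hmac.compare_digest` rather than `==` so timing does not leak how many bytes matched.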
Key Features and Benefits
- Single Identity: Users can use the same credentials for on-premises and cloud resources.
- High Availability: Azure AD provides a highly available and resilient service for authentication.
- Simplified Management: Reduces the need for complex federation infrastructure.
- Seamless Sign-On: Users experience a smooth authentication process.
- Self-Service Password Reset (SSPR): Works seamlessly with Azure AD SSPR capabilities.
Password Hash Synchronization vs. Other Sign-In Methods
| Feature | Password Hash Sync (PHS) | Pass-through Authentication (PTA) | Federation (AD FS) |
|---|---|---|---|
| Authentication Location | Azure AD | On-premises AD DS | Federation server (e.g., AD FS) |
| Complexity | Low | Medium | High |
| High Availability | High (Azure AD) | Requires on-premises agents | Requires on-premises infrastructure |
| Single Sign-On | Yes | Yes | Yes |
| User Experience | Seamless | Seamless | Can be seamless (depending on configuration) |
Considerations for Implementing PHS
- Password Policy: For cloud-only users, Azure AD enforces its own password policies; for synchronized users, the on-premises password policies are primary.
- Password Writeback: To allow users to change their password in the cloud and have the change written back to on-premises AD DS, you need to configure Password Writeback.
- Security: Ensure Azure AD Connect is installed on a secure server and that network ports are properly configured.
Next Steps
To learn more about configuring and managing Password Hash Synchronization, refer to the following resources: