Password hash synchronization (PHS) is the simplest way to enable authentication for on-premises directory objects in Azure AD. Users can use the same username and password that they use on-premises without having to deploy any additional infrastructure.
With PHS, hashes of user passwords are synchronized from on-premises Active Directory to Azure AD, allowing Azure AD to authenticate users with no interaction with the on-premises Active Directory. When passwords are changed or reset on-premises, the new password hashes are synchronized to Azure AD in near real-time so that your users can always use the same password for cloud resources and on-premises resources. The clear-text passwords are never sent to Azure AD or stored in Azure AD.
Key points
- Effort. Password hash synchronization requires the least effort regarding deployment, maintenance, and infrastructure. This level of effort typically applies to organizations that only need their users to sign in to Office 365, SaaS apps, and other Azure AD-based resources. When turned on, password hash synchronization is part of the Azure AD Connect sync process and runs every two minutes.
- Cost. Azure AD Connect is free to use and is the tool you use to configure the PHS settings.
- Sync considerations. Currently, password hash synchronization doesn’t immediately enforce changes in on-premises account states. In this situation, a user has access to cloud apps until the user account state is synchronized to Azure AD. Organizations might want to overcome this limitation by running a new synchronization cycle after administrators do bulk updates to on-premises user account states. An example is disabling accounts.
- User experience. To improve users’ sign-in experience, use Seamless SSO, which eliminates unnecessary prompts when users are already signed in.
- Hybrid scenarios. You can add an extra layer of insight into identities by enabling Identity Protection reports in Azure; this requires the Azure AD Premium P2 edition. Windows Hello for Business is another option. Finally, you can integrate account lockout with the Azure Smart Lockout feature, which can be configured to match your on-premises Active Directory account lockout settings.
- MFA Considerations. Organizations that require multi-factor authentication with password hash synchronization must use Azure AD multi-factor authentication. Those organizations can’t use third-party or on-premises multi-factor authentication methods.
- Business continuity. Using password hash synchronization with cloud authentication is highly available as a cloud service that scales to all Microsoft data centers. To make sure password hash synchronization does not go down for extended periods, deploy a second Azure AD Connect server in staging mode in a standby configuration.
Password Hash Synchronization Considerations
Password complexity
When password synchronization is enabled, the password complexity policies in your on-premises Active Directory instance override complexity policies in the cloud for synchronized users. You can use any password considered valid in your environment to access Azure AD services.
Passwords for users that are created directly in the cloud are still subject to password policies as defined in the cloud.
Password expiration policy
If a user is in the scope of password synchronization, the cloud account password is set to Never Expire. Users can continue to sign in to cloud services by using a synchronized password that is expired in the on-premises environment. The cloud password is updated the next time the password is changed on-premises.
Account expiration
If your organization uses the accountExpires attribute as part of user account management, be aware that this attribute is not synchronized to Azure AD. As a result, an expired Active Directory account in an environment configured for password hash synchronization will still be active in Azure AD.
User must change password at next logon
When the option “User must change password at next logon” is selected for an account, the password is not synchronized to Azure AD. In this case, the user needs to change the password on-premises to allow the new password to be synchronized. This can be done directly on a domain-joined device.
Account Lockout
The account locked-out status is not synchronized to Azure AD. If an account is locked out on-premises, authentication to Azure AD won’t be affected and will continue working. Account lockout in Azure AD is provided by the Smart Lockout feature, which can be configured to match your on-premises Active Directory account lockout settings.
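As an added defender-side example (not from the original page), the following PowerShell audits the on-premises account states that the sections above say PHS does not carry to Azure AD, then forces a delta sync on the Azure AD Connect server after bulk changes, as the sync considerations point recommends. The OU path is a placeholder, and the ActiveDirectory and ADSync modules are assumed to be installed where each part runs.

```powershell
# Added example, not from the original page. Assumes the ActiveDirectory
# module on an admin workstation and the ADSync module on the Azure AD
# Connect server. $SearchBase is a placeholder; set it to your own OU.
Import-Module ActiveDirectory

$SearchBase = 'OU=Users,DC=example,DC=com'   # placeholder

# 1. "User must change password at next logon" (pwdLastSet = 0): the
#    password is NOT synchronized until the user changes it on-premises.
$mustChange = Get-ADUser -Filter 'pwdLastSet -eq 0' -SearchBase $SearchBase `
    -Properties pwdLastSet |
    Where-Object { $_.Enabled } |
    Select-Object SamAccountName, UserPrincipalName

# 2. Expired accounts: accountExpires is not synchronized, so these users
#    can still sign in to Azure AD with their last synced password hash.
$expired = Search-ADAccount -AccountExpired -UsersOnly -SearchBase $SearchBase |
    Select-Object SamAccountName, UserPrincipalName, AccountExpirationDate

# 3. Locked-out accounts: lockout state does not sync; Azure AD Smart
#    Lockout has to be configured separately to match the on-prem policy.
$locked = Search-ADAccount -LockedOut -UsersOnly -SearchBase $SearchBase |
    Select-Object SamAccountName, UserPrincipalName

[pscustomobject]@{
    MustChangePasswordNotSynced = @($mustChange).Count
    ExpiredButStillActiveCloud  = @($expired).Count
    LockedOutOnPremOnly         = @($locked).Count
} | Format-List

# Expired accounts are the ones to disable explicitly: "disabled" IS
# synchronized (with up to a 30-minute delay), "expired" is not.
$expired | Format-Table -AutoSize

# 4. On the Azure AD Connect server: confirm PHS is enabled and, after bulk
#    disabling accounts, run a delta sync instead of waiting for the
#    scheduled cycle.
Import-Module ADSync
(Get-ADSyncAADCompanyFeature).PasswordHashSync          # expect True
Get-ADSyncScheduler | Select-Object SyncCycleEnabled, NextSyncCycleStartTimeInUTC
Start-ADSyncSyncCycle -PolicyType Delta
```

Steps 1 to 3 run against on-premises AD from any machine with RSAT; step 4 must run on the Azure AD Connect server itself.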
Comparing methods
Consideration | Password hash synchronization + Seamless SSO | Pass-through Authentication + Seamless SSO | Federation with AD FS |
---|---|---|---|
Where does authentication happen? | In the cloud | In the cloud after a secure password verification exchange with the on-premises authentication agent | On-premises |
What are the on-premises server requirements beyond the provisioning system (Azure AD Connect)? | None | One server for each additional authentication agent | Two or more AD FS servers; two or more WAP servers in the perimeter/DMZ network |
What are the requirements for on-premises Internet and networking beyond the provisioning system? | None | Outbound Internet access from the servers running authentication agents | Inbound Internet access to WAP servers in the perimeter; inbound network access to AD FS servers from WAP servers in the perimeter; network load balancing |
Is there an SSL certificate requirement? | No | No | Yes |
Is there a health monitoring solution? | Not required | Agent status provided by Azure Active Directory admin center | Azure AD Connect Health |
Do users get single sign-on to cloud resources from domain-joined devices within the company network? | Yes with Seamless SSO | Yes with Seamless SSO | Yes |
What sign-in types are supported? | UserPrincipalName + password; Windows Integrated Authentication by using Seamless SSO | UserPrincipalName + password; Windows Integrated Authentication by using Seamless SSO | UserPrincipalName + password; sAMAccountName + password; Windows Integrated Authentication |
Is Windows Hello for Business supported? | Key trust model | Key trust model | Key trust model |
What are the multifactor authentication options? | Azure MFA | Azure MFA | Azure MFA |
What user account states are supported? | Disabled accounts (up to 30-minute delay) | Disabled accounts; account locked out; password expired; sign-in hours | Disabled accounts; account locked out; password expired; sign-in hours |
What are the conditional access options? | Azure AD conditional access | Azure AD conditional access | Azure AD conditional access |
Is blocking legacy protocols supported? | Yes | Yes | Yes |
Can you customize the logo, image, and description on the sign-in pages? | Yes, with Azure AD Premium | Yes, with Azure AD Premium | Yes |
What advanced scenarios are supported? | Smart password lockout | Smart password lockout | Multisite low-latency authentication system |
Verify your current user sign-in settings by signing in to the Azure AD portal at https://aad.portal.azure.com with a Global Administrator account.
