Azure AD Connect – How to extend your Active Directory domain to Azure AD? Part 1 | Password Hash Synchronization


Password hash synchronization (PHS) is the simplest way to enable authentication for on-premises directory objects in Azure AD. Users sign in with the same username and password that they use on-premises, and no additional infrastructure has to be deployed.

With PHS, hashes of user passwords are synchronized from on-premises Active Directory to Azure AD, allowing Azure AD to authenticate users without any interaction with the on-premises Active Directory. When passwords are changed or reset on-premises, the new password hashes are synchronized to Azure AD in near real time, so users can always use the same password for cloud and on-premises resources. Clear-text passwords are never sent to or stored in Azure AD, and neither is the raw NT (MD4) hash itself: Azure AD Connect reads the hash from a domain controller over the directory replication protocol, adds a per-user salt and runs it through PBKDF2-HMAC-SHA256 (1,000 iterations) before sending the result, so the value Azure AD stores cannot be replayed against on-premises AD in a pass-the-hash attack. The flip side is that the AD DS connector account needs the Replicating Directory Changes and Replicating Directory Changes All permissions, which makes the Azure AD Connect server as sensitive as a domain controller; protect it accordingly.

Key points

  • Effort. Password hash synchronization requires the least effort regarding deployment, maintenance, and infrastructure. It typically suits organizations that only need their users to sign in to Office 365, SaaS apps, and other Azure AD-based resources. When turned on, password hash synchronization is part of the Azure AD Connect sync process and runs every two minutes, independently of the regular (30-minute) object synchronization cycle.
  • Cost. Azure AD Connect is free to use and is the tool you use to configure the PHS settings.
  • Sync considerations. Password hash synchronization does not immediately enforce changes in on-premises account states. A user who is disabled on-premises keeps access to cloud apps until the account state is synchronized to Azure AD, which with the default scheduler can take up to 30 minutes. After bulk updates to on-premises user account states, such as disabling accounts, run a delta synchronization cycle (Start-ADSyncSyncCycle -PolicyType Delta) instead of waiting for the scheduler.
  • User experience. To improve users' sign-in experience, enable Seamless SSO, which eliminates unnecessary password prompts for users who are already signed in on domain-joined devices on the corporate network.
  • Hybrid scenarios. You can add an extra layer of insight into your identities by enabling Identity Protection reports in Azure AD; this requires Azure AD Premium P2. Windows Hello for Business is another option. Finally, Azure AD Smart Lockout can be configured to match your on-premises Active Directory account lockout settings.
  • MFA considerations. Organizations that require multi-factor authentication with password hash synchronization must use Azure AD Multi-Factor Authentication. They can't use third-party or on-premises multi-factor authentication methods.
  • Business continuity. Password hash synchronization with cloud authentication is highly available because the authentication itself happens in Azure AD, a cloud service that scales across all Microsoft data centers. The part that can fail is the synchronization: to make sure password hash synchronization does not stop for extended periods, deploy a second Azure AD Connect server in staging mode as a standby.

Password Hash Synchronization Considerations

Password complexity

When password hash synchronization is enabled, the password complexity policies in your on-premises Active Directory instance override the complexity policies in the cloud for synchronized users. Any password considered valid on-premises can be used to access Azure AD services, so the on-premises policy is the one that has to be strong.

Passwords for users that are created directly in the cloud are still subject to password policies as defined in the cloud.

Password expiration policy

If a user is in the scope of password hash synchronization, the cloud account password is set to Never Expire. Users can therefore continue to sign in to cloud services with a synchronized password that has already expired on-premises; the cloud password is only updated the next time the password is changed on-premises. If you want Azure AD to apply a password expiration policy to synchronized users as well, enable the EnforceCloudPasswordPolicyForPasswordSyncedUsers directory sync feature (Set-MsolDirSyncFeature).

Account expiration

If your organization uses the accountExpires attribute as part of user account management, be aware that this attribute is not synchronized to Azure AD. An Active Directory account that has expired on-premises therefore remains active in Azure AD and can still sign in to cloud resources with its synchronized password. Since the enabled/disabled state does synchronize, the practical fix is to disable expired accounts (manually or with a scheduled job) rather than rely on the expiry date alone.

User must change password at next logon

When the option "User must change password at next logon" is set on an account, its current password is not synchronized to Azure AD, and the cloud keeps the previously synchronized hash. The user needs to change the password on-premises, for example by signing in on a domain-joined device, after which the new hash is synchronized. Azure AD Connect can optionally synchronize the flag itself so that the change is also forced in the cloud; that requires password writeback and the ForcePasswordChangeOnLogOn directory sync feature.

Account Lockout

The account lockout state is not synchronized to Azure AD. If an account is locked out on-premises, authentication to Azure AD is not affected and continues to work, so an on-premises lockout policy offers no protection against password guessing at the cloud sign-in endpoints. Lockout in Azure AD is provided by the Smart Lockout feature, which can be configured to match your on-premises Active Directory account lockout settings.
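
The three gaps above (expired accounts, accounts flagged to change their password, lockouts) and the bulk-change advice from the key points can all be checked from the on-premises side. The script below is an added example written for this page, not code from the original post or from Microsoft: it audits enabled users for the states that PHS does not synchronize and, with -Remediate, converts expiry into the disabled state, which does synchronize, then forces a delta sync. It assumes the ActiveDirectory RSAT module, that the remediation path runs on the Azure AD Connect server where the ADSync module is installed, and the parameter names (-Remediate, -SearchBase) are this example's own.

```powershell
# Added example (not from the original post): audit the on-premises account
# states that password hash synchronization does NOT carry to Azure AD.
param(
    [switch]$Remediate,        # also disable expired accounts and push a delta sync
    [string]$SearchBase        # optional OU distinguished name; default is the whole domain (assumption)
)

Import-Module ActiveDirectory

# Only enabled users matter: "disabled" is the one state PHS does synchronize
$userParams   = @{ Filter = 'Enabled -eq $true'; Properties = 'AccountExpirationDate', 'pwdLastSet' }
$lockedParams = @{ LockedOut = $true; UsersOnly = $true }
if ($SearchBase) { $userParams.SearchBase = $SearchBase; $lockedParams.SearchBase = $SearchBase }

$enabledUsers = Get-ADUser @userParams
$now = Get-Date
$findings = [System.Collections.Generic.List[object]]::new()

# 1. accountExpires is not synchronized: expired on-prem, still active in Azure AD
foreach ($u in $enabledUsers | Where-Object { $_.AccountExpirationDate -and $_.AccountExpirationDate -lt $now }) {
    $findings.Add([pscustomobject]@{ User = $u.SamAccountName; Reason = 'AccountExpired'; Detail = $u.AccountExpirationDate })
}

# 2. pwdLastSet = 0 is "must change password at next logon": the current hash is
#    never sent, so Azure AD keeps accepting the previously synchronized password
foreach ($u in $enabledUsers | Where-Object { $_.pwdLastSet -eq 0 }) {
    $findings.Add([pscustomobject]@{ User = $u.SamAccountName; Reason = 'MustChangePassword'; Detail = 'previous hash still valid in cloud' })
}

# 3. lockout state is not synchronized: locked out on-prem, still signs in to the cloud
foreach ($u in Search-ADAccount @lockedParams) {
    $findings.Add([pscustomobject]@{ User = $u.SamAccountName; Reason = 'LockedOut'; Detail = 'on-prem lockout not enforced in cloud' })
}

$findings | Sort-Object Reason, User | Format-Table -AutoSize

if ($Remediate) {
    $expired = $findings | Where-Object { $_.Reason -eq 'AccountExpired' }
    if ($expired) {
        # Disabled IS synchronized (up to 30 minutes with the default scheduler); expiry is not
        foreach ($f in $expired) { Disable-ADAccount -Identity $f.User }
        # After a bulk state change, don't wait for the scheduler: push it now
        Import-Module ADSync
        Start-ADSyncSyncCycle -PolicyType Delta
    }
}
```

Run it without -Remediate first and review the table. Locked-out users and users flagged to change their password are reported only, since disabling them would be the wrong fix; the point is to know that those controls are not reaching the cloud.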

Comparing methods

Each consideration below lists the three options in the same order: PHS = Password hash synchronization + Seamless SSO; PTA = Pass-through Authentication + Seamless SSO; AD FS = Federation with AD FS.

Where does authentication happen?
  • PHS: In the cloud
  • PTA: In the cloud, after a secure password verification exchange with the on-premises authentication agent
  • AD FS: On-premises

What are the on-premises server requirements beyond the provisioning system (Azure AD Connect)?
  • PHS: None
  • PTA: One server for each additional authentication agent
  • AD FS: Two or more AD FS servers; two or more WAP servers in the perimeter/DMZ network

What are the requirements for on-premises Internet and networking beyond the provisioning system?
  • PHS: None
  • PTA: Outbound Internet access from the servers running authentication agents
  • AD FS: Inbound Internet access to WAP servers in the perimeter; inbound network access to AD FS servers from WAP servers in the perimeter; network load balancing

Is there an SSL certificate requirement?
  • PHS: No
  • PTA: No
  • AD FS: Yes

Is there a health monitoring solution?
  • PHS: Not required
  • PTA: Agent status provided by the Azure Active Directory admin center
  • AD FS: Azure AD Connect Health

Do users get single sign-on to cloud resources from domain-joined devices within the company network?
  • PHS: Yes, with Seamless SSO
  • PTA: Yes, with Seamless SSO
  • AD FS: Yes

What sign-in types are supported?
  • PHS: UserPrincipalName + password; Windows Integrated Authentication by using Seamless SSO; Alternate login ID
  • PTA: UserPrincipalName + password; Windows Integrated Authentication by using Seamless SSO; Alternate login ID
  • AD FS: UserPrincipalName + password; sAMAccountName + password; Windows Integrated Authentication; Certificate and smart card authentication; Alternate login ID

Is Windows Hello for Business supported?
  • PHS: Key trust model; Certificate trust model with Intune
  • PTA: Key trust model; Certificate trust model with Intune
  • AD FS: Key trust model; Certificate trust model

What are the multifactor authentication options?
  • PHS: Azure MFA; Custom Controls with conditional access*
  • PTA: Azure MFA; Custom Controls with conditional access*
  • AD FS: Azure MFA; Azure MFA Server; Third-party MFA; Custom Controls with conditional access*

What user account states are supported?
  • PHS: Disabled accounts (up to 30-minute delay)
  • PTA: Disabled accounts; Account locked out; Password expired; Sign-in hours
  • AD FS: Disabled accounts; Account locked out; Password expired; Sign-in hours

What are the conditional access options?
  • PHS: Azure AD conditional access
  • PTA: Azure AD conditional access
  • AD FS: Azure AD conditional access; AD FS claim rules

Is blocking legacy protocols supported?
  • PHS: Yes
  • PTA: Yes
  • AD FS: Yes

Can you customize the logo, image, and description on the sign-in pages?
  • PHS: Yes, with Azure AD Premium
  • PTA: Yes, with Azure AD Premium
  • AD FS: Yes

What advanced scenarios are supported?
  • PHS: Smart password lockout; Leaked credentials reports
  • PTA: Smart password lockout
  • AD FS: Multisite low-latency authentication system; AD FS extranet lockout; Integration with third-party identity systems
Where to verify the current user sign-in settings in your environment

Verify the current user sign-in settings in the Azure AD portal at https://aad.portal.azure.com: under Azure Active Directory > Azure AD Connect, the User sign-in section shows whether Federation, Seamless single sign-on, Pass-through authentication and Password hash sync are enabled. Viewing this does not require a Global Administrator account; a read-only directory role such as Global Reader is enough, and Global Administrator should be reserved for making changes.
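
If you would rather not click through the portal, or want this in a scheduled health check, the same information is available from PowerShell. The script below is an added example for this page, not code from the original post: the ADSync cmdlets run on the Azure AD Connect server, the MSOnline cmdlets (period-appropriate for this post; Microsoft has since retired that module in favour of Microsoft Graph PowerShell) run from any admin workstation, the lookup of connector names by ConnectorTypeName assumes the usual one-AD-connector, one-Azure-AD-connector layout, and the user principal name alice@contoso.com is a placeholder to replace.

```powershell
# Added example (not from the original post): verify the sign-in method and
# PHS health from the command line. Part 1 runs on the Azure AD Connect server.
Import-Module ADSync

# Tenant features as seen by the sync engine (PasswordHashSync among them)
Get-ADSyncAADCompanyFeature

# Connector names are case-sensitive; resolve them instead of typing them
# (assumption: one AD connector and one Azure AD connector)
$adConnector  = (Get-ADSyncConnector | Where-Object { $_.ConnectorTypeName -eq 'AD' }).Name
$aadConnector = (Get-ADSyncConnector | Where-Object { $_.ConnectorTypeName -eq 'Extensible2' }).Name
"AD connector: $adConnector / Azure AD connector: $aadConnector"

# Is password sync switched on from the AD connector? (Enabled should be True)
Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector

# PHS rides on the sync engine: a disabled or suspended scheduler means stale hashes
Get-ADSyncScheduler | Select-Object SyncCycleEnabled, SchedulerSuspended, StagingModeEnabled,
    CurrentlyEffectiveSyncCycleInterval, NextSyncCycleStartTimeInUTC

# Built-in troubleshooter: checks the connector account's replication permissions,
# the password sync heartbeat, and can test synchronization of a single object
Invoke-ADSyncDiagnostics -PasswordSync

# Part 2, tenant side: confirm the directory sync feature flags and that a
# given user's hash actually landed (LastPasswordChangeTimestamp moves when it does)
Connect-MsolService
Get-MsolDirSyncFeatures |
    Where-Object { $_.DirSyncFeature -in 'PasswordSync', 'EnforceCloudPasswordPolicyForPasswordSyncedUsers', 'ForcePasswordChangeOnLogOn' }

# Placeholder UPN; replace with a user in the sync scope
Get-MsolUser -UserPrincipalName 'alice@contoso.com' |
    Select-Object UserPrincipalName, LastDirSyncTime, LastPasswordChangeTimestamp, PasswordNeverExpires
```

Compare LastPasswordChangeTimestamp with the time of a test password change on-premises: with PHS healthy it should move within a few minutes, which is a more reliable check than the portal's summary status. PasswordNeverExpires being True for a synced user is the Never Expire behaviour described under "Password expiration policy" above.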
