Get hashed password from AAD

    Question

  • Is there an API to get the hashed password from AAD? I tried to get UserProfile using the MS Graph API, but it is null.

    Azure AD Connect syncs hashed passwords, so there should be an API, but I cannot find it.

    Monday, May 1, 2017 4:58 PM

Answers

  • I can only think of one plausible way, but have never tried it and it is probably not supported. If you enable Azure AD Domain Services, then you will get an Active Directory domain controller. When your users change their password in Azure AD, the AD password hash will be written and updated on the DC. If you install some program on the DC, you should be able to read the password hash, just as you can in on-prem AD. You should then be able to write that back to Samba.

    This is definitely not easy. Reading password hashes requires you to have the Replicate Directory Changes All permission on your AD, and I have no idea if that is supported with Azure AD Domain Services. You also need to write your password hash extraction in C, C++ or some other native language. AD does not allow you to read password hashes with .NET.

    Does Samba allow you to federate? Then it might be easier to have your Samba server trust Azure AD as an IDP.

    Thursday, May 4, 2017 6:16 PM

All replies

  • You don't have access to password data, hashes included.
    Monday, May 1, 2017 7:08 PM
  • Thanks for reply.

    So Azure AD Connect is using a proprietary API, right?

    We want to develop a program which syncs from Azure AD to a local Samba DC.
    • Edited by Hagi7707 Tuesday, May 2, 2017 5:22 PM
    Tuesday, May 2, 2017 5:06 PM
  • Connect goes in the other direction. It reads the password hashes in on-prem AD (which are public APIs) and sets them in Azure AD. Connect does not read password hashes in Azure AD. These hashes are not the same as in on-prem AD anyway, so it wouldn't help at all even if there was such an API (which there isn't).

    For password writeback (an Azure AD Premium feature) the encrypted password is sent synchronously to the Connect server as part of the reset/change operation. You cannot read the Azure AD password in any way.

    It should be possible to use Connect and password reset/change to your Samba server. It hasn't been tested by Microsoft, but if Samba has the correct interfaces I see no reason why it wouldn't work. That would require Azure AD Premium licenses though.

    Wednesday, May 3, 2017 10:10 AM
  • Thanks Andreas. Now I am clear on the limitation.

    Can Azure AD authorize with username and hashed password? ADAL has acquireTokenWithUsernamePassword(); is it in any way possible to implement an equivalent function such as acquireTokenWithUsernamePasswordHash()?

    Wednesday, May 3, 2017 4:42 PM
  • Never heard of and it sounds technically implausible. The hashing in Azure AD is not the same as in AD so I can't see how that even possibly would work.

    Going back to the beginning, what is the scenario you are trying to solve?

    If for some reason you can't authenticate with username/password in Azure AD, maybe you can use federation instead? Then you would authenticate on-prem and could then use the federation ticket to authenticate with Azure AD. But it depends on what you are trying to do.

    • Proposed as answer by SamCoganMVP Thursday, May 4, 2017 10:31 AM
    Thursday, May 4, 2017 7:19 AM
  • What we want to solve is below.

    We are an Office365 subscriber, so our users are managed in Azure AD. We also have a Samba server on-prem.

    Currently the Samba server has its own local user database. (We don't use Samba-AD now.) We want to consolidate the two user databases into Azure-AD.

    So I planned to modify the auth module in Samba and use Azure-AD as the auth provider. It is easy to authenticate against Azure-AD with username and plain-text password; however, Windows clients do not send the plain-text password. So I was trying to get the hashed password from Azure-AD and put it into the local user database.

    I would appreciate any suggestion.

    Thursday, May 4, 2017 4:56 PM
  • Thanks. Now I realize the difficulty, especially with a basic Office365 subscription.

    We will research whether another ID provider can solve it, or whether we can build our own IDP. If so, can we configure O365 to authenticate users using an external (non-Microsoft) IDP?

    Friday, May 5, 2017 12:31 AM
  • Yes. Over 20 non-Microsoft federation servers have been tested already. The list is here:
    https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-federation-compatibility

    If you read the Shibboleth configuration guide, it gives you some ideas of how it can be done:
    https://msdn.microsoft.com/en-us/library/azure/jj205456.aspx

    Friday, May 5, 2017 5:45 AM