Pass Hash Synchronization

  • Question

  • Hi,

    I have installed Azure AD Connect, and during the installation I can see a few options:

    Password Hash Synchronization

    Pass-through Authentication

    Please correct me if I am wrong:

    Password Hash Synchronization:- with this option, the on-premises password hash and the cloud password hash will sync to each other. This means if we change the password on-premises, it will update automatically on the cloud side. If we change it from the cloud, then it will change automatically on the on-premises side. But authentication will be in the cloud?

    Pass-through Authentication:- please define it for me. Thanks.

    Regards

    Wednesday, November 13, 2019 2:50 PM

All replies

  • Password hash - yes, if you change it on-prem, then after the next Azure AD Connect sync, it will update in Azure AD. If you enable the password writeback feature, then you can change the password in Azure AD, and it will write back to on-prem AD so that the passwords are the same. See this link for more password writeback info: https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-writeback

    Pass-through - It's an alternative to password hash synchronization. Users can still log in using their on-prem credentials. See https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta for more info.

    If you want a comparison of the different methods, see https://docs.microsoft.com/en-us/azure/security/fundamentals/choose-ad-authn
    Thursday, November 14, 2019 12:09 AM
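    As an added example (not part of this thread or of Microsoft's documentation), the following PowerShell, run on the Azure AD Connect server itself, checks the points the reply above relies on: that password hash synchronization is actually enabled for the on-premises connector, that the built-in sync scheduler is running (which is what carries a password change to Azure AD without re-running the wizard), and whether password writeback is switched on for the Azure AD connector. It uses the ADSync module cmdlets installed with Azure AD Connect; the connector names `contoso.com` and `contoso.onmicrosoft.com - AAD` are placeholders, and the `Get-ADSyncAADPasswordResetConfiguration` check is included on the assumption that the cmdlet is present in your build.

```powershell
# Added example: audit password hash sync, scheduler and writeback state on an Azure AD Connect server.
# Assumes the ADSync module shipped with Azure AD Connect; run in an elevated PowerShell session.
param(
    [string]$AdConnector  = 'contoso.com',                     # placeholder: on-prem AD connector name (see Get-ADSyncConnector)
    [string]$AadConnector = 'contoso.onmicrosoft.com - AAD',   # placeholder: Azure AD connector name
    [switch]$ForceDeltaSync                                    # set to trigger a delta sync cycle instead of waiting
)

Import-Module ADSync

# 1. Is password hash synchronization enabled for the on-prem connector?
$phs = Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $AdConnector
if ($phs.Enabled) {
    Write-Output "Password hash sync ENABLED: $AdConnector -> $($phs.TargetConnector)"
} else {
    Write-Warning "Password hash sync is NOT enabled for connector '$AdConnector'"
}

# 2. Is the built-in scheduler active? If SyncCycleEnabled is true, object changes flow on the
#    configured interval and password hash changes are picked up on their own short cycle,
#    so the configuration wizard does not need to be re-run after a password change.
$sched = Get-ADSyncScheduler
[pscustomobject]@{
    SyncCycleEnabled   = $sched.SyncCycleEnabled
    EffectiveInterval  = $sched.CurrentlyEffectiveSyncCycleInterval
    NextCycleStartUTC  = $sched.NextSyncCycleStartTimeInUTC
    StagingModeEnabled = $sched.StagingModeEnabled   # staging servers export nothing to Azure AD
}

# 3. Tenant-side feature flags (includes the PasswordHashSync flag as seen from Azure AD).
Get-ADSyncAADCompanyFeature

# 4. Password writeback: only when this is enabled does a cloud-side change return to on-prem AD.
#    Assumed cmdlet; verify it exists in your Azure AD Connect build with Get-Command.
if (Get-Command Get-ADSyncAADPasswordResetConfiguration -ErrorAction SilentlyContinue) {
    Get-ADSyncAADPasswordResetConfiguration -Connector $AadConnector
} else {
    Write-Warning 'Get-ADSyncAADPasswordResetConfiguration not found; check writeback in the Azure AD Connect wizard instead'
}

# 5. Optional: kick off a delta sync now rather than waiting for the next scheduled cycle.
if ($ForceDeltaSync) {
    Start-ADSyncSyncCycle -PolicyType Delta
}
```

    Run it without parameters to get a read-only report; add `-ForceDeltaSync` only when you want to push pending changes immediately. A server reporting `StagingModeEnabled = True` will never export to Azure AD, which is a common reason a password change appears to "not sync" even though the scheduler is enabled.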
  • Password hash - yes, if you change it on-prem, then after the next Azure AD Connect sync, it will update in Azure AD. If you enable password writeback feature, then you can change the password in Azure AD, and it will writeback to on-prem AD so that the passwords are the same. 

    If we change the password on the on-premises or cloud side, is it compulsory to run the Azure AD Connect wizard to sync the password on both sides? Can it not happen automatically without the Azure AD Connect wizard?

    For example, I have one user, 'user1'. I have synced it from on-premises to Office 365 or Azure AD through Azure AD Connect. During the wizard I selected Password Hash Synchronization and Single Sign-On. In this case, if user1 wants to change his password through O365 or Azure AD, first of all it will check the password policies in the on-premises Group Policy, then it will change the password. When the password is changed from O365 or Azure AD, then it will also change on-premises, right? Or after changing the password in O365 or Azure AD will we have to run the AD Connect wizard before it is able to sync on both sides?

    Thursday, November 14, 2019 9:52 AM