Selective password hash synchronization for Azure AD Connect

When you configure synchronization between an on-prem AD environment and Azure AD (AAD), Password Hash Synchronization (PHS) is the default method used for user authentication. PHS synchronizes a 'hash of the hash' of each user's password from on-prem AD to AAD. This has its own merits and demerits. One concern is security, because the hashes of all your passwords are stored in the cloud (even though Microsoft assures it is very secure); another is that you may want to enforce local security and password policies, which you cannot do when only PHS is enabled. The alternative is Pass-through Authentication (PTA), which validates users' sign-ins against the on-prem AD directly, so the password hashes are never stored in Azure. The following authentication flow has been taken from Microsoft.

You may have a requirement in your company where a user or a group of users must use PTA for security reasons and not PHS. You can configure those users to use Pass-through Authentication while the rest continue to use PHS. Here I will show you the steps to separate a user from the group so that they use PTA.

1. From PowerShell, stop the AD Connect sync scheduler.
2. Create an editable copy of the In from AD – User AccountEnabled rule with the option to enable password hash sync unselected, and define its scoping filter.
3. Create another editable copy of the default In from AD – User AccountEnabled rule with the option to enable password hash sync selected, and define its scoping filter.
4. Re-enable the synchronization scheduler.
5. In Active Directory, set the attribute value that was defined as the scoping attribute on the users you want to allow in password hash synchronization.

Start the Synchronization Rules Editor and set the filters Password Sync to On and Rule Type to Standard.

Select the rule In from AD – User AccountEnabled for the Active Directory forest you want to configure selective password hash synchronization on and click Edit. Select Yes in the next dialog box to create an editable copy of the original rule.

Next, create another custom rule, this time with password hash synchronization enabled. Again select the default rule In from AD – User AccountEnabled for the Active Directory forest you want to configure selective password hash synchronization on and click Edit. Select Yes in the next dialog box to create an editable copy of the original rule.

Give the new custom rule the following name: In from AD – User AccountEnabled – Users included for PHS. Change the precedence value to a number lower than that of the rule created previously (in this example, 89), so that this rule wins over it. Make sure the Enable Password Sync checkbox is checked and the Disabled checkbox is unchecked. Click Next.

Confirm the rule creation. Remove the filters Password Sync On and Rule Type Standard, and you should see both new rules you just created.

Now, in Active Directory Users and Computers, I set the 'adminDescription' attribute to 'PHSFiltered' on the user I wanted to exclude from PHS.

*To edit this attribute you may first have to enable View > Advanced Features.

Re-enable Synchronization:

This is now complete. A user whose adminDescription has been set to PHSFiltered will not have their password hash synchronized to Azure AD.
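The PowerShell half of the procedure above, as an added example that is not from the original post: it stops the scheduler, sanity-checks the two custom rules after they have been created in the Synchronization Rules Editor, tags the excluded user, restarts the scheduler with a full sync, and lists every account currently excluded. It assumes the ADSync and ActiveDirectory modules are available on the AD Connect server; 'jdoe' is a placeholder account, and the rule-object property names used in the check are assumed.

```powershell
# Added example, not the post's own script. Placeholders and assumptions are
# marked in the comments.
Import-Module ADSync
Import-Module ActiveDirectory

# Step 1: stop the scheduler so no sync cycle runs while the rules are edited.
Set-ADSyncScheduler -SyncCycleEnabled $false
(Get-ADSyncScheduler).SyncCycleEnabled   # should now report False

# Steps 2 and 3 are done in the Synchronization Rules Editor. After that,
# check both custom copies: the PHS-enabled copy (precedence 89 in the post)
# must have a lower precedence number than the PHS-disabled copy, and only one
# of the two should have password sync enabled. The wildcard tolerates the
# hyphen/en dash difference in the rule name. Property names are assumptions.
Get-ADSyncRule |
    Where-Object { $_.Name -like 'In from AD*User AccountEnabled*' } |
    Sort-Object Precedence |
    Select-Object Name, Precedence, EnablePasswordSync, Disabled

# Step 5: tag the user whose hash must NOT be synchronized. adminDescription is
# the scoping attribute from the post; 'jdoe' is a placeholder sAMAccountName.
$excludedUser = 'jdoe'
Set-ADUser -Identity $excludedUser -Replace @{ adminDescription = 'PHSFiltered' }

# Step 4: re-enable the scheduler and run a full (Initial) cycle so the new
# scoping filters are evaluated against every object, not only changed ones.
Set-ADSyncScheduler -SyncCycleEnabled $true
Start-ADSyncSyncCycle -PolicyType Initial

# Verification: every account carrying the exclusion marker. Review this list
# periodically so that nobody is silently excluded from (or added back to) PHS.
Get-ADUser -Filter "adminDescription -eq 'PHSFiltered'" -Properties adminDescription |
    Select-Object SamAccountName, adminDescription
```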
