Staged rollout password hash sync

Question

Hello

I recently enabled this feature. Its not working at all. If from chrome if i go to the azure portal or the O365 portal, i get redirected back to my onprem ADFS environment. The procedure to enable staged rollout was simple, so i dont understand why this is not working as described? I also confirmed that passwords are syncing to azure AD from onprem. Is there anything i can check that could explain why this feature is not working ?

Answer 1

@skip hofmann , It would be hard to tell whether, its broken somewhere or not working because of any steps being missed while deploying it. It would be great if you can recheck the steps I am sharing below just to make sure we are configuring it correctly.

Step 1: Make sure you have create a group with users in it and the users are not a part of any nested groups.

Step 2: Nested Groups and Dynamic groups are not supported.

Step 3: Users will experience the new signin experience only if there existing tokens are invalidated and their earlier sessions have expired. You can try testing it in the incognito mode/ inprivate browsing mode present in the browsers. You can also try revoking the tokens using Revoke-AzureADUserAllRefreshToken PowerShell cmdlet.

Step 4: Make sure that the synced users with which you are testing are not Global Admins in the tenants. We recommend using non-privileged synced users.

Step 5: You can only use maximum of 10 groups per feature i.e each for Password hash Sync and Pass Through Authentication

Do let me know if these points are present in your test so that we can plan the next steps accordingly.

If this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.

Answer 2

Hello

I get the following error when i run the command

Revoke-AzureADUserAllRefreshToken : Error occurred while executing RevokeUserAllRefreshTokens
Code: Request_BadRequest
Message: An error occurred while processing the invalidating refresh tokens request.
RequestId: f11c7fb1-38e5-425a-8cb3-dc26450f4562
DateTimeStamp: Wed, 11 Mar 2020 14:44:57 GMT
HttpStatusCode: BadRequest
HttpStatusDescription: Bad Request
HttpResponseStatus: Completed
At line:1 char:1

• Revoke-AzureADUserAllRefreshToken -ObjectId "79ba026c-1c52-4005-8292- ...
• ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
• CategoryInfo : NotSpecified: (:) [Revoke-AzureADUserAllRefreshToken], ApiException
• FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.RevokeU
  serAllRefreshTokens

Answer 3

@skip hofmann , That's strange. I believe it would have to be worked on over a call to understand where the failure happening. I believe you had posted one more post today in Microsoft Q&A. It would be great if you can open a case with the support team so that they can take a look into the issue while on call with you.

Do let us know if you have a valid Azure subscription and if you can open a case from that subscription. If not do let us know so that we can help in getting a one time free case created for you to help you fix this issue sooner.

You can share the following information in an email and send it to azcommunity'at'microsoft'dot'com:

• Tenant ID:
• Azure Subscription ID:

Once we have the following information, I would work upon creating the case for you.

Answer 4

I have already opened up a case . Case # is 120031124001687 Just waiting for a call back