Hi,
We've recently enabled Password Hash Sync (migrating from ADFS) and were expecting an easy, seamless transition, but it's been as enjoyable as being punched in the face! We've experienced a tenfold increase in service desk calls and have users complaining of login failures.
We rolled out PHS and Azure SSO by the following:
Enabled PHS around a month ago on AAD Connect and pushed out the AAD SSO URLs to clients at the same time (i.e. https://autologon.microsoftazuread-sso.com)
Configured Azure SSO with staged rollout for a small pilot group and tested for several weeks. Tests worked flawlessly.
On Wednesday 2nd, switched the domain to PHS (Set-MsolDomainAuthentication -Authentication Managed -DomainName contoso.com). From this point onwards, we had a lot of password reset issues!
On Thursday we enabled AAD SSO (Enable-AzureADSSO -Enable $true) for the domain (this was missed on the previous day and is missing from the Microsoft documentation).
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/migrate-from-federation-to-cloud-authentication
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-quick-start
From AADConnect (Invoke-ADSyncDiagnostics) and the Azure portal AD Connect blade, Password Hash Sync as a service seems to work fine. Most of our users can log on OK, but we have seen a 10x increase in calls to our service desk. Whilst some of this is user error, I do not believe most of it is.
The issues we've found are:
- A password change on-premises can take up to 2 minutes to sync to AAD, so there's a brief window in which the password isn't valid in O365; some users might try to log in repeatedly or initiate another password reset via SSPR.
- For users for whom SSO doesn't work, there might be cached credentials in the browser that cause an invalid password attempt.
We have a higher number of password resets than normal being triggered since the PHS implementation. Why is this? What can we do to further troubleshoot and mitigate?
Thanks
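One way to measure the password-change sync latency described in the post is to read the Directory Synchronization events that AAD Connect writes to the Application log on the sync server. This is an added example, not code from the original post or from Microsoft; it assumes the ADSync module is loaded on the AAD Connect server, that the password sync events are logged under provider "Directory Synchronization" with IDs 650/651 (batch start/end) and 656/657 (change request/result), and that the connector name follows the default "contoso.com - AD DS" pattern.

```powershell
# Run on the AAD Connect server in an elevated PowerShell session.
# Assumption: ADSync module is installed with AAD Connect.
Import-Module ADSync -ErrorAction Stop

# Assumption: the default on-premises connector name; adjust to your forest.
$SourceConnector = 'contoso.com - AD DS'

function Get-PhsHealth {
    # Confirm the scheduler is running and PHS is enabled on the AD connector.
    $sched = Get-ADSyncScheduler
    $phs   = Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $SourceConnector
    [pscustomobject]@{
        SyncCycleEnabled = $sched.SyncCycleEnabled
        NextSyncUtc      = $sched.NextSyncCycleStartTimeInUTC
        PasswordSync     = $phs.PasswordSyncEnabled  # assumed property name
    }
}

function Get-PhsPasswordEvents {
    param([int]$Minutes = 30)
    # Assumption: provider name and event IDs used by the PHS agent.
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Directory Synchronization'
        Id           = 650, 651, 656, 657
        StartTime    = (Get-Date).AddMinutes(-$Minutes)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                # First line of the message is enough to see the anchor/result.
                Summary = ($_.Message -split "`r?`n")[0]
            }
        }
}

# Report health, then show the recent request/result pairs so the gap between
# a 656 (change request) and the following 657 (result) can be read off
# directly. A gap approaching the two-minute figure mentioned in the post
# points at the sync interval rather than at the user.
Get-PhsHealth | Format-List
Get-PhsPasswordEvents -Minutes 30 | Format-Table -AutoSize
```

If no 656/657 events appear at all for a user who just changed their password, check the event log for 650/651 batch errors before looking at the client side.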