RST-1727 asked HeinigerThomasCloudAdmin-5993 commented

Password Hash Removal from Azure AD

Hi Team,

If I disable PHS on the AADC server, does it remove all the password hashes (already synced) from Azure AD, or is the hash still there even though it is not being used?

I am testing PHS with staged rollout, and if I wanted to roll back, I would need to ensure the hash also gets purged from AAD, and to know how we validate that it is actually purged.

Thanks in advance, Team!

azure-active-directory

@RST-1727
Thank you for your post!

When it comes to the password hash, the SHA256 password data stored in Azure AD (a hash of the original MD4 hash) is more secure than what is stored in Active Directory. Because this SHA256 hash cannot be decrypted, it cannot be brought back to the organization's Active Directory environment and presented as a valid user password in a pass-the-hash attack. Additionally, with PHS you get access to the Leaked Credentials service, where leaked credentials are checked against Azure AD users' current valid credentials to find matches.

For purging the hashes, is there a reason you're looking to verify this, given that the stored SHA-256 hash can't be decrypted or used within your organization's Active Directory for authentication/authorization?


Thank you for your time.

AndyDavid answered AndyDavid edited

The only way would probably be to remove and purge any of the Azure accounts you staged the roll-out with.
If that is not possible, then change their passwords after the rollback and it won't matter.

Regardless, I would not be concerned, honestly. Those hashes can't be used anywhere other than in Azure, and only for those accounts.

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-password-hash-synchronization

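The two steps the answer above describes for a rollback (turn PHS off on the Azure AD Connect server, then change the passwords of the users who were in scope for the staged rollout) as one script. This is an added example, not code from the thread or from Microsoft; it assumes it runs on the Azure AD Connect server with the ADSync and ActiveDirectory modules present, that the pilot users are members of one AD group, and the connector and group names are hypothetical placeholders. Run it with -WhatIf first.

```powershell
# Added example (not from the thread). Connector and group names are hypothetical.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$SourceConnector = 'contoso.com',                     # on-prem AD connector (hypothetical)
    [string]$TargetConnector = 'contoso.onmicrosoft.com - AAD',  # Azure AD connector (hypothetical)
    [string]$PilotGroup      = 'SG-PHS-StagedRollout'             # group holding staged-rollout users (hypothetical)
)

Import-Module ADSync
Import-Module ActiveDirectory

# Step 1: confirm PHS is off for the on-prem connector and disable it if not.
# Disabling PHS only stops new hashes from being sent; hashes already
# synchronized stay in Azure AD, which is the point the thread makes.
$phs = Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $SourceConnector
if ($phs.Enabled) {
    if ($PSCmdlet.ShouldProcess($SourceConnector, 'Disable password hash synchronization')) {
        Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $SourceConnector `
            -TargetConnector $TargetConnector -Enable $false
    }
}
else {
    Write-Verbose "PHS already disabled for $SourceConnector"
}

# Step 2: require a password change for every user that was in the pilot group.
# After the change, the hash that remains in Azure AD no longer matches the
# user's current on-prem password, which is what AndyDavid's second option relies on.
$members = Get-ADGroupMember -Identity $PilotGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

$report = foreach ($m in $members) {
    $u = Get-ADUser -Identity $m.distinguishedName -Properties PasswordLastSet
    if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Require password change at next logon')) {
        Set-ADUser -Identity $u.DistinguishedName -ChangePasswordAtLogon $true
    }
    # Keep a record of which accounts still have a stale hash in Azure AD until
    # the user actually changes the password (PasswordLastSet will move forward).
    [PSCustomObject]@{
        SamAccountName  = $u.SamAccountName
        PasswordLastSet = $u.PasswordLastSet
        StaleHashInAAD  = $true
    }
}

$report | Format-Table -AutoSize
```

The report is the only way to track progress: nothing on the Azure AD side tells you a synchronized hash has been invalidated, so the check is that PasswordLastSet on-prem is later than the time PHS was disabled for every listed account.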

RST-1727 answered HeinigerThomasCloudAdmin-5993 commented

Thank you JamesTran-MSFT & AndyDavid. I guess that's the only option, as the hash can't be used further other than in Azure AD.

Quick check though: I have selected users in the staged rollout, but the password sync applies to all the users defined in the AADConnect scope, and their password hash will remain in Azure AD, is that right?


We deployed PHS for dedicated users in our tenant, based on federated authentication and AD Connect.
After removing users from PHS sync, the password remains in Azure, and we are still able to sign in.
Changing the on-prem password has no effect, because the user is no longer PHS-enabled.
In this case, we found no way to destroy the Azure AD PHS entry, and it remains there.
We would like to know how we can clear the PHS entry in Azure, to prevent login directly to Azure.
