Disable weak ciphers and password hash synchronization to secure an Azure Active Directory Domain Services managed domain
By default, Azure Active Directory Domain Services (Azure AD DS) enables the use of ciphers such as NTLM v1 and TLS v1. These ciphers may be required for some legacy applications, but are considered weak and can be disabled if you don't need them. If you have on-premises hybrid connectivity using Azure AD Connect, you can also disable the synchronization of NTLM password hashes.
This article shows you how to disable NTLM v1 and TLS v1 ciphers and disable NTLM password hash synchronization.
Prerequisites
To complete this article, you need the following resources:
- An active Azure subscription.
- If you don't have an Azure subscription, create an account.
- An Azure Active Directory tenant associated with your subscription, either synchronized with an on-premises directory or a cloud-only directory.
- An Azure Active Directory Domain Services managed domain enabled and configured in your Azure AD tenant.
- Install and configure Azure PowerShell.
- If needed, follow the instructions to install the Azure PowerShell module and connect to your Azure subscription.
- Make sure that you sign in to your Azure subscription using the Connect-AzAccount cmdlet.
- Install and configure Azure AD PowerShell.
- If needed, follow the instructions to install the Azure AD PowerShell module and connect to Azure AD.
- Make sure that you sign in to your Azure AD tenant using the Connect-AzureAD cmdlet.
Disable weak ciphers and NTLM password hash sync
To disable weak cipher suites and NTLM credential hash synchronization, sign in to your Azure account, then get the Azure AD DS resource using the Get-AzResource cmdlet:
Tip
If you receive an error using the Get-AzResource command that the Microsoft.AAD/DomainServices resource doesn't exist, elevate your access to manage all Azure subscriptions and management groups.
Connect-AzAccount
$DomainServicesResource = Get-AzResource -ResourceType "Microsoft.AAD/DomainServices"
Next, define DomainSecuritySettings to configure the following security options:
- Disable NTLM v1 support.
- Disable the synchronization of NTLM password hashes from your on-premises AD.
- Disable TLS v1.
Important
Users and service accounts can't perform LDAP simple binds if you disable NTLM password hash synchronization in the Azure AD DS managed domain. If you need to perform LDAP simple binds, don't set the "SyncNtlmPasswords"="Disabled" security configuration option in the following command.
$securitySettings = @{"DomainSecuritySettings"=@{"NtlmV1"="Disabled";"SyncNtlmPasswords"="Disabled";"TlsV1"="Disabled"}}
Finally, apply the defined security settings to the managed domain using the Set-AzResource cmdlet. Specify the Azure AD DS resource from the first step, and the security settings from the previous step.
Set-AzResource -Id $DomainServicesResource.ResourceId -Properties $securitySettings -Verbose -Force
It takes a few moments for the security settings to be applied to the managed domain.
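The following function is an added example, not code from the original article: it applies the three settings from the steps above in one call, leaves NTLM password hash synchronization enabled when a switch is given (the LDAP simple bind caveat), and then reads the managed domain back to verify what was actually applied. It assumes you are already signed in with Connect-AzAccount and that the property names returned by Get-AzResource match the ones written (PowerShell property access is case-insensitive, so casing differences don't matter).

```powershell
# Added example; assumes an active Connect-AzAccount session.
function Set-AaddsWeakCipherHardening {
    param(
        # Use this switch if users or service accounts still need LDAP simple binds,
        # which depend on the synchronized NTLM password hash staying in the domain.
        [switch]$KeepNtlmPasswordHashSync
    )

    $domains = @(Get-AzResource -ResourceType "Microsoft.AAD/DomainServices")
    if ($domains.Count -eq 0) {
        throw "No Microsoft.AAD/DomainServices resource found; check the subscription context or elevated access."
    }

    $domainSecurity = @{
        "NtlmV1" = "Disabled"   # legacy NTLM v1 authentication
        "TlsV1"  = "Disabled"   # TLS 1.0
    }
    if (-not $KeepNtlmPasswordHashSync) {
        # Stop synchronizing NTLM password hashes from on-premises AD.
        $domainSecurity["SyncNtlmPasswords"] = "Disabled"
    }

    foreach ($domain in $domains) {
        Set-AzResource -Id $domain.ResourceId `
                       -Properties @{ "DomainSecuritySettings" = $domainSecurity } `
                       -Force | Out-Null

        # Read the resource back and report any setting that is not Disabled.
        # Assumption: the read-back exposes Properties.DomainSecuritySettings.<Name>.
        $applied = (Get-AzResource -ResourceId $domain.ResourceId).Properties.DomainSecuritySettings
        foreach ($name in $domainSecurity.Keys) {
            $state = $applied.$name
            [pscustomobject]@{
                Domain   = $domain.Name
                Setting  = $name
                Expected = "Disabled"
                Actual   = $state
                Ok       = ($state -eq "Disabled")
            }
        }
    }
}

# Usage:
#   Set-AaddsWeakCipherHardening                           # disables NTLM v1, TLS v1 and NTLM hash sync
#   Set-AaddsWeakCipherHardening -KeepNtlmPasswordHashSync # keeps LDAP simple binds working
```

Because the settings take a few moments to apply, a row with Ok = False immediately after the call is not necessarily a failure; re-run the function's read-back portion (or the whole function) after a short wait before treating it as one.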
Important
After you disable NTLM, perform a full password hash synchronization in Azure AD Connect to remove all the password hashes from the managed domain. If you disable NTLM but don't force a password hash sync, NTLM password hashes for a user account are only removed on the next password change. This behavior could allow a user to continue to sign in if they have cached credentials on a system where NTLM is used as the authentication method.
Once the NTLM password hash is different from the Kerberos password hash, fallback to NTLM won't work. Cached credentials also no longer work if the VM has connectivity to the managed domain controller.
Next steps
To learn more about the synchronization process, see How objects and credentials are synchronized in a managed domain.