Implementing password synchronization with Azure AD Connect sync

This topic provides you with the information you need to synchronize your user passwords from an on-premises Active Directory (AD) to a cloud-based Azure Active Directory (Azure AD).

What is password synchronization

The probability that you are blocked from getting your work done by a forgotten password rises with the number of different passwords you need to remember. Questions and calls about password resets and other password-related issues are among the largest consumers of helpdesk resources.

Password synchronization is a feature to synchronize user passwords from an on-premises Active Directory to a cloud-based Azure Active Directory (Azure AD). This feature enables you to sign in to Azure Active Directory services (such as Office 365, Microsoft Intune, CRM Online, and Azure AD Domain Services) using the same password you are using to sign in to your on-premises Active Directory.

By reducing the number of passwords your users need to maintain to just one, password synchronization helps you to:

  • Improve the productivity of your users
  • Reduce your helpdesk costs

Also, if you choose to use federation with AD FS, you can optionally enable password synchronization as a backup in case your AD FS infrastructure fails.

What is Azure AD Connect

Password synchronization is an extension to the directory synchronization feature implemented by Azure AD Connect sync. To use password synchronization in your environment, you need to:

  • Install Azure AD Connect
  • Configure directory synchronization between your on-premises AD and your Azure Active Directory
  • Enable password synchronization

For more details, see Integrating your on-premises identities with Azure Active Directory.

Note

For more details about Active Directory Domain Services that are configured for FIPS and password synchronization, see Password Sync and FIPS.

How password synchronization works

Active Directory Domain Services stores passwords in the form of a hash value rather than the password itself. A hash value is the result of a one-way mathematical function (the "hashing algorithm"); there is no method to reverse a one-way function and recover the plain-text password. A hash is not the password, so a user cannot type it at an interactive logon. It is nonetheless a sensitive credential, because the on-premises hash can be replayed in a pass-the-hash attack, which is why password synchronization never sends it to Azure AD unchanged.

To synchronize your password, Azure AD Connect sync extracts your password hash from the on-premises Active Directory. Extra security processing is applied to the password hash before it is synchronized to the Azure Active Directory authentication service. Passwords are synchronized on a per-user basis and in chronological order.

The actual data flow of the password synchronization process is similar to the synchronization of user data such as DisplayName or Email Addresses. However, passwords are synchronized more frequently than the standard directory synchronization window for other attributes. The password synchronization process runs every 2 minutes. You cannot modify the frequency of this process. When you synchronize a password, it overwrites the existing cloud password.

The first time you enable the password synchronization feature, it performs an initial synchronization of the passwords of all in-scope users. You cannot explicitly define a subset of user passwords to synchronize.

When you change an on-premises password, the updated password is synchronized, most often within minutes. The password synchronization feature automatically retries failed synchronization attempts. If an error occurs during an attempt to synchronize a password, it is logged in Event Viewer.

The synchronization of a password has no impact on the currently logged on user. Your current cloud service session is not immediately affected by a synchronized password change that occurs while you are signed in to a cloud service. However, when the cloud service requires you to authenticate again, you need to provide your new password.

One caveat is that a user must enter their corporate credentials a second time to authenticate to Azure AD, regardless of whether they are already logged on to the corporate network. This can be reduced if the user selects the "Keep me signed in" (KMSI) check box at sign-in. Selecting it sets a session cookie that bypasses authentication for a short period. KMSI behavior can be enabled or disabled by the Azure Active Directory administrator.

Note

Password sync is only supported for the object type user in Active Directory. It is not supported for the iNetOrgPerson object type.

Detailed description of how password synchronization works

The following describes in-depth how password synchronization works between Active Directory and Azure Active Directory.

Detailed password flow

  1. Every two minutes, the password synchronization agent on the AD Connect server requests stored password hashes (the unicodePwd attribute) from a DC via the standard MS-DRSR replication protocol used to synchronize data between DCs. The service account must have the Replicate Directory Changes and Replicate Directory Changes All AD permissions (granted by default on installation) to obtain the password hashes. Because those permissions allow the account to retrieve the hash of every account in the domain, protect the AD Connect server and its service account to the same standard as a domain controller.
  2. Before sending, the DC encrypts the MD4 password hash using a key that is an MD5 hash of the RPC session key and a salt. It then sends the result to the password synchronization agent over RPC. The DC also passes the salt to the synchronization agent using the DC replication protocol, so the agent is able to decrypt the envelope.
  3. Once the password synchronization agent has the encrypted envelope, it uses MD5CryptoServiceProvider and the salt to generate a key to decrypt the received data back to its original MD4 format. At no point does the password synchronization agent have access to the clear text password. The agent's use of MD5 is strictly for replication protocol compatibility with the DC, and is only used on premises between the DC and the agent.
  4. The password synchronization agent expands the 16-byte binary password hash to 64 bytes by first converting the hash to a 32-character hexadecimal string, then converting this string back into binary with UTF-16 encoding.
  5. The password synchronization agent adds a 10-byte salt to the 64-byte value to further protect the original hash.
  6. The password synchronization agent then feeds the expanded hash and the salt into the PBKDF2 function, using 1000 iterations of the HMAC-SHA256 keyed hashing algorithm.
  7. The password synchronization agent takes the resulting 32-byte hash, concatenates the salt and the number of SHA256 iterations to it (for use by Azure AD), then transmits the result from AD Connect to Azure AD over an SSL/TLS connection.
  8. When a user attempts to sign in to Azure AD and enters their password, the password is run through the same MD4, expansion, salt, and PBKDF2-HMAC-SHA256 process, using the salt and iteration count stored with the hash. If the resulting hash matches the hash stored in Azure AD, the user has entered the correct password and is authenticated.

Note

The original MD4 hash is not transmitted to Azure AD; rather, the SHA256 hash of the original MD4 hash is transmitted. As a result, if the hash stored in Azure AD is obtained, it cannot be used in an on-premises pass-the-hash attack.
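The eight steps above, as an added worked example in Python. This is not code from the page or from Azure AD Connect; it re-creates the derivation from the description. It implements MD4 in pure Python (hashlib often lacks it under OpenSSL 3), computes the NT hash (MD4 over the UTF-16LE password), expands it as steps 4 and 5 describe, runs PBKDF2-HMAC-SHA256 with a 10-byte salt and 1000 iterations, and verifies a candidate password the way step 8 describes. Three things are assumptions not stated on this page: the hexadecimal string is uppercase, the salt is random per user, and the `salt,iterations,hash` text record that carries the result is an illustrative encoding, not the format Azure AD uses on the wire or in its store.

```python
import hashlib
import hmac
import os
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320) in pure Python, so the example runs without OpenSSL's legacy provider."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = bytearray(data) + b"\x80"            # padding: 0x80, zeros, 64-bit LE bit length
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    round3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):                     # round 1: F = (b & c) | (~b & d)
            a = _rotl((a + ((b & c) | (~b & d)) + x[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                     # round 2: G = majority(b, c, d)
            k = (i % 4) * 4 + i // 4            # word order 0,4,8,12,1,5,9,13,...
            a = _rotl((a + ((b & c) | (b & d) | (c & d)) + x[k] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                     # round 3: H = b ^ c ^ d
            a = _rotl((a + (b ^ c ^ d) + x[round3_order[i]] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = (a0 + a) & MASK32, (b0 + b) & MASK32, (c0 + c) & MASK32, (d0 + d) & MASK32
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """The unicodePwd value of step 1: MD4 over the UTF-16LE encoding of the password."""
    return md4(password.encode("utf-16-le"))


def expand_nt_hash(nt: bytes) -> bytes:
    """Step 4: 16 bytes -> 32 hex characters -> UTF-16LE -> 64 bytes.
    Hex-digit case is not stated on the page; uppercase is an assumption here."""
    expanded = nt.hex().upper().encode("utf-16-le")
    assert len(expanded) == 64
    return expanded


def cloud_hash(nt: bytes, salt: bytes, iterations: int = 1000) -> bytes:
    """Steps 5-6: PBKDF2-HMAC-SHA256 over the expanded hash with a 10-byte salt, 32-byte output."""
    if len(salt) != 10:
        raise ValueError("the page specifies a 10-byte salt")
    return hashlib.pbkdf2_hmac("sha256", expand_nt_hash(nt), salt, iterations, dklen=32)


def sync_record(password: str, salt: bytes = None, iterations: int = 1000) -> str:
    """Step 7: the hash together with its salt and iteration count, as the agent would send it.
    The 'salt,iterations,hash' text layout is illustrative, not Azure AD's real format."""
    salt = os.urandom(10) if salt is None else salt   # random per-user salt: an assumption
    digest = cloud_hash(nt_hash(password), salt, iterations)
    return f"{salt.hex()},{iterations},{digest.hex()}"


def verify(candidate: str, record: str) -> bool:
    """Step 8: rerun the derivation with the stored salt and iterations, compare in constant time."""
    salt_hex, iterations, digest_hex = record.split(",")
    recomputed = cloud_hash(nt_hash(candidate), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(recomputed, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    rec = sync_record("password", salt=bytes(range(10)))   # fixed salt for a reproducible run
    print("NT hash :", nt_hash("password").hex())            # 8846f7eaee8fb117ad06bdd830b7586c
    print("record  :", rec)
    print("correct :", verify("password", rec))              # True
    print("wrong   :", verify("Password", rec))              # False
```

Two points the code makes visible. The only secret input to cloud_hash is the NT hash, so anyone who already holds a user's on-premises hash can compute the same cloud value; the salt and PBKDF2 step protect the on-premises hash against a compromise of the Azure AD copy, not the reverse. The MD5 step of steps 2 and 3 is deliberately not modelled: it only protects the hash in transit between the DC and the agent and has no effect on the value that is stored.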

How password synchronization works with Azure AD Domain Services

You can also use the password synchronization feature to synchronize your on-premises passwords to the Azure AD Domain Services. This scenario allows the Azure AD Domain Services to authenticate your users in the cloud with all the methods available in your on-premises AD. The experience of this scenario is similar to using the Active Directory Migration Tool (ADMT) in an on-premises environment.

Security considerations

When synchronizing passwords, the plain-text version of your password is not exposed to the password synchronization feature, to Azure AD, or any of the associated services.

User authentication takes place against Azure AD rather than against the organization's own Active Directory. If your organization has concerns about password data in any form leaving the premises, consider that the SHA256 password data stored in Azure AD, a salted and iterated hash of the original MD4 hash, is significantly more secure than what is stored in Active Directory. Further, because this SHA256 hash cannot be reversed to the original MD4 hash, it cannot be brought back to the organization's Active Directory environment and presented as a valid user password in a pass-the-hash attack.

Password policy considerations

There are two types of password policies that are affected by enabling password synchronization:

  1. Password Complexity Policy
  2. Password Expiration Policy

Password complexity policy
When you enable password synchronization, the password complexity policies in your on-premises Active Directory override complexity policies in the cloud for synchronized users. You can use all valid passwords of your on-premises Active Directory to access Azure AD services.

Note

Passwords for users that are created directly in the cloud are still subject to password policies as defined in the cloud.

Password expiration policy
If a user is in the scope of password synchronization, the cloud account password is set to "Never Expire".

You can continue to sign in to your cloud services using a synchronized password that has been expired in your on-premises environment. Your cloud password is updated the next time you change the password in the on-premises environment.

Account expiration
If your organization uses the accountExpires attribute as part of user account management, be aware that this attribute is not synchronized to Azure AD. As a result, an expired AD account in an environment configured for password synchronization is still active in Azure AD. It is recommended that, when an account expires, a workflow action triggers a PowerShell script that disables the user's Azure AD account. Conversely, when the account is re-enabled, the Azure AD account should be enabled again.

Overwriting synchronized passwords

An administrator can manually reset your password using Windows PowerShell.

In this case, the new password overrides your synchronized password and all password policies defined in the cloud are applied to the new password.

If you change your on-premises password again, the new password is synchronized to the cloud, and overrides the manually updated password.

The synchronization of a password has no impact on the currently logged on Azure user. Your current cloud service session is not immediately affected by a synchronized password change that occurs while you are signed in to a cloud service. KMSI will extend the duration of this difference. When the cloud service requires you to authenticate again, you need to provide your new password.

Additional Advantages

  • Generally, password synchronization is simpler to implement than a federation service. It does not require any additional servers, and eliminates dependence on a highly available federation service to authenticate users.
  • Password synchronization can also be enabled in addition to federation so it may be used as a fallback if your federation service experiences an outage.

Enabling password synchronization

Password synchronization is automatically enabled when you install Azure AD Connect using the Express Settings. For more details, see Getting started with Azure AD Connect using express settings.

If you use custom settings when you install Azure AD Connect, you enable password synchronization on the user sign-in page. For more details, see Custom installation of Azure AD Connect.

Password synchronization and FIPS

If your server has been locked down according to the Federal Information Processing Standard (FIPS), the .NET runtime blocks MD5, which the synchronization service needs only to decrypt the replication envelope from the DC (step 3 above); the PBKDF2-HMAC-SHA256 processing is unaffected.

To allow the synchronization service to use MD5, turn off .NET FIPS policy enforcement for the miiserver.exe process only, as follows:

  1. Go to %programfiles%\Azure AD Sync\Bin.
  2. Open miiserver.exe.config.
  3. Go to the configuration/runtime node (at the end of the file).
  4. Add the following node: <enforceFIPSPolicy enabled="false"/>
  5. Save your changes.

For reference, the result should look like this:

    <configuration>
        <runtime>
            <enforceFIPSPolicy enabled="false"/>
        </runtime>
    </configuration>

For information about security and FIPS, see AAD Password Sync, Encryption and FIPS compliance.

Troubleshooting password synchronization

If you have problems with password synchronization, then see Troubleshoot password synchronization.

Next steps