You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/active-directory/hybrid/how-to-connect-password-hash-synchronization.md
+6-6Lines changed: 6 additions & 6 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -37,6 +37,11 @@ Your current cloud service session is not immediately affected by a synchronized
37
37
38
38
A user must enter their corporate credentials a second time to authenticate to Azure AD, regardless of whether they're signed in to their corporate network. This pattern can be minimized, however, if the user selects the Keep me signed in (KMSI) check box at sign-in. This selection sets a session cookie that bypasses authentication for 180 days. KMSI behavior can be enabled or disabled by the Azure AD administrator. In addition, you can reduce password prompts by configuring [Azure AD join](../devices/concept-azure-ad-join.md) or [Hybrid Azure AD join](../devices/concept-azure-ad-join-hybrid.md), which automatically signs users in when they are on their corporate devices connected to your corporate network.
39
39
40
+
### Additional advantages
41
+
42
+
- Generally, password hash synchronization is simpler to implement than a federation service. It doesn't require any additional servers, and eliminates dependence on a highly available federation service to authenticate users.
43
+
- Password hash synchronization can also be enabled in addition to federation. It may be used as a fallback if your federation service experiences an outage.
44
+
40
45
> [!NOTE]
41
46
> Password sync is only supported for the object type user in Active Directory. It is not supported for the iNetOrgPerson object type.
42
47
@@ -152,19 +157,14 @@ If your organization uses the accountExpires attribute as part of user account m
152
157
153
158
### Overwrite synchronized passwords
154
159
155
-
An administrator can manually reset your password by using Windows PowerShell.
160
+
An administrator can manually reset your password directly in Azure AD by using Windows PowerShell (unless the user is in a Federated Domain).
156
161
157
162
In this case, the new password overrides your synchronized password, and all password policies defined in the cloud are applied to the new password.
158
163
159
164
If you change your on-premises password again, the new password is synchronized to the cloud, and it overrides the manually updated password.
160
165
161
166
The synchronization of a password has no impact on the Azure user who is signed in. Your current cloud service session is not immediately affected by a synchronized password change that occurs while you're signed in to a cloud service. KMSI extends the duration of this difference. When the cloud service requires you to authenticate again, you need to provide your new password.
162
167
163
-
### Additional advantages
164
-
165
-
- Generally, password hash synchronization is simpler to implement than a federation service. It doesn't require any additional servers, and eliminates dependence on a highly available federation service to authenticate users.
166
-
- Password hash synchronization can also be enabled in addition to federation. It may be used as a fallback if your federation service experiences an outage.
167
-
168
168
## Password hash sync process for Azure AD Domain Services
169
169
170
170
If you use Azure AD Domain Services to provide legacy authentication for applications and services that need to use Kerberos, LDAP, or NTLM, some additional processes are part of the password hash synchronization flow. Azure AD Connect uses the additional following process to synchronize password hashes to Azure AD for use in Azure AD Domain Services:
0 commit comments