articles/active-directory/hybrid/how-to-connect-password-hash-synchronization.md
8 additions & 6 deletions
@@ -37,6 +37,11 @@ Your current cloud service session is not immediately affected by a synchronized
37
37
38
38
A user must enter their corporate credentials a second time to authenticate to Azure AD, regardless of whether they're signed in to their corporate network. This pattern can be minimized, however, if the user selects the Keep me signed in (KMSI) check box at sign-in. This selection sets a session cookie that bypasses authentication for 180 days. KMSI behavior can be enabled or disabled by the Azure AD administrator. In addition, you can reduce password prompts by configuring [Azure AD join](../devices/concept-azure-ad-join.md) or [Hybrid Azure AD join](../devices/concept-azure-ad-join-hybrid.md), which automatically signs users in when they are on their corporate devices connected to your corporate network.
39
39
40
+
### Additional advantages
41
+
42
+
- Generally, password hash synchronization is simpler to implement than a federation service. It doesn't require any additional servers, and eliminates dependence on a highly available federation service to authenticate users.
43
+
- Password hash synchronization can also be enabled in addition to federation. It may be used as a fallback if your federation service experiences an outage.
44
+
40
45
> [!NOTE]
41
46
> Password sync is only supported for the object type user in Active Directory. It is not supported for the iNetOrgPerson object type.
42
47
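Review bot: relocating `### Additional advantages` to +41 puts the existing `> [!NOTE]` about object-type support (now at +45/+46) directly under the advantages bullet list instead of under the KMSI paragraph it originally qualified, so it reads as a caveat on the advantages; consider inserting the new heading and bullets after the note rather than before it. Minor style point on +43: "It doesn't require any additional servers, and eliminates dependence on a highly available federation service" splits a compound predicate with a comma; drop the comma.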
@@ -142,6 +147,8 @@ To support temporary passwords in Azure AD for synchronized users, you can enabl
142
147
> Forcing a user to change their password on next logon requires a password change at the same time. Azure AD Connect will not pick up the force password change flag by itself; it is supplemental to the detected password change that occurs during password hash sync.
143
148
>
144
149
> If the user has the option "Password never expires" set in Active Directory (AD), the force password change flag will not be set in Active Directory (AD), so the user will not be prompted to change the password during the next sign-in.
150
+
>
151
+
> A new user created in Active Directory with "User must change password at next logon" flag will always be provisioned in Azure AD with a password policy to "Force change password on next sign-in", irrespective of the *ForcePasswordChangeOnLogOn* feature being true or false. This is an Azure AD internal logic since the new user is provisioned without a password, whereas *ForcePasswordChangeOnLogOn* feature only affects admin password reset scenarios.
145
152
146
153
> [!CAUTION]
147
154
> You should only use this feature when SSPR and Password Writeback are enabled on the tenant. This is so that if a user changes their password via SSPR, it will be synchronized to Active Directory.
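Review bot: wording on +151: "This is an Azure AD internal logic" is ungrammatical; suggest "This is internal Azure AD logic". In the same line, "irrespective of the *ForcePasswordChangeOnLogOn* feature being true or false" would read better as "regardless of whether the *ForcePasswordChangeOnLogOn* feature is enabled", and "with a password policy to 'Force change password on next sign-in'" as "with the password policy 'Force change password on next sign-in'".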
@@ -152,19 +159,14 @@ If your organization uses the accountExpires attribute as part of user account m
152
159
153
160
### Overwrite synchronized passwords
154
161
155
-
An administrator can manually reset your password by using Windows PowerShell.
162
+
An administrator can manually reset your password directly in Azure AD by using Windows PowerShell (unless the user is in a Federated Domain).
156
163
157
164
In this case, the new password overrides your synchronized password, and all password policies defined in the cloud are applied to the new password.
158
165
159
166
If you change your on-premises password again, the new password is synchronized to the cloud, and it overrides the manually updated password.
160
167
161
168
The synchronization of a password has no impact on the Azure user who is signed in. Your current cloud service session is not immediately affected by a synchronized password change that occurs while you're signed in to a cloud service. KMSI extends the duration of this difference. When the cloud service requires you to authenticate again, you need to provide your new password.
162
169
163
-
### Additional advantages
164
-
165
-
- Generally, password hash synchronization is simpler to implement than a federation service. It doesn't require any additional servers, and eliminates dependence on a highly available federation service to authenticate users.
166
-
- Password hash synchronization can also be enabled in addition to federation. It may be used as a fallback if your federation service experiences an outage.
167
-
168
170
## Password hash sync process for Azure AD Domain Services
169
171
170
172
If you use Azure AD Domain Services to provide legacy authentication for applications and services that need to use Kerberos, LDAP, or NTLM, some additional processes are part of the password hash synchronization flow. Azure AD Connect uses the additional following process to synchronize password hashes to Azure AD for use in Azure AD Domain Services:
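Review bot: +162 switches person mid-sentence: "An administrator can manually reset your password ... (unless the user is in a Federated Domain)". The surrounding paragraphs are written in the second person, so suggest "(unless your account is in a federated domain)", with "federated domain" in lowercase as a common noun. The removal of the `### Additional advantages` block at -163 to -167 pairs with its insertion in the first hunk; verify the relocated bullet text is identical so nothing is dropped in the move.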