
Password Hash Synchronization in Azure AD Connect. Password hash synchronization is a feature of Azure AD Connect that synchronizes user password hashes from an on-premises Active Directory (AD) environment to Azure AD. Organizations can therefore run a hybrid identity infrastructure by synchronizing a derivative of the password hash rather than the password itself. This article describes its internal mechanisms so that admins and security professionals understand how the feature works before they implement and manage it.

This article also covers the benefits of the feature, the considerations to keep in mind during deployment, and the details of the synchronization process, so readers can judge whether password hash synchronization fits their organization's security requirements.

How Password Hash Synchronization Works with Azure AD Connect

As businesses adopt cloud computing, a large percentage choose to connect their on-premises Active Directory (AD) environment to its cloud counterpart, Microsoft's Azure Active Directory. When we extend on-premises AD to Azure AD, this article compares 2 choices for how on-premises users authenticate to the cloud service: identity federation, and direct authentication against Azure AD itself (pass-through authentication, a third option, is out of scope here). Direct authentication is the simpler of the 2, but it requires enabling the feature known as password hash synchronization (or simply password hash sync).

Password hash sync is a poorly understood feature that deserves a closer look. Of the two options, identity federation with a federation service (FS) such as AD FS provides single sign-on to Azure AD by redirecting users from the cloud service back to their on-premises AD for authentication.

The other option, direct authentication in Azure AD, requires the user's username and a verifier for the password to be stored in the cloud service itself. For an on-premises AD, the only way to get it there is the password hash sync feature of Microsoft's Azure AD Connect; no third-party product provides an equivalent capability.

Password Hash Sync Overview

At its simplest, password hash sync (PHS) copies a derivative of each user's password hash from AD to Azure AD, checking for changes every 2 minutes. Users then sign in to Azure AD with the same username and password they use for their AD login. Microsoft calls this pattern same sign-on.

It is distinct from single sign-on because, with password hash sync alone, users are prompted to sign in to Azure AD in addition to any corporate login they have already done. Microsoft provided it because it is simpler to implement than a federation service: it gives organizations an easy way to integrate on-premises AD users with Azure AD without deploying and operating a highly available federation farm of multiple servers.

The simpler solution has proved popular; about 50% of organizations that synchronize with Azure AD use password hash sync, and half of those are small and medium-sized organizations. It also provides a smooth path for these organizations to move to a cloud-first or cloud-only IT infrastructure, because users are already authenticating directly with the Azure AD service.

Another advantage of password hash sync is that, unlike federation, it doesn't depend on an external federation service to process authentications. Microsoft also allows password hash sync to be enabled alongside federation, so it can serve as a fallback if the federation service has an outage.


Password Hash Sync Security

Note that we describe this feature as password hash sync, not password sync, because the 2 concepts are different. Microsoft does not synchronize cleartext passwords between AD DS and Azure AD. Because AD does not store cleartext passwords, doing so is not merely a bad idea but technically impossible.

When a user creates or updates their password in AD, the domain controllers (DCs) store a one-way hash of it: the NT hash, an MD4 digest of the UTF-16LE-encoded password. A further derivative of this hash (described in the steps below), not the NT hash itself, is what gets synchronized to Azure AD and stored in the service's credential store.

Steps for Securing Password Hash Sync

The following section outlines the steps of the password hash synchronization process, including where encryption is applied and what that means for FIPS (Federal Information Processing Standards) compliance:

Step 1

The system stores user passwords as a non-reversible hash on Windows Server Active Directory domain controllers (DCs). When the password hash sync agent on Azure AD Connect requests a password hash, the DC encrypts the hash before returning it. The encryption key is derived from the RPC session key by salting it:

					SaltedEncryptionKey = MD5(RPC session key, 128-bit random salt)
Step 2

The encrypted password hash is replicated (using the DC replication protocol) from the DC to the Password Hash Sync Agent.

Step 3

The Password Hash Sync Agent derives the same key and decrypts the encrypted hash. The agent uses MD5 for the key derivation because the derivation has to match the one the DC performed when it encrypted the data, and MD5 is the strongest option available for this step in the DC replication protocol of existing Windows Server Active Directory deployments.

Step 4

Once the decryption is finished, the sync agent takes the resulting original password hash and re-hashes it to a SHA256 hash using the PBKDF2 key derivation algorithm defined in RFC 2898 (HMAC-SHA256 with a per-user salt). The value sent onward is therefore not the NT hash and cannot be used directly in its place, for example for pass-the-hash against on-premises resources.

Step 5

The Password Hash Sync Agent then syncs that SHA256-hashed password hash over the wire (an encrypted Service Bus relay dedicated to the Azure AD tenant) to Azure AD.

Step 6

Once the SHA256-hashed copy of the original password hash reaches Azure AD, Azure AD encrypts it with the AES algorithm before storing it in the cloud database.

The only thing that crosses the wire to Azure AD is the SHA256-hashed derivative of the original password hash. The password hash sync agent's use of MD5 is strictly for replication protocol compatibility with the DC, and it is only used on-premises between the DC and the password hash sync agent. This is where FIPS compliance matters: on an Azure AD Connect server locked down by FIPS policy, MD5 is disabled and password hash sync fails. Microsoft's documented workaround is to add <enforceFIPSPolicy enabled="false"/> to the configuration/runtime node of miiserver.exe.config in the Azure AD Connect Bin folder; treat that as a deliberate policy exception that the security team should record.
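The six steps above as a runnable Python model, added for this article (it is not Microsoft's code and not taken from Azure AD Connect). It computes the NT hash a DC stores (MD4 over the UTF-16LE password, the starting point of step 1), derives the salted MD5 key from a constructed RPC session key and encrypts the hash for replication (steps 1 and 2), decrypts it on the agent side with the same derivation (step 3), and re-hashes it with PBKDF2-HMAC-SHA256 (step 4), then shows how the cloud side can verify a sign-in against that value. Assumptions not stated on this page: the cipher used with the MD5 key is RC4 (as in the DRS replication protocol's payload encryption); the 16-byte hash is expanded to 64 bytes (hex, then UTF-16LE), salted with a 10-byte per-user salt and iterated 1000 times, following Microsoft's published description; lowercase hex, the 32-byte output length, and the session key and user salt values are choices made for the demo.

```python
import hashlib
import hmac
import os
import struct

M32 = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib often lacks MD4 on OpenSSL 3 builds."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rotl(v, n): return ((v << n) | (v >> (32 - n))) & M32

    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1
            a = rotl((a + f(b, c, d) + x[i]) & M32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            a = rotl((a + g(b, c, d) + x[r2[i]] + 0x5A827999) & M32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            a = rotl((a + h(b, c, d) + x[r3[i]] + 0x6ED9EBA1) & M32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & M32, (b + bb) & M32, (c + cc) & M32, (d + dd) & M32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """What the DC stores for the user: MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16le"))


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR (assumed cipher for the DRS payload; not named on the page)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def salted_key(session_key: bytes, salt: bytes) -> bytes:
    """SaltedEncryptionKey = MD5(RPC session key, 128-bit random salt)."""
    return hashlib.md5(session_key + salt).digest()


def dc_encrypt(session_key: bytes, stored_hash: bytes, salt: bytes = None):
    """DC side: encrypt the stored hash under the salted key before replication."""
    salt = os.urandom(16) if salt is None else salt
    return salt, rc4(salted_key(session_key, salt), stored_hash)


def agent_decrypt(session_key: bytes, salt: bytes, encrypted_hash: bytes) -> bytes:
    """Agent side: re-derive the identical key and decrypt (MD5 stays on-premises)."""
    return rc4(salted_key(session_key, salt), encrypted_hash)


def rehash_for_cloud(stored_hash: bytes, user_salt: bytes, iterations: int = 1000) -> bytes:
    """Expand 16 bytes -> 32 hex chars -> 64 bytes UTF-16LE, then PBKDF2-HMAC-SHA256."""
    expanded = stored_hash.hex().encode("utf-16le")  # hex case is an assumption
    return hashlib.pbkdf2_hmac("sha256", expanded, user_salt, iterations, dklen=32)


def verify_cloud_login(password: str, user_salt: bytes, cloud_value: bytes) -> bool:
    """Cloud side: recompute the derivative from the typed password and compare."""
    return hmac.compare_digest(rehash_for_cloud(nt_hash(password), user_salt), cloud_value)


def phs_roundtrip(password: str, session_key: bytes, user_salt: bytes) -> dict:
    """Run the on-premises leg end to end and return what each hop carries."""
    h = nt_hash(password)
    salt, onprem_wire = dc_encrypt(session_key, h)
    recovered = agent_decrypt(session_key, salt, onprem_wire)
    assert recovered == h, "agent derivation must match the DC's"
    return {"nt_hash": h, "onprem_wire": onprem_wire,
            "cloud_value": rehash_for_cloud(recovered, user_salt)}


if __name__ == "__main__":
    SESSION_KEY = bytes(range(16))  # constructed stand-in for the RPC session key
    USER_SALT = bytes(range(10))    # constructed 10-byte per-user salt
    r = phs_roundtrip("password", SESSION_KEY, USER_SALT)
    for name, value in r.items():
        print(f"{name:12} {value.hex()}")
    print("cloud verify:", verify_cloud_login("password", USER_SALT, r["cloud_value"]))
```

Run it and compare the three printed values: the NT hash for "password" is the familiar 8846f7ea... value, the on-premises wire value differs from it on every run because the salt is random, and the cloud value is a 32-byte PBKDF2 output that is not usable as an NT hash even if the cloud store leaks.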

Advantages of Password Hash Sync

There is one use case in which password hash sync is mandatory: Azure AD Domain Services. This feature provides domain controllers as a service for Azure workloads (such as VMs running AD-dependent applications). For those DCs to be functionally equivalent to on-premises DCs, they must hold user password hashes, and password hash sync is how those hashes get into Azure.

Password hash sync is a popular solution for integrating on-premises identities with Azure AD. It is less elegant than identity federation, but it is simpler. As with any design decision, make sure you have thought through the solution's strengths and weaknesses and how they apply to your situation.

Disadvantages of Password Hash Sync

From the user's viewpoint, the most obvious disadvantage is that the user must enter their corporate credentials a second time, regardless of whether they are signed in on the corporate network or coming from a public network. Users can reduce the number of prompts by checking the Keep me signed in (KMSI) checkbox, but doing so sets a persistent cookie that bypasses re-authentication for a period. The security team should weigh in on this; the Azure AD admin can allow or prevent the KMSI behavior.

From the identity professional's viewpoint, the problem with password hash sync is that we distribute a password-derived credential to more than one place for authentication, whereas federation redirects all authentication requests to a single identity provider. Although Microsoft has taken considerable care to make the process secure, concerns about where a password derivative lives and for how long are legitimate.

Password Hash Synchronization in Azure AD Connect Conclusion

In conclusion, understanding how password hash synchronization works with Azure AD Connect is vital for organizations aiming to enhance security and streamline user authentication. With this feature, businesses synchronize a hashed derivative of password hashes from on-premises Active Directory to Azure AD while maintaining a hybrid identity infrastructure. Knowing the synchronization steps, the encryption involved at each hop, and the FIPS caveat lets admins and security professionals deploy the feature while protecting sensitive user credentials.


Marion Mendoza


Windows Server and VMware SME. Powershell Guru. Currently working with Fortune 500 companies responsible for participating in 3rd level systems support across the enterprise. Acting as a Windows Server engineer and VMware Specialist.
