- Configure mailbox size and quota in Exchange 2016/2019 and Exchange Online - Tue, May 17 2022
- Reset OneDrive synchronization - Thu, Feb 3 2022
- Exchange 2016/2019: Install and configure Emergency Mitigation Service - Wed, Nov 10 2021
One use case for a mixed Active Directory environment is a hybrid installation of Exchange. This requires the synchronization of accounts between on-prem and the cloud. For authentication, Microsoft offers a password hash synchronization option that can often replace the complex ADFS installation.
Hash synchronization with a specific AD attribute value ^
This article is about synchronizing the password hash of specific users or user groups with the Microsoft 365 cloud. We use attribute filtering for this purpose. In our example, we synchronize all users who have the value AAD in extensionAttribut3.
We will create two user-defined rules in the Synchronization Rules Editor. The first rule replicates users including the password hash, and the second replicates the ones without. We will also disable the default rule for the password hash because we won't need it anymore.
Before we configure the new rules, we will disable the password hash synchronization in the AAD Connector.
New rule based on copy of default rule ^
In the Synchronization Rules Editor, we now look up the default password synchronization rule.
Opening the default rule for password synchronization in the Rules Editor
We create a copy of this rule by selecting it and clicking Edit. We are then prompted to create a copy of this rule.
Create a copy of the default rule for password hash synchronization
Rule for synchronizing without hashes ^
First, we create the rule for syncing accounts without the password hash. A meaningful name should reflect its purpose so that it can later be found more easily for changes. You would also have to change the priority, for example to a value of 90. This is necessary because the rules we create should be executed prior to the default rules, which start at priority 100.
The Enable Password Sync and Disabled checkboxes are not selected and should remain empty.
Create a rule for those accounts whose password hash should not be synchronized to the cloud
Under the Scoping filter, we now add another filter where we can use our extension attribute as a criterion.
The filter should ensure the value of extensionAttribute3 doesn't equal the string 'AAD'
That's all we have to change in this rule. The editor can now be closed with the Save button.
Rule for synchronizing the hashes ^
Following the same pattern, we now create the rule we need to synchronize the password hashes, but with some changes.
The priority is now 89, because this rule should run ahead of the rule we have just created. This time, we will also check the box for Enable Password Sync.
Create a rule for those accounts whose password hash should be synchronized to the cloud
In the Scoping filter dialog box, the NOTEQUAL operator becomes an EQUAL operator since the condition should now match if the value 'AAD' is contained in the attribute.
All accounts whose extensionAttribute3 contains the value 'AAD' are selected via the filter
This rule can now also be closed with Save. A notification will appear, telling you that a full sync will start during the next synchronization cycle. Just confirm it with OK.
Then you can start a full synchronization via PowerShell with the following command:
Start-ADSyncSyncCycle -PolicyType Initial
To start initial synchronization, use the Start ADSyncSyncCycle cmdlet
The process can now be monitored easily in the Synchronization Service Manager.
Monitor synchronization of password hashes in the Synchronization Service Manager
Finally, we reactivate the password hash synchronization via the AAD Connector. If a user were to change his or her password in the local domain, it could take up to five minutes to get it up to date in Microsoft 365.
The event viewer on the AAD Connect server helps troubleshooting in case error occur. Check the logs in the Application protocol and have a closer look at the events with ID 656 and 657.
To check password synchronization via PowerShell, you can use the Invoke-ADSyncDiagnostics cmdlet, which is included in AAD Connect starting from version 1.1.524.0:
Subscribe to 4sysops newsletter!
Invoke-ADSyncDiagnostics -PasswordSync
The Invoke ADSyncDiagnostics cmdlet is another tool for tracking down errors in synchronization
The complete troubleshooting description from Microsoft can be found here.
2 years ago
We use AD Connect configured with passthrough authentication for SSO and also sync the password hash solely for the purpose of breach detection. Passthrough Authentication and Password Hash Authentication are mutually exclusive so while the hashes are synchronized, they are not used for authentication purposes. We wanted to stay away from the complexities of ADFS as long as possible in our environment.
I just thought I would offer this up another alternative.