If organizations do not want to transfer their password hashes to the cloud in a hybrid AD configuration, they can use ADFS for authentication. A compromise with less overhead would be to sync the passwords only of selected users with AAD Connect.

One use case for a mixed Active Directory environment is a hybrid installation of Exchange. This requires the synchronization of accounts between on-prem and the cloud. For authentication, Microsoft offers a password hash synchronization option that can often replace the complex ADFS installation.

Hash synchronization with a specific AD attribute value

This article is about synchronizing the password hash of specific users or user groups with the Microsoft 365 cloud. We use attribute filtering for this purpose. In our example, we synchronize all users who have the value AAD in extensionAttribute3.

We will create two user-defined rules in the Synchronization Rules Editor. The first rule replicates users including the password hash, and the second replicates the ones without. We will also disable the default rule for the password hash because we won't need it anymore.

Before we configure the new rules, we will disable the password hash synchronization in the AAD Connector.

New rule based on copy of default rule

In the Synchronization Rules Editor, we now look up the default password synchronization rule.

Opening the default rule for password synchronization in the Rules Editor

We create a copy of this rule by selecting it and clicking Edit. We are then prompted to create a copy of this rule.

Create a copy of the default rule for password hash synchronization

Rule for synchronizing without hashes

First, we create the rule for syncing accounts without the password hash. A meaningful name should reflect its purpose so that it can later be found more easily for changes. You would also have to change the priority, for example to a value of 90. This is necessary because the rules we create should be executed prior to the default rules, which start at priority 100.

The Enable Password Sync and Disabled checkboxes are not selected and should remain empty.

Create a rule for those accounts whose password hash should not be synchronized to the cloud

Under the Scoping filter, we now add another filter where we can use our extension attribute as a criterion.

The filter should ensure the value of extensionAttribute3 doesn't equal the string 'AAD'

That's all we have to change in this rule. The editor can now be closed with the Save button.

Rule for synchronizing the hashes

Following the same pattern, we now create the rule we need to synchronize the password hashes, but with some changes.

The priority is now 89, because this rule should run ahead of the rule we have just created. This time, we will also check the box for Enable Password Sync.

Create a rule for those accounts whose password hash should be synchronized to the cloud

In the Scoping filter dialog box, the NOTEQUAL operator becomes an EQUAL operator since the condition should now match if the value 'AAD' is contained in the attribute.

All accounts whose extensionAttribute3 contains the value 'AAD' are selected via the filter

This rule can now also be closed with Save. A notification will appear, telling you that a full sync will start during the next synchronization cycle. Just confirm it with OK.

Then you can start a full synchronization via PowerShell with the following command:

Start-ADSyncSyncCycle -PolicyType Initial

To start initial synchronization, use the Start-ADSyncSyncCycle cmdlet
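The following PowerShell script is an added example, not part of the original article: it tags the members of a group with the scoping value the two rules look for, checks that the custom rules have the expected precedence and password sync setting, and then starts the full sync. The group name AAD-PasswordSync is a hypothetical placeholder; the ADSync cmdlets must be run on the AAD Connect server.

```powershell
# Added example (not from the article). Assumptions: the group name is a
# placeholder; the scoping value 'AAD' in extensionAttribute3 matches the
# filters configured in the two custom rules described above.
Import-Module ActiveDirectory
Import-Module ADSync   # ships with AAD Connect; run this on the Connect server

$scopeGroup = 'AAD-PasswordSync'   # hypothetical group of users whose hashes may sync
$scopeValue = 'AAD'                # value both scoping filters test for

# 1. Stamp extensionAttribute3 on every user member of the group ...
$members = Get-ADGroupMember -Identity $scopeGroup -Recursive |
           Where-Object { $_.objectClass -eq 'user' } |
           Get-ADUser -Properties extensionAttribute3
foreach ($u in $members) {
    if ($u.extensionAttribute3 -ne $scopeValue) {
        Set-ADUser -Identity $u -Replace @{ extensionAttribute3 = $scopeValue }
    }
}
# ... and clear it on users who still carry the value but left the group,
# so their hash stops being synchronized at the next cycle.
$memberDNs = @($members | ForEach-Object { $_.DistinguishedName })
Get-ADUser -Filter "extensionAttribute3 -eq '$scopeValue'" |
    Where-Object { $_.DistinguishedName -notin $memberDNs } |
    ForEach-Object { Set-ADUser -Identity $_ -Clear extensionAttribute3 }

# 2. Sanity-check the custom rules: both sit below the default precedence
#    of 100, and only the one at 89 may have password sync enabled.
$custom = Get-ADSyncRule |
          Where-Object { $_.Precedence -lt 100 -and -not $_.Disabled } |
          Sort-Object Precedence
$custom | Select-Object Name, Precedence, EnablePasswordSync | Format-Table -AutoSize
$hashRule = $custom | Where-Object { $_.EnablePasswordSync }
if (-not $hashRule -or $hashRule.Precedence -ne 89) {
    throw 'Expected exactly one password-sync rule with precedence 89; check the Rules Editor.'
}
if ($custom | Where-Object { -not $_.EnablePasswordSync -and $_.Precedence -ne 90 }) {
    Write-Warning 'A custom rule without password sync does not use precedence 90.'
}

# 3. Kick off the full sync and show the scheduler state while it runs.
Start-ADSyncSyncCycle -PolicyType Initial
Get-ADSyncScheduler | Select-Object SyncCycleInProgress, NextSyncCycleStartTimeInUTC
```

Run the script again whenever group membership changes; the attribute, not the group, is what the scoping filters evaluate, so the two must be kept in step.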

The process can now be monitored easily in the Synchronization Service Manager.

Monitor synchronization of password hashes in the Synchronization Service Manager

Finally, we reactivate the password hash synchronization via the AAD Connector. If a user changes their password in the on-premises domain, it can take up to five minutes before the change reaches Microsoft 365.

The Event Viewer on the AAD Connect server helps with troubleshooting in case errors occur. Check the Application log and have a closer look at the events with ID 656 and 657.

To check password synchronization via PowerShell, you can use the Invoke-ADSyncDiagnostics cmdlet, which is included in AAD Connect starting from version 1.1.524.0:

Invoke-ADSyncDiagnostics -PasswordSync

The Invoke-ADSyncDiagnostics cmdlet is another tool for tracking down errors in synchronization

The complete troubleshooting description from Microsoft can be found here.

1 Comment
  1. We use AD Connect configured with passthrough authentication for SSO and also sync the password hash solely for the purpose of breach detection.  Passthrough Authentication and Password Hash Authentication are mutually exclusive so while the hashes are synchronized, they are not used for authentication purposes.  We wanted to stay away from the complexities of ADFS as long as possible in our environment.

    I just thought I would offer this up another alternative.
