One use case for a mixed Active Directory environment is a hybrid installation of Exchange. This requires the synchronization of accounts between on-prem and the cloud. For authentication, Microsoft offers a password hash synchronization option that can often replace the complex ADFS installation.
Hash synchronization with a specific AD attribute value
This article is about synchronizing the password hash of specific users or user groups with the Microsoft 365 cloud. We use attribute filtering for this purpose. In our example, we synchronize the password hash only for users who have the value AAD in extensionAttribute3.
We will create two user-defined rules in the Synchronization Rules Editor. The first rule replicates users including the password hash, and the second replicates the ones without. We will also disable the default rule for the password hash because we won't need it anymore.
Before we configure the new rules, we will disable the password hash synchronization in the AAD Connector.
New rule based on copy of default rule
In the Synchronization Rules Editor, we now look up the default password synchronization rule.
We create a copy of this rule by selecting it and clicking Edit. We are then prompted to create a copy of this rule.
Rule for synchronizing without hashes
First, we create the rule for syncing accounts without the password hash. Give it a meaningful name that reflects its purpose, so that it can be found easily when changes are needed later. You also have to change the priority, for example to a value of 90. This is necessary because the rules we create must be executed before the default rules, which start at priority 100.
The Enable Password Sync and Disabled checkboxes are not selected and should remain empty.
Under the Scoping filter, we add another filter clause that uses our extension attribute as the criterion: extensionAttribute3 NOTEQUAL AAD, so that only accounts without the marker value fall into the scope of this rule.
That's all we have to change in this rule. The editor can now be closed with the Save button.
Rule for synchronizing the hashes
Following the same pattern, we now create the rule we need to synchronize the password hashes, but with some changes.
The priority is now 89, because this rule should run ahead of the rule we have just created. This time, we will also check the box for Enable Password Sync.
In the Scoping filter dialog box, the NOTEQUAL operator becomes an EQUAL operator since the condition should now match if the value 'AAD' is contained in the attribute.
This rule can now also be closed with Save. A notification will appear, telling you that a full sync will start during the next synchronization cycle. Just confirm it with OK.
Then you can start a full synchronization via PowerShell with the following command:
Start-ADSyncSyncCycle -PolicyType Initial
The process can now be monitored easily in the Synchronization Service Manager.
Finally, we reactivate the password hash synchronization via the AAD Connector. If a user were to change his or her password in the local domain, it could take up to five minutes to get it up to date in Microsoft 365.
The Event Viewer on the AAD Connect server helps with troubleshooting in case errors occur. Check the Application log and have a closer look at the events with ID 656 and 657.
To check password synchronization via PowerShell, you can use the Invoke-ADSyncDiagnostics cmdlet, which is included in AAD Connect starting from version 1.1.524.0:
Invoke-ADSyncDiagnostics -PasswordSync
The complete troubleshooting description from Microsoft can be found here.
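The following PowerShell script is an added example and not part of the original article. It pulls together the checks a practitioner would run after completing the steps above: it lists the custom rules and their precedence and password sync flags, prints the scoping filter of each custom rule so the EQUAL/NOTEQUAL operator can be verified, previews which AD users fall into each rule based on extensionAttribute3, and summarizes the most recent 656/657 password sync events. It assumes it runs on the AAD Connect server with the ADSync and ActiveDirectory modules available. The rule names are hypothetical and must be replaced with the names you chose; the property names used to walk the scoping filter (ScopeFilter, ScopeConditionList, Attribute, ComparisonOperator, ComparisonValue) follow the ones documented for New-ADSyncScopeCondition and are an assumption about the object model.

```powershell
# Verification script for the attribute-filtered password hash sync setup.
# Added example, not code from the article. Run on the AAD Connect server.
Import-Module ADSync
Import-Module ActiveDirectory

$Attribute   = 'extensionAttribute3'   # attribute used in both scoping filters (from the article)
$MarkerValue = 'AAD'                   # value that selects the hash-synced users (from the article)
# Hypothetical rule names; replace with the names you gave the two copied rules.
$RuleNames   = @('In from AD - User PHS (AAD)', 'In from AD - User no PHS')

# 1. Custom inbound rules ordered by precedence.
#    Expected: the no-hash rule at 90 with EnablePasswordSync = False,
#    the hash rule at 89 with EnablePasswordSync = True, and the
#    default password sync rule marked Disabled.
Write-Host '== Inbound rules at or above default priority =='
Get-ADSyncRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Precedence -le 100 } |
    Sort-Object Precedence |
    Select-Object Precedence, Name, EnablePasswordSync, Disabled |
    Format-Table -AutoSize

# 2. Scoping filter of each custom rule, so the operator can be checked:
#    the hash rule should read "extensionAttribute3 EQUAL AAD", the other NOTEQUAL.
#    Property names below are an assumption based on New-ADSyncScopeCondition.
foreach ($name in $RuleNames) {
    $rule = Get-ADSyncRule | Where-Object { $_.Name -eq $name }
    if (-not $rule) { Write-Warning "Rule '$name' not found; check the name."; continue }
    Write-Host "== Scoping filter for '$name' (precedence $($rule.Precedence)) =="
    foreach ($group in $rule.ScopeFilter) {
        foreach ($clause in $group.ScopeConditionList) {
            '  {0} {1} {2}' -f $clause.Attribute, $clause.ComparisonOperator, $clause.ComparisonValue
        }
    }
}

# 3. Preview which enabled AD users land in each rule. The LDAP translation of -ne
#    also matches users that have no value in the attribute at all, which is what
#    we want for the "no hash" rule.
$withHash    = Get-ADUser -Filter "Enabled -eq 'True' -and $Attribute -eq '$MarkerValue'" -Properties $Attribute
$withoutHash = Get-ADUser -Filter "Enabled -eq 'True' -and $Attribute -ne '$MarkerValue'" -Properties $Attribute
Write-Host ("== {0} users will sync with hash, {1} without ==" -f @($withHash).Count, @($withoutHash).Count)
$withHash | Select-Object SamAccountName, UserPrincipalName, $Attribute | Format-Table -AutoSize

# 4. Password sync events of the last hour (656 = change request sent, 657 = result).
Write-Host '== Password sync events (IDs 656/657, last hour) =='
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 656, 657; StartTime = (Get-Date).AddHours(-1) } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize
```

Run the script once after the initial full sync has finished in the Synchronization Service Manager and once more after a test user has changed their password; the user should appear in the "with hash" list and a matching pair of 656/657 events should follow within the five-minute window mentioned above.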
2 years ago
We use AD Connect configured with passthrough authentication for SSO and also sync the password hash solely for the purpose of breach detection. Passthrough Authentication and Password Hash Authentication are mutually exclusive, so while the hashes are synchronized, they are not used for authentication purposes. We wanted to stay away from the complexities of ADFS as long as possible in our environment.
I just thought I would offer this up as another alternative.