In version 1.0.6385.12 of the Windows Azure Directory Synchronization tool (DirSync for short), Microsoft introduced the ability for administrators to synchronize password hashes to Azure Active Directory. I’ve blogged about the DirSync tool in the past, when the 32-bit tool was deprecated, and today, with the Password Sync functionality, I feel I have good reason to blog about this tool again.
I’ve been talking to (potential) customers, colleagues and experts (the latter two groups overlap a little, luckily), and I have made the following list of topics to mention to CIOs and Identity / Active Directory admins when they claim Password Sync is the best feature in DirSync since sliced bread:
1. Password Sync is a one-way synchronization
DirSync’s Password Sync allows you to synchronize passwords from the on-premises Active Directory environment to the Azure Active Directory (AAD), allowing your colleagues to log on to AAD-enabled services (like Office 365), even when your on-premises Active Directory Domain Services and/or Active Directory Federation Services environment is unavailable.
DirSync’s Password Sync synchronizes password hashes to Azure Active Directory and overwrites the hashes stored there whenever a password is changed or reset on-premises. To avoid synchronization problems, the synchronized passwords in Azure Active Directory are set to never expire.
It’s true that DirSync’s Password Sync functionality remedies the Single Point of Failure that the internet connection represents. However, once you synchronize passwords to Azure Active Directory, Azure Active Directory effectively becomes the Identity Provider (IdP) for your colleagues.
While the on-premises Active Directory Domain Services and/or Active Directory Federation Services environment is unavailable, colleagues can still log on, and the passwords in Azure Active Directory don’t expire. Your on-premises password policies no longer apply to those logons, which creates scenarios for (distributed) Denial of Service attacks.
In this scenario it’s good to know that the Office 365 administrator can reset passwords in Azure Active Directory through PowerShell with Set-MsolUserPassword.
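As an added example (not code from the original post), a small PowerShell helper around the MSOnline cmdlets mentioned above. It checks that the account really is a DirSync-synchronized one before resetting its password in Azure Active Directory, and reminds the operator that the reset will be overwritten by the next on-premises change. The tenant credentials and the user principal name are placeholders.

```powershell
# Added example, not from the original post. Requires the MSOnline module
# (Connect-MsolService, Get-MsolUser, Set-MsolUserPassword).
Import-Module MSOnline
Connect-MsolService   # prompts for Azure AD / Office 365 admin credentials

function Reset-SyncedUserCloudPassword {
    param(
        [Parameter(Mandatory = $true)][string]$UserPrincipalName,
        [Parameter(Mandatory = $true)][string]$NewPassword
    )
    $user = Get-MsolUser -UserPrincipalName $UserPrincipalName

    # LastDirSyncTime is only populated for accounts that came in via DirSync;
    # cloud-only accounts should go through the normal Azure AD reset path.
    if ($null -eq $user.LastDirSyncTime) {
        Write-Warning "$UserPrincipalName is a cloud-only account, not a synced one."
        return
    }
    Write-Host ("Synced account, last DirSync: {0}; PasswordNeverExpires: {1}" -f
        $user.LastDirSyncTime, $user.PasswordNeverExpires)

    # Emergency reset in Azure AD while on-premises AD DS / AD FS is unavailable.
    # ForceChangePassword is left off on purpose: a password changed in the cloud
    # interfaces breaks the link with the on-premises password (see point 2).
    Set-MsolUserPassword -UserPrincipalName $UserPrincipalName `
                         -NewPassword $NewPassword `
                         -ForceChangePassword $false

    Write-Host "Cloud password reset for $UserPrincipalName."
    Write-Host "The next on-premises change or reset of this password will overwrite it via Password Sync;"
    Write-Host "log this reset so it can be reconciled once AD DS is available again."
}

# Example call: UPN is a placeholder, the temporary password is typed in rather than hard-coded.
Reset-SyncedUserCloudPassword -UserPrincipalName 'jdoe@example.com' `
                              -NewPassword (Read-Host 'Temporary password')
```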
2. Users will not be able to change their password online
Since DirSync’s Password Sync is a one-way synchronization, colleagues should not change their passwords in the interfaces of Azure Active Directory-enabled services. Technically they can, but doing so breaks the link between the on-premises and cloud passwords: the cloud password is only overwritten again when the password is changed on-premises or reset by an admin or helpdesk employee.
To work around this limitation, a web-accessible self-service password reset method might need to be made available to colleagues. Forefront Identity Manager is a product that delivers in this area, as is SysOp Tools’ Password Reset Pro.
3. Password changes do not apply immediately
Since DirSync’s Password Sync relies on synchronization, changes are not immediate. Changes to accounts and attributes are synchronized in a matter of hours. The synchronization service polls the on-premises Active Directory about every 2 minutes for password updates. Additionally, processor load (to create the hash), network lag (to transfer the hash), etc. might further delay the password synchronization.
It’s highly unlikely that you can help a colleague with a password reset on the telephone in one go.
4. Password Sync does not offer single sign-on
Although DirSync’s Password Sync gives colleagues a single set of credentials, it does not offer Single Sign-On (SSO). When a colleague accesses an Azure Active Directory-enabled service with Password Sync enabled, the colleague is still prompted for credentials.
Single Sign-On with Azure Active Directory-enabled services is only available when you combine DirSync with Active Directory Federation Services (ADFS).
5. Password Sync does not offer Multi-Factor Auth
Another thing you get when you use DirSync with Active Directory Federation Services (ADFS), and thus remain the Identity Provider (IdP) for your colleagues, is the ability to use multi-factor authentication (MFA).
Microsoft offers multi-factor authentication with the Active Authentication feature, but:
- The Active Authentication feature is only available for Azure Active Directory-only (or online-only) accounts, and thus cannot be used in the DirSync scenarios with either Password Sync or Active Directory Federation Services (ADFS).
- While Azure Active Directory (AAD) is free, Active Authentication is not.