In Azure AD Connect version 188.8.131.52, Microsoft introduced the Selective Password Hash Synchronization feature.
Formerly, Azure AD Connect would apply Password Hash Synchronization to all objects in scope for synchronization. In Azure AD Connect version 184.108.40.206, and up, a subset of users can be specifically included or excluded to having their password hashes synchronized to Azure AD. This feature is known as selective password hash synchronization.
Five things you need to know
Selective Password Hash Synchronization sounds like a nice solution, but in reality, there are a couple of things you’ll want to know before deploying it to address your organizations’ needs:
Selective Password Hash Synchronization is available since Azure AD Connect v220.127.116.11
When your organization has been using Azure AD Connect in the past, you may or may not have enabled the Password Hash Synchronization option. In these previous versions, Password Hash Synchronization was an all or nothing setting: (hashes of) password hashes in Active Directory were synchronized to Azure AD for either all user objects in scope, or none of the user objects in scope.
You can only use the setting and configure the attribute for scoping the users for which password hash synchronization is either explicitly scoped, when all your Azure AD Connect installations run version 18.104.22.168, or above.
When a Staging Mode Azure AD Connect installation does not yet run version 22.214.171.124 or above, it will not respect the scoping. When you switch to this Staging Mode server, you might end up synchronizing (hashes of) password hashes in Active Directory for all user objects in scope.
Password Hash Synchronization is a prerequisite for Azure AD Domain Services
Password Hash Synchronization is a prerequisite for Azure AD Domain Services. When you enable Azure AD Domain Services, Azure AD Connect will start synchronizing the password hashes for user objects in scope, next to the hashes of password hashes. This way, the same passwords can be used within Azure AD Domain Services as on-premises.
Selective Password Hash Synchronization can play a role in limiting the number of password hashes synchronized, when the scope of objects needed in Azure AD Domain Services is used as a scoping mechanism.
However, as organizations lift and shift functionality from on-premises to Azure Infrastructure-as-a-Service and convert these from Active Directory on-premises to Azure AD Domain Services, eventually all user objects will need to have their password hashes synchronized.
A user object for which Selective Password Hash Synchronization prevents synchronization of the password hashes will not be usable with Azure AD Domain Services.
Selective Password Hash Synchronization has three distinct use cases for end-users
Password Hash Synchronization is managed to either one of the below settings in Azure AD Connect:
- Password Hash Synchronization is configured as the sign-in method on the Sign-in method page of the Azure AD Connect configuration wizard.
- Password Hash Synchronization is configured as an optional feature on the Optional Features page of the Azure AD Connect configuration wizard.
In the first case, you cannot use the Selective Password Hash Synchronization feature. In the second case, you can use Selective Password Hash Synchronization in two ways:
- You can use it in conjunction with the Staged Rollout feature to gradually synchronize password hashes for user objects you are converting from federation or pass-through authentication to the PHS sign-in method.
- You can use it in conjunction with converting DNS domain names from federated sign-in to PHS. Verified DNS domain names in Azure AD can be converted from federated domain to a managed domain. Per DNS domain name, corresponding to userPrincipalName suffixes when Alternate Login ID is not enabled, you can configure (hashes of) password hashes to by synchronized.
- You can use it to scope access to Azure AD Domain Services.
Eventually all user objects in scope would have (hashes of) their password hashes synchronized, so Selective Password Hash Synchronization would be postponing the inevitable.
(hashes of) password hashes or never synchronized for user objects that are not in scope for synchronization by Azure AD Connect.
Selective Password Hash Synchronization should not apply to privileged users, as Microsoft’s new recommendation is to use cloud-only privileged accounts, not synchronized privileged accounts.
Synchronized values don’t magically disappear
When you have already enabled Password Hash Synchronization for your users, don’t expect these previously synchronized values to magically disappear.
When your organization switches from a previously configured sign-in method to password hash synchronization, users may be confronted with passwords that are months or years old. The same scenario applies to re-enabling access to Azure AD Domain Services after Selective Password Hash Synchronization has been configured for specific users.