DirSync: Password Sync Frequently Asked Questions

DirSync: Password Sync Frequently Asked Questions

For feedback, click here



Good starter resources for Password Sync

To start, here are a couple resources that may help you understand and deploy Password Sync:

  1. How do I set up DirSync?
  2. DirSync: How To Switch From Single Sign-On To Password Sync

↑ Back to top


Does this feature work for both Office 365 and Windows Azure Active Directory?

Yes. This feature works for both Office 365 and Windows Azure Active Directory.

↑ Back to top


What are the differences/similarities between Office 365 and Azure AD? Do I need to set up DirSync and Password Sync for both?

This is a great question.  We sometimes refer to Office 365, and other times refer to Windows Azure Active Directory (or just Azure AD).  So what's the difference?

Windows Azure Active Directory (Azure AD) is the directory behind Office 365.  Just like your on-premises Active Directory stores the information for Exchange, SharePoint, Lync and your custom LOB Apps, Azure AD stores the information for Exchange Online, SharePoint Online, Lync Online and any custom applications you build in our cloud!

So when you set up DirSync for your Office 365 tenant, you've actually set up DirSync with your Azure AD tenant. And because Office 365 is built on Azure AD, Office 365 (and all our other Online Services such as InTune, CRM Online, etc.) benefit from this setup. The same holds true for Password Sync and ADFS.

↑ Back to top


Is this feature just PCNS integrated into DirSync?

No. This new Password Sync feature is not based on PCNS. PCNS relies on the deployment of Password Filters on all of your Domain Controllers to intercept password change events.  This new Password Sync feature integrates directly with Active Directory and retrieves updated passwords in the form of a password hash.  This password hash is subsequently re-hashed before we sync it to Windows Azure Active Directory.

↑ Back to top


Are my user passwords safe?  How secure is this new Password Sync? 

Yes. The information we retrieve from Active Directory aren't your users actual plaintext passwords - they're hashes of those passwords.  Hashes are mathematical functions that are nearly impossible to crack.  The hashes that we retrieve from AD cannot be used to gain access to any of your on-premises resources (Active Directory won't accept the password hash as a means to log a user in).

Here are some additional details to help you feel comfortable with the security of Password Sync:

  • we never see your plaintext password during the sync process.  Ever.  We only retrieve the hash of the user password from Active Directory. 
  • we re-hash the hash of the user password using a SHA256 algorithm before transport to Azure Active Directory Authentication Service
  • transport of the digest (re-hash of the AD password hash) is done over an encrypted SSL session
  • we store the digest in our system

↑ Back to top


Can I control which passwords synchronize to the cloud?

There are two parts to the answer:

  1. We only synchronize passwords for those user objects that are DirSync'ing.

    See Configure filtering for directory synchronization for more information on how you can configure filtering for DirSync.
  2. You cannot specify additional filters to (1) above to control which users have their passwords synchronized to the cloud.

↑ Back to top


How can I trigger a full password sync?

A full Password Sync, and a full Directory Sync are two distinct activities.  A full password sync will synchronize password hashes for all DirSync'ing users.  A full Directory Sync does not trigger a full password sync.  By default, the only activity that will trigger a full password sync is completing the Windows Azure Active Directory Sync tool Configuration Wizard.


You must have Directory Sync tool version 6438.0003 or greater installed in order to perform the process below.


To trigger a full password sync, perform the following steps:

  1. Open PowerShell, and then type Import-Module DirSync
  2. Type Set-FullPasswordSync, and then press Enter
  3. Load Services.msc
  4. Restart the Forefront Identity Manager Synchronization Service Service.

Once this is complete, you should see a series of EventId=656 (Password Sync Requests) and EventId=657 (Password Sync Results) indicating that your full password sync has kicked off.

↑ Back to top


Can I use Password Sync and Single Sign-On at the same time?

This depends on what you mean by "at the same time".  You can synchronize passwords for a user that is currently federated.
However, their login will still happen against your on-premises STS (ADFS or 3rd party STS).
If your on-premises STS becomes unavailable, you may temporarily switch to enable your users to sign-in with sync'd passwords.
The process for accomplishing this can be found in this article.
You may have some set of namespaces / domains configured for Single Sign-On and also have enabled the Password Sync feature of DirSync.

↑ Back to top


Can I switch from using Single Sign-On/Federated Authentication to use Password Sync?

Yes. You can switch either individual users or else entire namespaces from Federated Authentication to Password Sync. 
You can also temporarily switch from SSO to use synchronized passwords if your on-premises STS becomes unavailable.
This allows you to resolve the issue then switch back to Federated logins.

Please see this wiki post for information on how this can be done: How To Switch From Single Sign-On To Password Sync.

↑ Back to top


How can I determine if Password Sync is enabled on an existing installation?

If Password Sync is enabled, you can watch it work by monitoring activity application log.  
Additionally, there is a script available here, which definitively states whether or not the feature is enabled.

↑ Back to top


See Also

↑ Back to top


Sort by: Published Date | Most Recent | Most Useful
  • We have just uninstalled and re-installed the new version of DirSync (10 Jun 2014) and the DirSyncConfigShell.psc1 is missing.

    As a workaround, goto C:\Program Files\Windows Azure Active Directory Sync\DirSync and run Import-Modules.ps1

    You will have to sort out the PS Execution Policy and run the PowerShell window in Administration Mode.

    Once this is done you will have access to the Set-FullPasswordSync

  • There is no need for a workaround.

    Just use Import-Module DirSync

  • What method/cmdlet/webService is used to send that hash to Azure AD?

  • Most examples for setting up on premise AD synchronization to Azure AD/Office 365 imply having your local domain set up first and then syncing them. What about having Office 365 up before having you on premise domain ready? I am faced with this now. Our users have Office 365, but we do not have a local domain.

  • Hi @JMCMPONCE, you are correct. All the examples for dirsync are based on the fact that you have an on-premise Active Directory. If you want to start with O365 without an AD, there is no need to have installed the synchronization tool. Office 365 offer you authentication for all your users, what is more, you can also attach a trial subscription of Azure, to have all the feature of Azure AD premium. Now later when you are ready, you can add the synchronization and then you will have 2 kind of users: federated and managed. Federated are the users synced and managed the ones you created in the cloud.

  • The synchronization schedule function has been redesigned since the release of Azure Active Directory Sync.

    Here is a post how to adjust the frequency of the sync schedule:


Page 1 of 1 (6 items)