AADConnect password sync direction

    Question

  • Hi,

    Does AADConnect support bi-directional password sync (so from on-prem to Azure cloud and vice versa)?

    So if I change my password on-prem, AADConnect syncs the pwd to my Azure account?

    And if I change my password in Azure, AADConnect syncs the pwd back to my on-prem account?

    Assume that AADConnect is already set up and synchronising my on-prem identities with Azure.

    Cheers & Thanks

    SK

    Tuesday, July 3, 2018 9:51 PM

All replies

  • Hi,

    first of all the password is never synced, it is a hash from a hash (and so on).

    AADC has a password hash sync from onPrem to AAD and also has a password writeback from AAD SSPR to on-Prem.

    So in fact, if you reset your PW with AAD SSPR, your onPrem PW is reset and then synced back to AAD.

    See: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-writeback

    Password write-back does not depend on PW hash sync; you can also implement it with ADFS or PTA (pass-through auth) if you like.

    PW writeback service on AADC opens some kind of outbound VPN which will be used in reverse to send the PW back to onPrem and set it on the DC.

    /Peter


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    • Marked as answer by Shim Kwan Tuesday, July 10, 2018 11:42 PM
    Wednesday, July 4, 2018 8:14 AM
  • Thanks Peter, so just to be sure:

    Let's say I change my domain password from my domain-joined workstation... AADConnect will sync the hash to Azure - correct?

    Later, I use Azure SSPR to reset my password...and AADConnect will once again write-back the hash to my on-prem AD account - correct?

    So effectively I can have bi-directional password hash sync now? (PCNS was always uni-directional, that's why I am double-checking AADConnect isn't)

    thank you



    • Edited by Shim Kwan Wednesday, July 4, 2018 10:10 PM
    Wednesday, July 4, 2018 10:09 PM
  • Hi,

    yes, that's right, it feels like a two-way password (hash) sync.

    PCNS is not only uni-directional, it also can only sync passwords when captured as clear text; that's why the PCNS exists. AADC can sync already present password hashes.

    /Peter


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    • Marked as answer by Shim Kwan Tuesday, July 10, 2018 11:42 PM
    Thursday, July 5, 2018 12:45 PM
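As an added example (not code from this thread, from Peter, or from Microsoft), here is how an administrator would confirm on the AAD Connect server which of the two one-way flows discussed above are actually enabled: password hash sync (on-prem to AAD) is reported by the ADSync module's Get-ADSyncAADPasswordSyncConfiguration for the AD connector, and SSPR password writeback (AAD to on-prem) by Get-ADSyncAADPasswordResetConfiguration for the AAD connector. The connector names are placeholders for your own forest and tenant, and the wrapper function and its output object are mine; the Enabled property is what those cmdlets report in the versions I have used, so treat the property name as an assumption if your build differs.

```powershell
# Added example: check the two password flows from the thread on the AAD Connect host.
# Run in an elevated PowerShell session on the AAD Connect server; the ADSync module
# ships with Azure AD Connect. Connector names are placeholders, not real tenant values.
Import-Module ADSync

function Get-PasswordFlowStatus {
    param(
        # On-prem AD connector; usually named after the forest (placeholder value)
        [string]$AdConnector  = 'contoso.local',
        # Azure AD connector; usually '<tenant>.onmicrosoft.com - AAD' (placeholder value)
        [string]$AadConnector = 'contoso.onmicrosoft.com - AAD'
    )

    # Direction 1: on-prem -> AAD. Password hash sync is configured per source (AD) connector.
    # What crosses the wire is a hash derived from the stored hash, never the password itself.
    $phs = Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $AdConnector

    # Direction 2: AAD -> on-prem. SSPR writeback is configured on the AAD connector and sets
    # the new password on a DC through the outbound connection the writeback service keeps open.
    $writeback = Get-ADSyncAADPasswordResetConfiguration -Connector $AadConnector

    [pscustomobject]@{
        PasswordHashSync_OnPremToAAD  = [bool]$phs.Enabled
        PasswordWriteback_AADToOnPrem = [bool]$writeback.Enabled
        # Both true is the "feels like two-way" state from the thread. It is still two
        # separate one-way mechanisms, which matters when you audit each one on its own.
        EffectivelyBidirectional      = ([bool]$phs.Enabled -and [bool]$writeback.Enabled)
    }
}

# Optional tenant-side cross-check with the MSOnline module (run Connect-MsolService first):
# the tenant's own view of whether password hash sync is turned on.
function Get-TenantPasswordSyncFlag {
    (Get-MsolCompanyInformation).PasswordSynchronizationEnabled
}

# Usage: list the connectors first to find the real names, then pass them in.
Get-ADSyncConnector | Select-Object Name
Get-PasswordFlowStatus -AdConnector 'contoso.local' -AadConnector 'contoso.onmicrosoft.com - AAD'
```

If PasswordHashSync_OnPremToAAD is true but PasswordWriteback_AADToOnPrem is false, an SSPR reset in Azure AD will not reach the on-prem account, which is the asymmetry the original question was trying to rule out; if you run ADFS or PTA without hash sync, only the second flag is expected to be true, matching Peter's point that writeback does not depend on hash sync.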
  • Thank you Peter
    Tuesday, July 10, 2018 11:42 PM