AADConnect password sync direction

    Question

  • Hi,

    Does AADConnect support bi-directional password sync (so from on-prem to Azure cloud and vice versa)?

    So if I change my password on-prem, AADConnect syncs the pwd to my Azure account?

    And if I change my password in Azure, AADConnect syncs the pwd back to my on-prem account?

    Assume that AADConnect is already setup and synchronising my on-prem identities with Azure.

    Cheers & Thanks

    SK

    Tuesday, July 3, 2018 21:51

All Replies

  • Hi,

    First of all, the password is never synced, it is a hash of a hash (and so on).

    AADC has a password hash sync from on-prem to AAD and also has a password writeback from the AAD SSPR form to on-prem.

    So in fact, if you reset your PW with AAD SSPR, your on-prem PW is reset and then synced back to AAD.

    See: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-writeback

    Password write-back does not depend on PW hash sync; you can also implement it with ADFS or PTA (pass-through auth) if you like.

    The PW writeback service on AADC opens some kind of outbound VPN which is used in reverse to send the PW back to on-prem and set it on the DC.

    /Peter


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    • Marked as Answer by Shim Kwan Tuesday, July 10, 2018 23:42
    Wednesday, July 4, 2018 08:14
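    The two one-way paths Peter describes (password hash sync on-prem to AAD, SSPR writeback AAD to on-prem) are separate features that can each be on or off, so it is worth confirming both on the AAD Connect server before assuming the "feels like two-way" behaviour. The audit script below is an added example, not code from the thread or from Microsoft; it assumes the ADSync PowerShell module that ships with AAD Connect and reads the `PasswordHashSync` and `PasswordWriteBack` flags from `Get-ADSyncAADCompanyFeature` and the scheduler state from `Get-ADSyncScheduler`.

```powershell
# Added example (not from the thread): report which password sync directions
# are actually enabled on an AAD Connect server. Run on the AAD Connect host
# as a member of the local ADSyncAdmins group.
Import-Module ADSync -ErrorAction Stop

function Get-PasswordSyncDirection {
    # Tenant-level feature flags as seen by this AAD Connect instance
    $features  = Get-ADSyncAADCompanyFeature
    $scheduler = Get-ADSyncScheduler

    # Assumption: property names PasswordHashSync / PasswordWriteBack as
    # exposed by Get-ADSyncAADCompanyFeature.
    $hashSyncOnPremToCloud = [bool]$features.PasswordHashSync
    $writebackCloudToOnPrem = [bool]$features.PasswordWriteBack

    $direction = switch ($true) {
        ($hashSyncOnPremToCloud -and $writebackCloudToOnPrem) { 'Effectively two-way (PHS + SSPR writeback)' }
        ($hashSyncOnPremToCloud)                              { 'One-way: on-prem -> AAD (PHS only)' }
        ($writebackCloudToOnPrem)                             { 'One-way: AAD -> on-prem (writeback only; ADFS/PTA style)' }
        default                                               { 'No password sync in either direction' }
    }

    [pscustomobject]@{
        PasswordHashSyncOnPremToCloud = $hashSyncOnPremToCloud
        SsprWritebackCloudToOnPrem    = $writebackCloudToOnPrem
        SyncCycleEnabled              = [bool]$scheduler.SyncCycleEnabled
        NextSyncCycleUtc              = $scheduler.NextSyncCycleStartTimeInUTC
        EffectiveDirection            = $direction
    }
}

$state = Get-PasswordSyncDirection
$state | Format-List

# A hash reset via SSPR only lands back in AAD after the next sync cycle,
# so flag a disabled scheduler as something to investigate.
if (-not $state.SyncCycleEnabled) {
    Write-Warning 'Sync scheduler is disabled: on-prem hash changes will not reach AAD until it is re-enabled.'
}
```

The `EffectiveDirection` value maps directly onto the cases discussed in the thread, including the ADFS/PTA deployment where writeback exists without hash sync.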
  • Thanks Peter, so just to be sure:

    Let's say I change my domain password from my domain joined workstation...AADConnect will sync the hash to Azure - correct?

    Later, I use Azure SSPR to reset my password...and AADConnect will once again write-back the hash to my on-prem AD account - correct?

    So effectively I can have bi-directional password hash sync now? (PCNS was always uni-directional, that's why I am double-checking AADConnect isn't)

    thank you



    • Edited by Shim Kwan Wednesday, July 4, 2018 22:10
    Wednesday, July 4, 2018 22:09
  • Hi,

    Yes, that's right, it feels like a two-way password (hash) sync.

    PCNS is not only uni-directional, it also can only sync the password when captured as clear text; that's why the PCNS exists. AADC can sync already present password hashes.

    /Peter


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    • Marked as Answer by Shim Kwan Tuesday, July 10, 2018 23:42
    Thursday, July 5, 2018 12:45
  • Thank you Peter
    Tuesday, July 10, 2018 23:42