Where can I validate the encryption used for passwords within Azure AD?

Jeffe 1 Reputation point
2020-07-10T15:00:12.513+00:00

I have an okay understanding of how passwords are stored and secured for on-prem Active Directory. However, how are they stored/encrypted for a fully cloud environment utilizing Azure Active Directory?


2 answers

  1. Vasil Michev 95,671 Reputation points MVP
    2020-07-10T15:42:04.027+00:00

  2. Danny Zollner 9,526 Reputation points Microsoft Employee
    2022-02-14T20:37:41.127+00:00

    Page 16 of https://aka.ms/aaddatawhitepaper

    Hash: Password Key Derivation Function 2 (PBKDF2), using HMAC SHA256 @ 1000 iterations

    For password hash sync, the on premises account password hash is salted and rehashed. Cloud account passwords are salted and hashed. The resulting one-way hash derived from this operation is encrypted at rest (see the "Secret encryption at rest" row of this table for details). It is important to note that only this derivative is stored in the cloud service.

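The scheme quoted in the answer above, as an added example that is not part of the thread and not Microsoft's code: salted PBKDF2 with HMAC-SHA256 at 1000 iterations, where only the salt and the one-way derivative are kept. The salt length, output length, record layout and sample inputs are assumptions, and the separate encryption-at-rest layer is not shown.

```python
import hashlib
import hmac
import os

ITERATIONS = 1000   # from the quoted whitepaper row
PRF = "sha256"      # HMAC-SHA256, from the quoted whitepaper row
SALT_LEN = 16       # assumption: the page does not give a salt length
DK_LEN = 32         # assumption: one SHA-256 block of output


def derive(secret: bytes, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 at 1000 iterations over the secret and a per-account salt."""
    return hashlib.pbkdf2_hmac(PRF, secret, salt, ITERATIONS, dklen=DK_LEN)


def new_record(secret: bytes) -> dict:
    """Build the stored record: a fresh random salt plus the derivative only."""
    salt = os.urandom(SALT_LEN)
    return {"salt": salt, "derivative": derive(secret, salt)}


def verify(candidate: bytes, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    recomputed = derive(candidate, record["salt"])
    return hmac.compare_digest(recomputed, record["derivative"])


# Cloud account: the input is the password itself (constructed sample value).
cloud = new_record("Constructed-Sample-Passw0rd".encode("utf-8"))

# Password hash sync: the input is the existing on-premises hash, which is
# salted and rehashed. A constructed 16-byte value stands in for that hash.
onprem_hash = bytes.fromhex("00112233445566778899aabbccddeeff")
synced = new_record(onprem_hash)

if __name__ == "__main__":
    print("cloud derivative :", cloud["derivative"].hex())
    print("synced derivative:", synced["derivative"].hex())
    print("synced verifies  :", verify(onprem_hash, synced))
```

Because each record gets its own random salt, two accounts with the same password or the same on-premises hash end up with different stored derivatives.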