Azure AD SCIM Provisioning - How to sync passwords?

Question

Azure AD SCIM Provisioning - How to sync passwords?

Sriharsha J 21

Hi,

The question is a repeat of
https://social.msdn.microsoft.com/Forums/sqlserver/en-US/a3359bde-b08a-46f6-b5b0-ef4e50de663f/azure-ad-scim-provisioning-how-to-sync-passwords?forum=WindowsAzureAD

However, I have not seen a definitive answer to whether AD syncs the password thru SCIM. Sorry, 'AFAIK' is not definitive.
If not, what is the reasoning ? When other IDPs (say Okta) are allowing this, why not AD ?

Answer accepted by question author

0 additional answers

Your answer

Answer 1

Danny Zollner 10,821 Microsoft Employee Moderator

It is not possible to sync passwords out of AAD via SCIM provisioning. Passwords are stored in AAD using one-way hashing/salting and the original plaintext value cannot be retrieved. Best practice is to federate with the application in question via a standard such as SAML 2.0 or Open ID Connect/OAuth 2.0.

JamesTran-MSFT 37,231 Reputation points Microsoft Employee Moderator

2022-12-05T15:55:39.037+00:00

@Sriharsha J
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.

----------

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
Sriharsha J 21 Reputation points

2022-12-06T04:22:13.147+00:00

Thanks for the clarification Zollner.

I was wondering about the intent of non-support. Is it the security issue OR because of storing non-plaintext value ?
If it is due storing non-plaintext value, AD can send the salted+hashed value, salt and the hash function.
Danny Zollner 10,821 Reputation points Microsoft Employee Moderator

2022-12-06T21:21:39.543+00:00

It's both. There are massive security concerns there, even with just sharing a salted/hashed value, which I don't believe is possible either.

For what it's worth, there is interest in the SCIM working group to publish a modern security best practices document which would contain suggestions including not using the password attribute for most scenarios. Given general sentiment in the security community, I don't expect provisioning passwords (either plaintext or the hashed/salted value) to ever become possible.

Take note, this is different than initially seeding a random redacted/nondisclosed password into an application because the user cannot be created without a value being provided, which may be supported by some of our on-premises provisioning flows.

Share via

Azure AD SCIM Provisioning - How to sync passwords?

0 additional answers

Your answer