Azure AD Connect question - password sync

dirkdigs 921 Reputation points
2023-01-23T21:23:31.95+00:00

Hi, we are setting up Azure AD Connect. We already have users in the cloud. Is there a way I can force Azure AD Connect to keep the password set on the cloud side? (Or will it overwrite it with the password from on-premise AD?)

Is this option available?


3 answers

  1. Danny Zollner 10,801 Reputation points Microsoft Employee Moderator
    2023-01-23T21:40:37.7266667+00:00

    The on-premises password hashes will overwrite the cloud password hashes for any users synced via AAD Connect that are in-scope for Password Hash Sync.

    This documentation details how to enable selective password hash sync: https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-selective-password-hash-synchronization

    Depending on the number of users in each system, it may be a better option to force everyone to reset their on-premises passwords so that the authority can be fully turned over to on-premises AD without the management overhead of implementing the workaround feature in the documentation I linked.


  2. Thameur-BOURBITA 36,261 Reputation points Moderator
    2023-01-23T23:49:24.81+00:00

    Hi @dirkdigs

    It's recommended to keep password hash synchronization enabled for single sign-on (SSO) and to simplify password management.

    If you disable password hash synchronization, the user will have to manage two passwords and you will have to apply two password policies (one for Azure AD and one for on-premise AD).

    The user can change their password from the Azure portal if Azure AD self-service password reset and writeback are configured.
    For your information, the writeback feature forces AD Connect to sync the new password set from the Azure portal to the on-premise account.
    You can read the following link for more details:

    How it works: Azure AD self-service password reset

    If you keep password hash synchronization via AD Connect and configure Azure AD self-service password reset, the user will be able to reset their password from the Azure portal or their Windows desktop.

    Please don't forget to mark the helpful answer as accepted.

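A worked check for the two points above (answer 1's selective password hash sync, answer 2's password writeback), as an added example that is not part of the original thread or of Microsoft's documentation. It is meant to be run in an elevated PowerShell session on the Azure AD Connect server. The connector names, the OU, and the `adminDescription` value with a `PHSFiltered.` prefix are assumptions: the prefix follows the exclude scenario of the linked selective-PHS article, so verify it against the current page before relying on it, and substitute your own connector names and OU.

```powershell
# Added example (not from the thread). Assumed values are marked below.
Import-Module ADSync
Import-Module ActiveDirectory

$adConnector  = "contoso.local"                  # assumption: on-prem AD connector name
$aadConnector = "contoso.onmicrosoft.com - AAD"  # assumption: Azure AD connector name
$cloudFirstOu = "OU=CloudFirst,DC=contoso,DC=local"  # assumption: OU holding users created in the cloud first
$phsMarker    = "PHSFiltered.CloudPassword"      # assumption: prefix per the selective-PHS doc's exclude scenario

# 1. Is PHS on for this connector pair? If yes, every in-scope synced user's
#    cloud password is replaced by the on-prem hash at the next sync cycle.
Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector

# 2. Is password writeback (required for SSPR writeback) enabled on the tenant connector?
Get-ADSyncAADPasswordResetConfiguration -Connector $aadConnector

# 3. Tag the on-prem accounts whose cloud password must survive. The tag does
#    nothing by itself: it only takes effect once the custom inbound sync rule
#    from the linked article is in place and scoped on adminDescription.
$candidates = Get-ADUser -Filter * -SearchBase $cloudFirstOu -Properties adminDescription
foreach ($user in $candidates) {
    if ([string]::IsNullOrEmpty($user.adminDescription)) {
        Set-ADUser -Identity $user -Replace @{ adminDescription = $phsMarker }
    }
    else {
        # Do not silently overwrite a value another process owns; surface it for review.
        Write-Warning ("{0} already has adminDescription '{1}', skipping" -f $user.SamAccountName, $user.adminDescription)
    }
}

# 4. Review exactly which accounts carry the marker before any sync runs.
Get-ADUser -LDAPFilter "(adminDescription=PHSFiltered.*)" -Properties adminDescription |
    Select-Object SamAccountName, UserPrincipalName, adminDescription |
    Format-Table -AutoSize

# 5. Only after the custom sync rule exists and the list above is correct,
#    trigger a delta sync and watch the connector run for errors.
Start-ADSyncSyncCycle -PolicyType Delta
Get-ADSyncConnectorRunStatus
```

Two practitioner caveats: run steps 1 to 4 before the first full sync, because once a user's hash has been exported there is no way to get the cloud-only password back; and if `adminDescription` is already used by another tool in your forest, pick a different attribute in the sync rule rather than overwriting it.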

  3. Akshay-MSFT 17,951 Reputation points Microsoft Employee Moderator
    2023-01-27T17:11:20.05+00:00

    Hello @dirkdigs,

    As mentioned you already have users synced to Azure AD. You could follow Tutorial: Enable cloud sync self-service password reset writeback to an on-premises environment

    Azure Active Directory Connect cloud sync can synchronize Azure AD password changes in real time to users in a disconnected on-premises Active Directory Domain Services (AD DS) domain.

    Thanks,

    Akshay Kaushik

