How to configure Azure password hash sync for multiple on-premises AD non-routable domains

Gerald Ho 0 Reputation points
2023-02-16T18:34:32.6466667+00:00

Hello,

How do you configure Password Hash Sync (PHS) without an SSO requirement for multiple non-routable domains?

On-premises non-routable adomain.local to Azure AD Connect (@onmicrosoft.com) and on-premises non-routable bdomain.local with Azure AD Connect (@bdomain.onmicrosoft.com). Users' PHS via UPN syncs fine from adomain.local to Azure AD and from bdomain.local to Azure AD.

If I change userA's password in bdomain.local AD, the password does sync to Azure AD ******@bdomain.onmicrosoft.com, not to adomain.local ******@onmicrosoft.com. I do not see any sync errors in the Azure Active Directory admin center, AAD Connect, Azure AD Connect Health or Synchronization Service Manager. The PHS troubleshooter shows no errors.

--

Regards


2 answers

  1. Sandeep G-MSFT 20,906 Reputation points Microsoft Employee Moderator
    2023-02-27T02:47:54.4+00:00

    @Gerald Ho

    As per your explanation of your environment, you are trying to change the password of userA in the bdomain.local on-premises domain. Azure AD Connect is syncing users from bdomain.local to the bdomain.onmicrosoft.com Azure tenant.

    Now, once you change the userA password in bdomain.local, the corresponding password is updated for ******@bdomain.onmicrosoft.com. This is expected.

    I wanted to check whether you are trying to have the password synced to ******@onmicrosoft.com as well?

    Can you briefly describe what exactly you are expecting here?


  2. Sandeep G-MSFT 20,906 Reputation points Microsoft Employee Moderator
    2023-03-09T15:03:31.0566667+00:00

    @Gerald Ho

    As per our discussion on the phone, you have 2 different on-premises domains:

    Adomain.local and Bdomain.local.

    You have similar user accounts created in both on-premises tenants.

    Users are syncing from both on-premises domains to a single Azure AD tenant.

    userA@adomain.local is syncing as ******@adomain.com in Azure AD.

    And userA@bdomain.local is syncing as ******@bdomain.com in Azure AD.

    You have self-service password reset enabled in the tenant and also password writeback is enabled.

    Your requirement is that when ******@bdomain.com changes the password in Azure AD, you want the new password to be written back to the Adomain.local account.

    This will not happen, as the password will be written back to the same corresponding account on-premises. A password change on one account with the same password being written back to a different on-premises account would be a security issue.

    Let me know if you have any further questions.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

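As an added worked check (not part of the thread or Microsoft's answer), the script below shows which on-premises account each cloud account is anchored to, since that anchor is the only account PHS and password writeback will ever update. It assumes the RSAT ActiveDirectory and Microsoft.Graph.Users modules, the ADSync module on the Azure AD Connect server, the default objectGUID-derived source anchor (ms-DS-ConsistencyGuid seeded from objectGUID), and that "userA" and the cloud UPNs stand in for the masked names above.

```powershell
# Added example, not from the thread. Assumed modules: ActiveDirectory (RSAT),
# Microsoft.Graph.Users, and ADSync on the Azure AD Connect server.
Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes 'User.Read.All'

# Assumption: default source anchor, i.e. base64 of the on-premises objectGUID
# (ms-DS-ConsistencyGuid is seeded from objectGUID by Azure AD Connect).
function Get-ImmutableIdFromAd {
    param([string]$SamAccountName, [string]$Domain)
    $user = Get-ADUser -Identity $SamAccountName -Server $Domain
    [Convert]::ToBase64String($user.ObjectGUID.ToByteArray())
}

# "userA" is a placeholder for the masked account name in the thread.
$onPrem = @{
    'userA@adomain.local' = Get-ImmutableIdFromAd -SamAccountName 'userA' -Domain 'adomain.local'
    'userA@bdomain.local' = Get-ImmutableIdFromAd -SamAccountName 'userA' -Domain 'bdomain.local'
}

# Cloud UPNs are placeholders for the masked ******@adomain.com / ******@bdomain.com.
foreach ($cloudUpn in 'userA@adomain.com', 'userA@bdomain.com') {
    $cloud = Get-MgUser -UserId $cloudUpn `
        -Property UserPrincipalName, OnPremisesImmutableId, OnPremisesSyncEnabled
    $match = $onPrem.GetEnumerator() | Where-Object { $_.Value -eq $cloud.OnPremisesImmutableId }
    [pscustomobject]@{
        CloudUser        = $cloud.UserPrincipalName
        OnPremisesAnchor = $match.Key          # the one account PHS and writeback touch
        SyncEnabled      = $cloud.OnPremisesSyncEnabled
    }
}

# On the Azure AD Connect server: confirm PHS and password writeback are enabled.
Import-Module ADSync
Get-ADSyncAADCompanyFeature | Select-Object PasswordHashSync, PasswordWriteBack
```

Each cloud user should resolve to exactly one on-premises anchor; two cloud objects pointing at the same anchor, or a cloud object with no anchor, is the condition to investigate before expecting a password to land anywhere.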
