25,081 questions
On-prem changes are handled by the on-prem domain controllers, then the hash is synced to Azure in that scenario
Password hash sync VS Pass through authentication
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(35.2, 18%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ4%3C/text%3E%3C/svg%3E)
JohnKings-4069
20
Reputation points
After reviewing some az500 exams questions I would to clarify once a password is reset from an on premise server using the password hash method does it initially go through on prem servers before syncing to Azure AD cloud or does this only apply with the pass through authentication.
Microsoft Security Microsoft Entra Microsoft Entra ID
Accepted answer
-
Andy David - MVP 157.4K Reputation points MVP Volunteer Moderator2023-02-20T21:03:57.2666667+00:00
2 additional answers
Sort by: Most helpful
-
TP 124.7K Reputation points Volunteer Moderator2023-02-20T21:05:28.41+00:00 Hi,
When you change Active Directory Domain Services password via an on premises workstation/server the change is made to on premises domain controller and then synced to Azure AD. This is true for both password hash sync and pass through authentication.
If the above is helpful please click Accept Answer.
Thanks.
-TP
-
JohnKings-4069 20 Reputation points
2023-02-21T00:34:37.02+00:00 So then to confirm this practice exam question below is outdated? I answered true but it was false, the explanation is below as well. The security department has requested that when configuring Single Sign On (SSO) for hybrid users that all user passwords are passed through the on-premises Active Directory domain controller for validation.
Solution: You configure Password Hash Sync and enable single sign on (SSO) with the ADConnect tool.
Does this solution meet the goal? True or False.. It's marked as false - False is correct as you will need to configure “Pass through Authentication” as this option allows user passwords to be passed through to the on-premises AD domain controller for validation. -
Andy David - MVP 157.4K Reputation points MVP Volunteer Moderator
2023-02-21T12:23:34.3633333+00:00 That is actually false and it refers to the authentication piece. All auth when using PHS will be in Azure, not on-prem. However, in the scenario of a user changing their password on-prem, then the on-prem DCs will handle that and the password hash will be synced to Azure. Hope that makes sense.
Sign in to comment -
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(3.2, 37%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECP%3C/text%3E%3C/svg%3E)
Chetan Prajapati 5 Reputation points2024-05-27T00:07:30.0033333+00:00 Simple logic would be,
- Pass-through authentication validates user passwords directly against the on-premises Active Directory, without using a synced password hash.
- Password hash synchronization synchronizes a hash of the hash of a user’s password from an on-premises Active Directory instance to Azure AD, using a more secure SHA256 password data