Enabling password hash sync with empty passwords

Question

Enabling password hash sync with empty passwords

FP 0

Hello,

I took over an environment which was set up in a non-ideal way.

A small business unit within a big company was carved out and so was their IT environment.

It was clear there were multiple On-Prem systems and also accounts that need to be migrated.

Unfortunately, they set up a fully working Azure AD only environment first and users started working with the Azure AD environment.

Afterwards they copied all the needed on-Prem ressources (groups and users) from the old on-prem AD to a new on-Prem AD using a 3rd party tool. The password hash was not copied over, so all copied on prem users now have NO password.

Azure AD Connect was set up afterwards without password hash sync. All on-prem accounts are now synced with their Azure AD Counterpart. Only issue is that the Azure AD User has a PW that works fine and the on prem user has no password at all.

This prevents users from accessing on-prem server as those are joined to the new on-prem AD.

My question is:
How can I get this solved without a major impact on the current operation? My original plan was to enable pw writeback and set an expiration date of 5 days in AzureAD so that every users would change their PW within the next 5 days and this new PW would be written back to on-Prem.

I activated password writeback but this doesn't seem to work if Passwordhash sync or ADFS is not activated.

What happens to the Azure AD Usersaccounts if I enable password hash sync but all on-prem users do not have a password?

Thanks in advance for any input.

1 answer

Your answer

Answer 1

Michael Durkan 12,236 MVP

Hi

when you enable Password Hash Sync, Active Directory becomes your "source or truth", so any Active Directory passwords that exist for Soft-Matched users in Azure AD will replace any existing Azure AD passwords that are in use.

Password Writeback only works at the time of reset, so all existing passwords are not written back to on-premise AD.

It a tricky one - my advice (depending on the amount of users in the business unit) would be to look at a trial of an AD Self-Service Password Reset tool to allow the users to create new passwords prior to enabling PHS. You should also ensure that any AD Password policies are secure as these will carry forward into Azure AD.

Hope this helps, and good luck.

Thanks

Michael Durkan

If the reply was helpful please upvote and/or accept as answer as this helps others in the community with similar questions. Thanks!

FP 0 Reputation points

2023-02-24T14:53:47.7933333+00:00

Hi Michael,

thanks for your reply. I know that on-Prem passwords will replace Azure passwords as soon as PHS is activated.

I just wondered what happens if I activate it now since all on-Prems users have empty passwords.

I also enabled PW Writeback and tried to reset the PW for 2 Azure AD users but it wasn't written back to on-Prem.

I'm wondering why because everything seems to be set up correctly and I get no error messages at all.

I then read in some MS document that you need to have PHS or AD FS set up for writeback to work.

BR
Francesco
FP 0 Reputation points

2023-02-24T14:59:28.3966667+00:00

double post
Michael Durkan 12,236 Reputation points MVP

2023-02-25T20:35:44.96+00:00
Hi Francesco

I've been thinking about this, and the first question for me is around the empty AD passwords - do the users actually log on and access systems using these credentials? Are there any Domain Password Policies applied on AD, or do these users have the "Password Not Required" attribute set on their accounts?

You can get the list of all user accounts that do not require a password:

Get-ADUser -Filter {PasswordNotRequired -eq $true}

Then you can correct the accounts using:

Get-ADUser -Identity User1 | Set-ADUser -PasswordNotRequired $false

I don't believe that Azure AD will accept blank passwords and you will start seeing errors. What you could do to test this is to set up your PHS to only sync specific OU's in your AD.

https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-configure-filtering

The link below shows how Password Writeback works - its needs Password Hash Sync in order to function as the on-premises AD always remains your "source of truth" for password policies.

https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-writeback#how-password-writeback-works.

Thanks

Michael Durkan

If the reply was helpful please upvote and/or accept as answer as this helps others in the community with similar questions. Thanks!
FP 0 Reputation points

2023-02-27T10:25:16.57+00:00

Hi Michael, PasswordNotRequired is not true for any user in my AD. But the Passwords are still Empty.
Even though this would normally not work, with the on-prem AD Migration Tool that we used it worked.

I will probably just build a Test OU for now, put one of the users in it and enable PHS for this OU to see what happens.

Share via

Enabling password hash sync with empty passwords

1 answer

Your answer