Staged rollout password hash sync

skip hofmann 46 Reputation points


I recently enabled this feature. Its not working at all. If from chrome if i go to the azure portal or the O365 portal, i get redirected back to my onprem ADFS environment. The procedure to enable staged rollout was simple, so i dont understand why this is not working as described? I also confirmed that passwords are syncing to azure AD from onprem. Is there anything i can check that could explain why this feature is not working ?

Azure Active Directory
Azure Active Directory
An Azure enterprise identity service that provides single sign-on and multi-factor authentication.
14,910 questions
0 comments No comments
{count} votes

4 answers

Sort by: Most helpful
  1. soumi-MSFT 11,651 Reputation points Microsoft Employee

    @skip hofmann , It would be hard to tell whether, its broken somewhere or not working because of any steps being missed while deploying it. It would be great if you can recheck the steps I am sharing below just to make sure we are configuring it correctly.

    Step 1: Make sure you have create a group with users in it and the users are not a part of any nested groups.

    Step 2: Nested Groups and Dynamic groups are not supported.

    Step 3: Users will experience the new signin experience only if there existing tokens are invalidated and their earlier sessions have expired. You can try testing it in the incognito mode/ inprivate browsing mode present in the browsers. You can also try revoking the tokens using Revoke-AzureADUserAllRefreshToken PowerShell cmdlet.

    Step 4: Make sure that the synced users with which you are testing are not Global Admins in the tenants. We recommend using non-privileged synced users.

    Step 5: You can only use maximum of 10 groups per feature i.e each for Password hash Sync and Pass Through Authentication

    Do let me know if these points are present in your test so that we can plan the next steps accordingly.

    If this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.

    0 comments No comments

  2. skip hofmann 46 Reputation points


    I get the following error when i run the command

    Revoke-AzureADUserAllRefreshToken : Error occurred while executing RevokeUserAllRefreshTokens
    Code: Request_BadRequest
    Message: An error occurred while processing the invalidating refresh tokens request.
    RequestId: f11c7fb1-38e5-425a-8cb3-dc26450f4562
    DateTimeStamp: Wed, 11 Mar 2020 14:44:57 GMT
    HttpStatusCode: BadRequest
    HttpStatusDescription: Bad Request
    HttpResponseStatus: Completed
    At line:1 char:1

    • Revoke-AzureADUserAllRefreshToken -ObjectId "79ba026c-1c52-4005-8292- ...
    • ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    • CategoryInfo : NotSpecified: (:) [Revoke-AzureADUserAllRefreshToken], ApiException
    • FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.RevokeU

  3. soumi-MSFT 11,651 Reputation points Microsoft Employee

    @skip hofmann , That's strange. I believe it would have to be worked on over a call to understand where the failure happening. I believe you had posted one more post today in Microsoft Q&A. It would be great if you can open a case with the support team so that they can take a look into the issue while on call with you.

    Do let us know if you have a valid Azure subscription and if you can open a case from that subscription. If not do let us know so that we can help in getting a one time free case created for you to help you fix this issue sooner.

    You can share the following information in an email and send it to azcommunity'at'microsoft'dot'com:

    • Tenant ID:
    • Azure Subscription ID:

    Once we have the following information, I would work upon creating the case for you.

    0 comments No comments

  4. skip hofmann 46 Reputation points

    I have already opened up a case . Case # is 120031124001687 Just waiting for a call back

    0 comments No comments