password hash sync locked AD accounts

skip hofmann 46 Reputation points
2020-04-30T17:23:43.577+00:00

Hello all

Thinking about moving from ADFS auth to password hash sync, however I would like to get an understanding of how other companies are handling the below limitations of PHS?

1. locked onprem not respected in Azure
2. password is expired not respected in Azure
3. restricted logon hours not respected in Azure
4. password is expired not respected in Azure

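A check for the three on-prem conditions the question lists, added here as an example and not part of the original thread; it assumes the RSAT ActiveDirectory PowerShell module on a domain-joined host, and the report path is my own choice:

```powershell
# Added example (not from the original post): audit on-prem AD accounts whose
# lockout, password expiry or logon-hours restrictions are NOT enforced for
# cloud sign-ins under password hash sync. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# Report location is an assumption; change as needed.
$ReportPath = "$env:TEMP\phs-gap-report.csv"

# logonHours is a 21-byte mask; all bytes 0xFF (or a null attribute) means
# "always allowed", anything else is a restriction.
function Test-LogonHoursRestricted {
    param([byte[]]$LogonHours)
    if ($null -eq $LogonHours -or $LogonHours.Length -eq 0) { return $false }
    foreach ($b in $LogonHours) { if ($b -ne 0xFF) { return $true } }
    return $false
}

$findings = @()

# 1. Accounts currently locked out on-prem
Search-ADAccount -LockedOut -UsersOnly | ForEach-Object {
    $findings += [pscustomobject]@{ User = $_.SamAccountName; Condition = 'LockedOut' }
}

# 2. Accounts whose on-prem password has expired
Search-ADAccount -PasswordExpired -UsersOnly | ForEach-Object {
    $findings += [pscustomobject]@{ User = $_.SamAccountName; Condition = 'PasswordExpired' }
}

# 3. Enabled accounts with a logon-hours restriction
Get-ADUser -Filter 'Enabled -eq $true' -Properties logonHours |
    Where-Object { Test-LogonHoursRestricted -LogonHours $_.logonHours } |
    ForEach-Object {
        $findings += [pscustomobject]@{ User = $_.SamAccountName; Condition = 'LogonHoursRestricted' }
    }

$findings | Sort-Object User, Condition | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "Wrote $($findings.Count) finding(s) to $ReportPath"
```

Run it on a schedule and review the CSV: each row is an account the on-prem directory would refuse but a PHS-only cloud sign-in would still accept, so it is the set to watch or block in the cloud until an on-prem-aware method such as PTA is in place.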

2 answers

  1. Vasil Michev 95,181 Reputation points MVP
    2020-04-30T20:02:06.413+00:00

    Instead of PHS, enable PTA+SSO. Not only will it address all the above concerns, but it will give your users a seamless SSO experience similar to AD FS. https://learn.microsoft.com/en-us/azure/active-directory/hybrid/plan-migrate-adfs-pass-through-authentication


  2. skip hofmann 46 Reputation points
    2020-05-01T15:00:56.027+00:00

    I understand that, however I wanted to avoid all dependencies on onprem agents.
