password hash sync locked AD accounts

skip hofmann 46 Reputation points
2020-04-30T17:23:43.577+00:00

Hello all

Thinking about moving from ADFS auth to password hash sync; however, I would like to get an understanding of how other companies are handling the below limitations of PHS:

1. Locked on-prem not respected in Azure
2. Password is expired not respected in Azure
3. Restricted logon hours not respected in Azure
4. Password is expired not respected in Azure
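The three states the question lists (lockout, expired password, logon-hour restrictions) live only in on-prem AD and are not carried across by password hash sync, so an administrator who chooses PHS needs a way to see which enabled users are currently in one of those states and could still sign in to cloud apps. The following PowerShell report is an added example, not code from the thread or from Microsoft; it assumes the RSAT ActiveDirectory module on a domain-joined machine, and the function names `Get-PhsUnenforcedAccountState` and `Test-LogonHoursRestricted` are my own. It only reports; it does not change anything in AD or Azure AD.

```powershell
# Added example (not from the thread): inventory the on-prem account states that
# password hash sync does not carry into Azure AD, so an admin can see which
# enabled users would still be able to sign in to cloud apps despite an on-prem
# lockout, expired password or logon-hour restriction.
# Assumes the RSAT ActiveDirectory module and a domain-joined session.
Import-Module ActiveDirectory

function Test-LogonHoursRestricted {
    param([byte[]]$LogonHours)
    # Assumption: a missing logonHours attribute, or one with all 168 bits set,
    # means the account has no logon-hour restriction. Any cleared bit means
    # some hour of the week is blocked on-prem.
    if ($null -eq $LogonHours -or $LogonHours.Count -eq 0) { return $false }
    foreach ($b in $LogonHours) { if ($b -ne 0xFF) { return $true } }
    return $false
}

function Get-PhsUnenforcedAccountState {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    # Accounts currently locked out on-prem (lockoutTime set).
    $lockedOut = Search-ADAccount -LockedOut -UsersOnly -SearchBase $SearchBase |
        Select-Object -ExpandProperty SamAccountName
    # Accounts whose password has passed its maximum age on-prem.
    $expired = Search-ADAccount -PasswordExpired -UsersOnly -SearchBase $SearchBase |
        Select-Object -ExpandProperty SamAccountName

    # Disabled accounts are skipped: the disabled flag itself does sync, so the
    # states of interest are only those on enabled users.
    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
        -Properties UserPrincipalName, logonHours |
      ForEach-Object {
        $reasons = @()
        if ($lockedOut -contains $_.SamAccountName) { $reasons += 'LockedOut' }
        if ($expired   -contains $_.SamAccountName) { $reasons += 'PasswordExpired' }
        if (Test-LogonHoursRestricted $_.logonHours) { $reasons += 'LogonHoursRestricted' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                SamAccountName    = $_.SamAccountName
                UserPrincipalName = $_.UserPrincipalName   # key for matching the cloud object
                NotEnforcedInAAD  = ($reasons -join ',')
            }
        }
      }
}

# Usage: list the affected users, grouped by the state PHS does not enforce.
Get-PhsUnenforcedAccountState | Sort-Object NotEnforcedInAAD | Format-Table -AutoSize
```

The UPN column is the join key to the synchronised cloud object, so the output can be fed to whatever cloud-side control (a Conditional Access review, a manual disable, or a session revocation) the organisation decides to pair with PHS; the script deliberately stops at reporting so that the compensating action stays an explicit administrative decision.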


2 answers

  1. Vasil Michev 71,216 Reputation points MVP
    2020-04-30T20:02:06.413+00:00

    Instead of PHS, enable PTA+SSO. Not only will it address all the above concerns, but it will give your users a seamless SSO experience similar to AD FS. https://learn.microsoft.com/en-us/azure/active-directory/hybrid/plan-migrate-adfs-pass-through-authentication


  2. skip hofmann 46 Reputation points
    2020-05-01T15:00:56.027+00:00

    I understand that; however, I wanted to avoid all dependencies on on-prem agents.
