Office 365 Authentication when AD Connect is offline

Mike Compton 1 Reputation point
2021-12-08T23:22:56.773+00:00

We have an Office365 tenant with Azure AD Free and AD Connect Synchronization services running. AD Connect has Password Hash Synchronization enabled. We've noticed that if the server running AD Connect is turned off, then users have issues authenticating to webmail or receiving updates on their phone, although some users continue to get updates. We have a planned power outage for the end of December. Is there a setting or change we need to implement so that they can continue to use webmail while our local datacenter is turned off?

The last time we had an outage (due to a flood), some users could still access email on their phone (mostly the iOS Mail app), but not all. As time progressed, more users had the issue.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

3 answers

  1. VipulSparsh-MSFT 16,311 Reputation points Microsoft Employee
    2021-12-09T06:11:04.627+00:00

    @Mike Compton Password Hash Sync allows users to sign in to cloud services irrespective of on-premise server status. If a user's password has been synced, it is set to never expire in the cloud, and the user should be able to use the cloud service even when the on-prem DC is down.

    Coming to your scenarios, there must have been other issues which might have caused the users to not be able to sign in.

    As a preventive measure, you can try suggesting that your users use the "Keep me signed in" box when signing in to the cloud services protected by Azure AD. This selection sets a session cookie that bypasses authentication for 180 days.

    Read more here : https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-password-hash-synchronization


  2. Mike Compton 1 Reputation point
    2021-12-09T15:58:16.403+00:00

    Thanks for the reply. Is there a way we can check to see if Azure is receiving the password hash? I know it is set up to send it with ADConnect. Would it make a difference if they use modern Auth vs basic Auth? Our datacenter isn't down often, but in the past we've had some people that could access their email and others that cannot.


  3. Andy David - MVP 157.8K Reputation points MVP Volunteer Moderator
    2021-12-09T18:53:38.14+00:00

    The Azure Audit logs will show what's being updated for a specific user, but I prefer to use the built-in AADConnect PHS troubleshooter:

    https://learn.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-password-hash-synchronization

    It's really important to be at the latest AADConnect version as well.

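One way to check, before a planned outage, whether password hashes are actually reaching Azure AD, using the troubleshooter mentioned in the last answer. This is an added example, not part of any post in the thread; it assumes an elevated PowerShell session on the Azure AD Connect server, and the 24-hour look-back window is an arbitrary choice.

```powershell
# Added example: pre-outage health check for Password Hash Sync (PHS).
# Assumption: run elevated on the server where Azure AD Connect is installed.
Import-Module ADSync

# 1. Is PHS enabled as a feature for the tenant?
$features = Get-ADSyncAADCompanyFeature
"PasswordHashSync feature enabled: $($features.PasswordHashSync)"

# 2. Is the sync scheduler enabled, and when does it run next?
$scheduler = Get-ADSyncScheduler
"Sync cycle enabled:     $($scheduler.SyncCycleEnabled)"
"Next sync cycle (UTC):  $($scheduler.NextSyncCycleStartTimeInUTC)"

# 3. Has the password sync agent been active recently?
#    Event 656 = password change request, 657 = password change result,
#    both written to the Application log by the sync service.
$since  = (Get-Date).AddHours(-24)   # assumed look-back window
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Directory Synchronization'
    Id           = 656, 657
    StartTime    = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No password sync events (656/657) since $since."
} else {
    # Count per event ID and show the most recent activity time.
    $events | Group-Object Id | Select-Object Name, Count
    $latest = $events | Sort-Object TimeCreated -Descending | Select-Object -First 1
    "Most recent password sync event: $($latest.TimeCreated)"
}

# 4. Run the built-in PHS troubleshooter for a full diagnosis.
#    It is interactive and can also check a single user object.
Import-Module ADSyncDiagnostics
Invoke-ADSyncDiagnostics -PasswordSync
```

If step 1 reports the feature as disabled or step 3 finds no recent events, users whose hashes never synced will have no cloud-side credential to authenticate against once the on-premises servers are powered off.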
