Password Has Removal from Azure AD

RST 86

Hi Team,

If I disable PHS in AADC server, does it remove all the password hashes (already synched) from Azure AD or the hash still there even though not using it?

I am testing PHS with staged rollout and if I wanted to rollback, need to ensure hash also gets purged from AAD, and how do we validate its actually purged.

Thank in advance Team!

JamesTran-MSFT 36,376 Reputation points Microsoft Employee

2020-08-28T21:15:36.46+00:00

@RST
Thank you for your post!

When it comes to Password hash, the SHA256 password data stored in Azure AD--a hash of the original MD4 hash--is more secure than what is stored in Active Directory. Because this SHA256 hash cannot be decrypted, it cannot be brought back to the organization's Active Directory environment and presented as a valid user password in a pass-the-hash attack. Additionally, with PHS you get access to the Leaked Credentials service where user's credentials are checked against Azure AD users' current valid credentials to find valid matches.

For purging the hashes, is there a reason you're looking to verify this? Even when the SHA-256 hash that is stored can't be decrypted or used within your organizations Active Directory for authentication/authorization?

Thank you for your time.
Antonio Arias Sánchez 6 Reputation points

2023-05-19T08:57:12.1433333+00:00

Hello, I indeed have a reason to want to purge the stored hashes: after a tenant migration, I want the users to be unable to connect to old accounts and begin using the one in the new tenant.

So, is there a way to remove them?

Thanks a lot!

Accepted answer

Andy David - MVP 142.2K Reputation points MVP

2020-08-29T11:49:18.113+00:00

The only way would probably be to remove and purge any of the Azure Accounts you staged the roll-out with.
If that is not possible, then change their passwords after the rollback and it wont matter.

Regardless, I would not be concerned, honestly. Those hashes cant be used other than in Azure - for those accounts.

https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-password-hash-synchronization
Please sign in to rate this answer.

1 person found this answer helpful.

0 comments No comments
Sign in to comment

1 additional answer

RST 86 Reputation points

2020-09-01T11:45:42.653+00:00

Thank you JamesTran-MSFT & AndyDavid -I guess thats the only option as the hash can't be used furhters other than Azure AD.

Quick check though I have selected users in the staged roll out, the password synch applies to all the users defined in AADConnect scope, and their password hash will be reamin in Azure AD, is it
Please sign in to rate this answer.
Heiniger Thomas (Cloud Admin) 1 Reputation point

2021-06-12T09:51:11.19+00:00

We deployed PHS for dedicated Users in our Tenant, based on federated-Authentity and ADConnect.
After removing Users from PHS-Sync, Password-Remains in Azure, and we are still able to Signin.
Change the On-Prem Password has not effect, because the user is not anymore PHS-Enabled.
In this case, we found no way to destory the Azure-AD PHS, and it remains there.
We would like to know, how we can clear the PHS-Entry in Azure, to prevent login directly to Azure.
Sign in to comment