Forum Discussion
Enabling Managed Authentication - Password Hash Sync
Hi,
We're planning on enabling Azure Seamless SSO. Currently, we use ADFS on 2012 R2. We've enabled Password Hash Sync a few months ago and we've piloted a staged rollout for a small group of users. When moving from ADFS to PHS for authentication with our test users, we noticed a small behaviour change in our Citrix environment whereby users are prompted to enter their username for the first login post-change.
We want to migrate all users to PHS and are planning on running the following:
Set-MsolDomainAuthentication -Authentication Managed -DomainName contoso.com
Is there any downtime associated with this?
If there are problems is the change easy to roll back with the below?
Set-MsolDomainAuthentication -Authentication Federated -DomainName contoso.com
Thanks in advance
P
- First of all, sorry for the late response. I have been ill for a week.
1. I suggest you export all the passwordpolicies per user (the commend per user is available in the Microsoft docs link). You should be able to script this for all users with PowerShell. As soon as you have a CSV export, I would filter out the accounts that don't need a password expiration policy set (Service accounts, for example). When you have a new CSV file with all these filtered out. You should set the PasswordExpiration policy to None for the imported CSV file. Again, this should be scriptable via PowerShell.
2. Indeed, when you create a new user, you should initiate a password change on-premise and run an initial sync before the attribute changes. I would, in that case, always check the box that says, "User must change password at next logon."
Regarding your command that can't be set, I would suggest you contact Microsoft support. When running the command it shows you are warning "Unable to update the specified properties for on-premises mastered directory sync object or object currently undergoing migration." I have just run the command, and it was successfully configured. Good luck!
Regarding your suggestion, I would also love to see this attribute synced to Azure AD. Hopefully, in the future.
- BilalelHaddIron ContributorHi HungryMoo,
You shouldn't expect any downtime when changing the federation from ADFS as an Identity Provider to Azure AD with the mentioned method. But keep in mind (officially) it could take up to 24 hours before the change has been implemented. So I would recommend you implement this on the weekend.
Don't forget to change the User sign-in from Federation with AD FS to Azure AD Password Hash Synchronization, enable single sign-on within Azure AD Connect configuration, and besides this ensure that all the essential features you had before (logon hours, account lockout, password/account expiration, etc.) are configured/complied in Azure AD.
You could do a rollback with the mentioned command, but again, keep in mind that this change can take up to 24 hours. I have never experienced that it took 24 hours. It should change instantly.- HungryMooCopper Contributor
Hi,
Why do you recommend making the change over the weekend?
If a user is already logged in, then presumably they'll have a valid access token. If the change kicks in straight away, then users will be authenticated via PHS and if it doesn't kick in straight away, the user will be authenticated via ADFS.
- BilalelHaddIron ContributorHi HungryMoo,
Migrating during the weekend isn't mandatory. You could also migrate during work hours if downtime is permissible. The migration moment also relies on the company size. In case of a service-outage of rollback scenario, you always want to have some space without feeling rushed.
I have also published some blog posts about some features you manually need to activate when migrating from ADFS to Azure AD as an Identity Provider. Password expiration is one of them: https://www.bilalelhaddouchi.nl/index.php/2020/09/24/comply-your-ad-password-expiration-policy-with-azure-ad/
The blog post is just an example of one of the features you need to enable/configure.