Forum Discussion
AJ Kertis
Nov 19, 2019 (Copper Contributor)
Azure AD Windows 10 and Azure AD Connect
So we sync our AD w/ Azure AD Connect and I have Password Hash Sync enabled. I can't seem to log in to any Windows 10 Azure AD joined computers with accounts that are synced. I was able to create a cl...
AJ Kertis
Dec 03, 2019 (Copper Contributor)
Tommek I was under the impression that the hash sync fixed this so the password hash was in the cloud. Is this not the case? We have that enabled with Azure AD Connect. Also, I want to log in through Azure AD because I will have some Azure VMs joined to Azure AD. I can't seem to find a straight answer on whether the password hash sync will allow the password to be the same in the cloud as in on-prem AD.
Kelvin Papp
Dec 08, 2019 (Copper Contributor)
To hopefully clarify your understanding here, synchronising your passwords is advantageous, but doesn’t work in quite the way (I think) you are implying...
Having a copy of the password hash in the cloud when you have ADFS enables two things:
- Leaked Credential Protection
- The option to disable federation in case of ADFS failure so that users can continue to authenticate with the same username / password combination (albeit without SSO, and without delegation to your on-premises environment)
As long as federation is enabled for your domain, authentication will be directed to your ADFS servers - irrespective of the resource you are signing on to. PHS doesn’t result in some auth requests being processed in cloud, and some on-prem. My reading of your reply suggests you think this is the case?
Kelvin
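As an added example (not part of this thread), a PowerShell check using the MSOnline module that lists which verified domains are federated versus managed and whether PHS is enabled, so the routing described above can be confirmed against a tenant; it assumes an existing Connect-MsolService session.

```powershell
# Added example, not from the thread. Assumes the MSOnline module is installed
# and Connect-MsolService has already been run.
$company = Get-MsolCompanyInformation
Write-Host ("Directory sync enabled : {0}" -f $company.DirectorySynchronizationEnabled)
Write-Host ("Password hash sync on  : {0}" -f $company.PasswordSynchronizationEnabled)
Write-Host ("Last password sync     : {0}" -f $company.LastPasswordSyncTime)

foreach ($domain in Get-MsolDomain | Where-Object { $_.Status -eq 'Verified' }) {
    if ($domain.Authentication -eq 'Federated') {
        # Sign-ins for users in this domain are redirected to the IdP below,
        # regardless of PHS and regardless of the resource being accessed.
        $fed = Get-MsolDomainFederationSettings -DomainName $domain.Name
        Write-Host ("{0}: FEDERATED -> {1}" -f $domain.Name, $fed.PassiveLogOnUri)
    }
    else {
        # Managed domain: the synced hash in Azure AD is what validates the password.
        Write-Host ("{0}: MANAGED (cloud authentication)" -f $domain.Name)
    }
}
```

If every user domain shows FEDERATED, a synced hash alone will not change where sign-ins are processed until federation is disabled for that domain.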