Forum Discussion
HungryMoo
Jan 14, 2022 - Copper Contributor
Enabling Managed Authentication - Password Hash Sync
Hi, We're planning on enabling Azure Seamless SSO. Currently, we use ADFS on 2012 R2. We've enabled Password Hash Sync a few months ago and we've piloted a staged rollout for a small group of users....
- Feb 01, 2022 - First of all, sorry for the late response. I have been ill for a week.
1. I suggest you export all the password policies per user (the command per user is available in the Microsoft docs link). You should be able to script this for all users with PowerShell. As soon as you have a CSV export, I would filter out the accounts that don't need a password expiration policy set (service accounts, for example). When you have a new CSV file with all these filtered out, you should set the PasswordExpiration policy to None for the imported CSV file. Again, this should be scriptable via PowerShell.
2. Indeed, when you create a new user, you should initiate a password change on-premise and run an initial sync before the attribute changes. I would, in that case, always check the box that says, "User must change password at next logon."
Regarding your command that can't be set, I would suggest you contact Microsoft support. When running the command, it shows you a warning: "Unable to update the specified properties for on-premises mastered directory sync object or object currently undergoing migration." I have just run the command, and it was successfully configured. Good luck!
Regarding your suggestion, I would also love to see this attribute synced to Azure AD. Hopefully, in the future.
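As an added example (not code from this thread or from the linked blog post), the three steps in point 1 as one PowerShell script: export each user's cloud PasswordPolicies value, drop the accounts that should keep non-expiring passwords, and set the rest to None. It assumes the AzureAD PowerShell module with an existing Connect-AzureAD session; the file paths and the "svc-*" service-account filter are placeholders you would replace with your own.

```powershell
# Added example, not the thread's or Microsoft's own script.
# Assumes: AzureAD module installed and Connect-AzureAD already run.
param(
    [string]$ExportPath   = '.\password-policies.csv',           # placeholder path
    [string]$FilteredPath = '.\password-policies-filtered.csv',  # placeholder path
    [switch]$Apply        # without -Apply the script only reports what it would change
)

# Step 1: export every user's current PasswordPolicies value to CSV.
Get-AzureADUser -All $true |
    Select-Object ObjectId, UserPrincipalName, DirSyncEnabled, PasswordPolicies |
    Export-Csv -Path $ExportPath -NoTypeInformation

# Step 2: filter out accounts that must keep a non-expiring password.
# Placeholder rule: UPNs starting with "svc-" are treated as service accounts.
# Review the filtered file by hand before running with -Apply.
Import-Csv -Path $ExportPath |
    Where-Object { $_.UserPrincipalName -notlike 'svc-*' } |
    Export-Csv -Path $FilteredPath -NoTypeInformation

# Step 3: set PasswordPolicies to None where expiration is currently disabled.
# Failures (for example the "on-premises mastered" warning quoted in the thread)
# are collected per user instead of aborting the whole run.
$changed = @()
$failed  = @()
foreach ($u in Import-Csv -Path $FilteredPath) {
    if ($u.PasswordPolicies -notlike '*DisablePasswordExpiration*') { continue }
    if ($Apply) {
        try {
            Set-AzureADUser -ObjectId $u.ObjectId -PasswordPolicies 'None' -ErrorAction Stop
            $changed += $u.UserPrincipalName
        } catch {
            $failed += "$($u.UserPrincipalName): $($_.Exception.Message)"
        }
    } else {
        $changed += $u.UserPrincipalName   # dry run: would be updated
    }
}

$mode = if ($Apply) { 'updated' } else { 'would be updated (re-run with -Apply)' }
Write-Output ("{0} user(s) {1}" -f $changed.Count, $mode)
$failed | ForEach-Object { Write-Warning $_ }
```

Run it once without -Apply and compare the count against the filtered CSV before applying, since the change is made per user and the dry-run list is the only checkpoint before Azure AD is modified.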
HungryMoo
Jan 19, 2022 - Copper Contributor
Hi,
Why do you recommend making the change over the weekend?
If a user is already logged in, then presumably they'll have a valid access token. If the change kicks in straight away, then users will be authenticated via PHS and if it doesn't kick in straight away, the user will be authenticated via ADFS.
BilalelHadd
Jan 19, 2022 - Iron Contributor
Hi HungryMoo,
Migrating during the weekend isn't mandatory. You could also migrate during work hours if downtime is permissible. The migration moment also relies on the company size. In case of a service-outage or rollback scenario, you always want to have some space without feeling rushed.
I have also published some blog posts about some features you manually need to activate when migrating from ADFS to Azure AD as an Identity Provider. Password expiration is one of them: https://www.bilalelhaddouchi.nl/index.php/2020/09/24/comply-your-ad-password-expiration-policy-with-azure-ad/
The blog post is just an example of one of the features you need to enable/configure.