Forum Discussion
Solved
Enabling Managed Authentication - Password Hash Sync
Hi, We're planning on enabling Azure Seamless SSO. Currently, we use ADFS on 2012 R2. We've enabled Password Hash Sync a few months ago and we've piloted a staged rollout for a small group of users....
- First of all, sorry for the late response. I have been ill for a week.
1. I suggest you export all the passwordpolicies per user (the commend per user is available in the Microsoft docs link). You should be able to script this for all users with PowerShell. As soon as you have a CSV export, I would filter out the accounts that don't need a password expiration policy set (Service accounts, for example). When you have a new CSV file with all these filtered out. You should set the PasswordExpiration policy to None for the imported CSV file. Again, this should be scriptable via PowerShell.
2. Indeed, when you create a new user, you should initiate a password change on-premise and run an initial sync before the attribute changes. I would, in that case, always check the box that says, "User must change password at next logon."
Regarding your command that can't be set, I would suggest you contact Microsoft support. When running the command it shows you are warning "Unable to update the specified properties for on-premises mastered directory sync object or object currently undergoing migration." I have just run the command, and it was successfully configured. Good luck!
Regarding your suggestion, I would also love to see this attribute synced to Azure AD. Hopefully, in the future.
First of all, sorry for the late response. I have been ill for a week.
1. I suggest you export all the passwordpolicies per user (the commend per user is available in the Microsoft docs link). You should be able to script this for all users with PowerShell. As soon as you have a CSV export, I would filter out the accounts that don't need a password expiration policy set (Service accounts, for example). When you have a new CSV file with all these filtered out. You should set the PasswordExpiration policy to None for the imported CSV file. Again, this should be scriptable via PowerShell.
2. Indeed, when you create a new user, you should initiate a password change on-premise and run an initial sync before the attribute changes. I would, in that case, always check the box that says, "User must change password at next logon."
Regarding your command that can't be set, I would suggest you contact Microsoft support. When running the command it shows you are warning "Unable to update the specified properties for on-premises mastered directory sync object or object currently undergoing migration." I have just run the command, and it was successfully configured. Good luck!
Regarding your suggestion, I would also love to see this attribute synced to Azure AD. Hopefully, in the future.
1. I suggest you export all the passwordpolicies per user (the commend per user is available in the Microsoft docs link). You should be able to script this for all users with PowerShell. As soon as you have a CSV export, I would filter out the accounts that don't need a password expiration policy set (Service accounts, for example). When you have a new CSV file with all these filtered out. You should set the PasswordExpiration policy to None for the imported CSV file. Again, this should be scriptable via PowerShell.
2. Indeed, when you create a new user, you should initiate a password change on-premise and run an initial sync before the attribute changes. I would, in that case, always check the box that says, "User must change password at next logon."
Regarding your command that can't be set, I would suggest you contact Microsoft support. When running the command it shows you are warning "Unable to update the specified properties for on-premises mastered directory sync object or object currently undergoing migration." I have just run the command, and it was successfully configured. Good luck!
Regarding your suggestion, I would also love to see this attribute synced to Azure AD. Hopefully, in the future.
Hi BilalelHadd,
Thanks for the reply.. I heard back from Microsoft - the PowerShell script isn't working as we need to unfederate the domain first.
We're looking to implement a script which monitors for password changes on a daily basis and then update the Azure AD user object with the appropriate password policy.
Thanks
Thanks for the reply.. I heard back from Microsoft - the PowerShell script isn't working as we need to unfederate the domain first.
We're looking to implement a script which monitors for password changes on a daily basis and then update the Azure AD user object with the appropriate password policy.
Thanks