Forum Discussion

underQualifried
Jun 25, 2025

Understanding Sign-In logs - password hash sync from another country?

G'day

Had a couple users show up today at risk - failed logins from the US, while we're in Canada. Users are not in the US, not using VPNs, logins are to Microsoft services (Office Home, One Outlook Web). The user agent is the axios client, the auth method is 'password in the cloud' - which as I understand it, means the password is being auth'd directly against Entra. However, one of them is Azure AD sync'd. The auth method on this is 'password hash sync' - as I understood it, this means the password is going to the DC first, then the resulting hash is being passed to the cloud. This is what we have on our Hybrid 1-way tenants.

But I don't really understand what's going on when I see a Password Hash Sync attempt, from another country. Is that random person passing a (wrong) password to my closed-off server? Or... is it just that the hash that Entra has to authenticate with, is from the DC? Is the 'password to DC, to Cloud' the 'passthrough' auth method? 


Thanks

1 Reply

  • Password hash sync means that the DC is owner of the password and a hash (of a hash) of that password is synced to your Entra ID tenant. That hash is used to validate the credentials from the user trying to sign in. In this case some malicious users are probably trying to password spray some of your users. You should look out for valid passwords and failed MFAs. (I do hope all your users are on MFA).
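
The reply's advice to look for valid passwords and failed MFA can be turned into a triage pass over exported sign-in records. This is an added example, not part of the original thread. The field names are modelled on a sign-in log export and are assumptions to adjust to your own export, as are the home country set, the spray threshold and the sample records, which are constructed.

```python
from collections import defaultdict

# Entra ID (AADSTS) result codes where the password was accepted
# but the MFA step was not completed.
PASSWORD_ACCEPTED_MFA_UNMET = {50074, 50076, 500121}
HOME_COUNTRIES = {"CA"}  # assumption: legitimate users sign in from Canada


def rec(upn, ip, country, code, agent="axios/1.7.2"):
    """Build one constructed record shaped like an exported sign-in entry."""
    return {"userPrincipalName": upn, "ipAddress": ip, "userAgent": agent,
            "location": {"countryOrRegion": country},
            "status": {"errorCode": code}}


# Constructed sample data (documentation IP ranges, example.com users).
SAMPLE = [
    rec("alice@example.com", "203.0.113.10", "US", 50126),  # wrong password
    rec("bob@example.com", "203.0.113.10", "US", 50126),    # wrong password
    rec("carol@example.com", "203.0.113.10", "US", 50074),  # password OK, MFA required
    rec("dave@example.com", "203.0.113.44", "US", 50126),   # single stray failure
    rec("bob@example.com", "198.51.100.7", "CA", 0, "Mozilla/5.0"),  # normal sign-in
]


def triage(records, home=HOME_COUNTRIES, spray_threshold=3):
    """Return (spray_ips, password_known) for sign-ins from outside `home`.

    spray_ips: source IPs with failures against >= spray_threshold distinct users.
    password_known: users whose password was accepted from abroad (a success,
    or a failure that only happened at the MFA step); reset these first.
    """
    targets_by_ip = defaultdict(set)
    password_known = defaultdict(set)
    for r in records:
        if r["location"]["countryOrRegion"] in home:
            continue
        upn, code = r["userPrincipalName"], r["status"]["errorCode"]
        if code == 0 or code in PASSWORD_ACCEPTED_MFA_UNMET:
            password_known[upn].add(code)
        if code != 0:
            targets_by_ip[r["ipAddress"]].add(upn)
    spray_ips = {ip: sorted(users) for ip, users in targets_by_ip.items()
                 if len(users) >= spray_threshold}
    return spray_ips, {u: sorted(c) for u, c in password_known.items()}


if __name__ == "__main__":
    spray, known = triage(SAMPLE)
    print("Likely spray sources:", spray)
    print("Password accepted from abroad:", known)
```

A user appearing in the second result means the attacker holds a working password even though MFA stopped the sign-in, so that account needs a password reset rather than just monitoring.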
