SOLVED

Azure AD Connect Password hash synchronization

Contributor

We use password hash synchronization with Azure AD Connect sync. Federation, SSO and pass-through authentication are all disabled.

When we log onto our workstation computers using a domain user name, are we authenticating at that point with Azure AD or our on-premises Active Directory?

I don't know if this is relevant, but in the AAD admin portal, all our devices are flagged as 'Azure AD registered' (not Azure AD joined - not exactly sure of the difference).

We have a custom Office 365 domain name. A local server is our domain controller.

I am asking this because it appears that our local network 'maximum password age' default domain policy that is set in Group Policy Management is not taking effect. It is set to 42 days, but we are never asked to enter a new password.

The Microsoft Admin Center Security & Privacy setting has the password expiration set to never. This appears to be the one that is taking precedence when we log into our domain on our workstations.

Is that expected behavior?

Do you need more information from my end?

Thank you,

Betty

PS: the PowerShell command "Get-AzureADUser" shows 'DisablePasswordExpiration' for everybody's PasswordPolicies.

3 Replies

Hello there @Betty Stolwyk, thanks for your question!

When you use Password hash sync, you actually just replicate the on-prem password to your cloud identity, so you have the same password in both places.

So when you log in to your workstation with domain\username you are authenticating to your local domain controllers.

And when you log in to portal.office.com with your user@domain.com user, then you are authenticating with Azure AD.

When password hash sync is enabled, the password policies in your on-premises AD override complexity policies in the cloud.

HOWEVER...

If a user is in the scope of password hash sync, by default the cloud account password is set to Never Expire for that user. So it is expected that your user in the cloud has "password never expires".

You can continue to sign in to your cloud services by using a synchronized password that is expired in your on-prem AD. Your cloud password is updated the next time you change the password in the on-prem AD.

To summarize:

  • When you sign in with domain\user, you authenticate with the local Domain controller(s)
  • When you sign into Office365, you authenticate with Azure AD
  • Password never expires on the cloud accounts is expected with password hash sync
  • Password Hash sync just duplicates the on-prem password and sets that for the cloud identity
    • If the password expires in the local AD, the user can still log in to Office365 with that expired password until it's changed on-prem

I hope this answered your question!

Let me know if I can assist you further.

Kind Regards
Oliwer Sjöberg


@oliwer_sjoberg Thank you for your quick response!

I appreciate the clarification that logging into our workstation authenticates against our local Active Directory. That makes sense.

However, that information reinforces my confusion about why we never get asked for a new password on workstation login when we hit the 'maximum password age' of 42 days as defined by our local default domain policy that is set in Group Policy Management. (I was thinking that might have been overridden by the Azure AD password policy of never expiring, but you cleared that up that is not the case.)

So it looks like this is a question that is outside of this forum's subject area since it must be some problem with the on-premises password policy.

So unless you happen to have some insight or advice for me on that, I will consider this answered :)

betty

Best Response confirmed by Betty Stolwyk (Contributor)
Solution
No problem, happy to help :)
It does seem like you'll need to double check the password GPO. You could, from a logged-on workstation, run the "GPRESULT" command from CMD to see all GPOs that are applied to that user and workstation.

I would appreciate if you could mark my reply as "best response" if you feel satisfied :)

Let me know if you have other questions, feel free to DM me!

Kind regards
Oliwer Sjöberg
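The check this thread circles around (the on-prem maximum password age versus the cloud-side PasswordPolicies value), as an added PowerShell example that is not from the thread or from Microsoft. It assumes the RSAT ActiveDirectory module on a domain-joined admin workstation, the AzureAD module with an existing Connect-AzureAD session, and that users' UPNs match between on-prem AD and Azure AD.

```powershell
# Added example (not from the thread). Assumes: RSAT ActiveDirectory module, AzureAD module
# with Connect-AzureAD already run, and matching UPNs on-prem and in Azure AD.
# For each enabled user: effective on-prem max password age (domain default or a fine-grained
# PSO), current password age, the per-user "never expires" flag, and the cloud PasswordPolicies.
Import-Module ActiveDirectory

# Domain-wide default, i.e. the "maximum password age" set in the Default Domain Policy GPO
$default = Get-ADDefaultDomainPasswordPolicy
"Default domain MaxPasswordAge: {0} days" -f $default.MaxPasswordAge.Days

$props = 'PasswordLastSet', 'PasswordNeverExpires', 'PasswordExpired',
         'msDS-UserPasswordExpiryTimeComputed', 'UserPrincipalName'
$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties $props

foreach ($u in $users) {
    # A fine-grained password policy (PSO) overrides the domain default for its members
    $pso    = Get-ADUserResultantPasswordPolicy -Identity $u -ErrorAction SilentlyContinue
    $maxAge = if ($pso) { $pso.MaxPasswordAge } else { $default.MaxPasswordAge }

    $age = if ($u.PasswordLastSet) { (Get-Date) - $u.PasswordLastSet } else { $null }

    # Int64.MaxValue in this attribute means the password never expires on-prem
    $raw    = $u.'msDS-UserPasswordExpiryTimeComputed'
    $expiry = if ($raw -and $raw -lt [Int64]::MaxValue) { [DateTime]::FromFileTime($raw) } else { $null }

    # Cloud side: under password hash sync the synced user normally shows DisablePasswordExpiration
    $cloud = Get-AzureADUser -ObjectId $u.UserPrincipalName -ErrorAction SilentlyContinue

    [PSCustomObject]@{
        User               = $u.SamAccountName
        OnPremMaxAgeDays   = $maxAge.Days
        PasswordAgeDays    = if ($age) { [int]$age.TotalDays } else { $null }
        NeverExpiresOnPrem = $u.PasswordNeverExpires
        ExpiredOnPrem      = $u.PasswordExpired
        OnPremExpiry       = $expiry
        CloudPolicy        = if ($cloud) { $cloud.PasswordPolicies } else { 'not found in Azure AD' }
    }
}
```

A user whose PasswordAgeDays exceeds OnPremMaxAgeDays but who is never prompted typically has NeverExpiresOnPrem set or is covered by a PSO with a longer age; "GPRESULT /R" on the workstation, as suggested above, shows which GPOs actually applied.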