SOLVED

azure ad hash sync


Hello,

I plan to do a hash sync as a test from a single OU. But if I find that I would prefer to stay separate and manage fully in the cloud, is it a good practice and OK to remove Azure AD hash sync after it's been put in place?

If I do remove/uninstall hash sync, are the objects in the cloud simply marked as mastered in Azure?

Thank you

Hi
Password hash sync is just an authentication method. If you are not satisfied with it you can simply migrate to another one. You will need to do some planning to be able to do that.
You can use Azure AD Connect to switch the sign-in method from password hash synchronization to Pass-through Authentication, for example. If you do that, Pass-through Authentication becomes the primary sign-in method for your users in managed domains. Keep in mind that all users' password hashes which were previously synchronized by password hash synchronization remain stored in Azure AD. So if you don't want that, you will probably ask them to change their password to have new hashes.

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-password-hash-synchron...

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-whatis
Hi,
So I am actually asking if it's OK to remove Azure AD Connect once I have tested it. This would mean that there would no longer be a sync of objects and attributes between local AD and Azure, as you know.
I just don't know if the removal of Azure AD Connect can cause any side effects from things left over.
Thanks.
best response confirmed by Robert Lien (Contributor)
Solution
No side effects in the on-premises directory. You will just have to turn off dir sync by using PowerShell and do some cleanup in AD. You will probably need to do some cleanup in the AAD tenant for cloud objects.
https://docs.microsoft.com/en-us/microsoft-365/enterprise/turn-off-directory-synchronization?view=o3....
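The PowerShell step the answer refers to, written out as an added example (this is not from the original thread or from Microsoft's documentation). It assumes the MSOnline module is installed and that the account used can administer the tenant; it first records which objects are currently synced, turns directory synchronization off, and then re-reads the tenant setting so the change can be confirmed rather than assumed.

```powershell
# Added example: turn off directory synchronization and verify the result.
# Assumes the MSOnline module (Install-Module MSOnline) and a Global Administrator sign-in.
Import-Module MSOnline
Connect-MsolService

# 1. Record the current state before changing anything.
$before = Get-MsolCompanyInformation
Write-Host "DirSync enabled before: $($before.DirectorySynchronizationEnabled)"
Write-Host "Last DirSync time:       $($before.LastDirSyncTime)"

# Users that were mastered on-premises have a LastDirSyncTime; cloud-only users do not.
$synced = Get-MsolUser -All | Where-Object { $_.LastDirSyncTime -ne $null }
Write-Host "Synced user objects found: $($synced.Count)"
$synced | Select-Object UserPrincipalName, LastDirSyncTime, ImmutableId |
    Export-Csv -Path ".\synced-users-before-disable.csv" -NoTypeInformation

# 2. Turn directory synchronization off for the tenant.
Set-MsolDirSyncEnabled -EnableDirSync $false -Force

# 3. Confirm the tenant now reports sync as disabled.
$after = Get-MsolCompanyInformation
if ($after.DirectorySynchronizationEnabled) {
    Write-Warning "Tenant still reports directory synchronization as enabled; re-check later."
} else {
    Write-Host "Directory synchronization is now disabled for the tenant."
}
```

The CSV taken in step 1 is the record to keep: once the tenant finishes converting the objects to cloud-managed, the previously synced users can be compared against it to confirm that nothing was left behind or unexpectedly altered during the cleanup.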
A follow-up: Our company used to have Exchange, but it was removed. With all the msExch.. attributes in Active Directory (this may be the case without an Exchange server, as I believe it extends AD with upgrades to 2012 R2 or earlier), do all these attributes have to be matched before sync?
For example, the msExchMailboxGuid is "not set" in my local directory, so if this syncs, would that not break Exchange Online, since that "not set" attribute would overwrite the cloud?
Thank you