Jan 14 2022
10:06 AM
- last edited on
Jan 14 2022
03:22 PM
by
TechCommunityAP
Hi,
We're planning on enabling Azure Seamless SSO. Currently, we use ADFS on 2012 R2. We enabled Password Hash Sync a few months ago and we've piloted a staged rollout for a small group of users. When moving from ADFS to PHS for authentication with our test users, we noticed a small behaviour change in our Citrix environment whereby users are prompted to enter their username for the first login post-change.
We want to migrate all users to PHS and are planning on running the following:
Set-MsolDomainAuthentication -Authentication Managed -DomainName contoso.com
Is there any downtime associated with this?
If there are problems, is the change easy to roll back with the command below?
Set-MsolDomainAuthentication -Authentication Federated -DomainName contoso.com
Thanks in advance
P
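An added example, not the poster's own script, of how an admin would wrap the cutover above so it is verifiable and reversible: it records the domain's current authentication type and federation settings before switching contoso.com to Managed, checks the result, and keeps a rollback function. Re-federating needs the federation endpoint URIs and signing certificate, not just `-Authentication Federated`, which is why the settings are saved first. It assumes the MSOnline module is loaded and `Connect-MsolService` has already been run; the domain name and backup path are placeholders.

```powershell
# Added example (not from the thread): snapshot federation settings, convert the
# domain to managed authentication, verify, and keep a rollback path.
# Assumes: MSOnline module installed, Connect-MsolService already run.
$DomainName = 'contoso.com'                                   # placeholder
$BackupPath = "C:\Temp\$DomainName-federation-settings.xml"   # placeholder

# 1. Record the current state. The federation settings (IssuerUri,
#    PassiveLogOnUri, SigningCertificate, ...) are what a rollback needs.
$before = Get-MsolDomain -DomainName $DomainName
Write-Host "Authentication before change: $($before.Authentication)"
if ($before.Authentication -eq 'Federated') {
    Get-MsolDomainFederationSettings -DomainName $DomainName |
        Export-Clixml -Path $BackupPath
    Write-Host "Federation settings saved to $BackupPath"
}

# 2. Convert the domain to managed (password hash sync) authentication.
Set-MsolDomainAuthentication -DomainName $DomainName -Authentication Managed

# 3. Verify the change took effect.
$after = Get-MsolDomain -DomainName $DomainName
if ($after.Authentication -ne 'Managed') {
    throw "Domain $DomainName is still $($after.Authentication)"
}
Write-Host "Authentication after change: $($after.Authentication)"

# Rollback: re-federate from the saved settings (run only if needed).
function Restore-FederatedDomain {
    param(
        [Parameter(Mandatory)] [string]$DomainName,
        [Parameter(Mandatory)] [string]$BackupPath
    )
    $fs = Import-Clixml -Path $BackupPath
    Set-MsolDomainAuthentication -DomainName $DomainName -Authentication Federated `
        -IssuerUri           $fs.IssuerUri `
        -PassiveLogOnUri     $fs.PassiveLogOnUri `
        -ActiveLogOnUri      $fs.ActiveLogOnUri `
        -LogOffUri           $fs.LogOffUri `
        -MetadataExchangeUri $fs.MetadataExchangeUri `
        -SigningCertificate  $fs.SigningCertificate `
        -FederationBrandName $fs.FederationBrandName
    Get-MsolDomain -DomainName $DomainName | Select-Object Name, Authentication
}
# Example rollback call:
# Restore-FederatedDomain -DomainName $DomainName -BackupPath $BackupPath
```

The `Export-Clixml` snapshot is the important step: once the domain is Managed, `Get-MsolDomainFederationSettings` no longer has anything to return, so the values needed to re-federate must be captured beforehand.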
Jan 17 2022 12:46 AM
Jan 19 2022 05:32 AM
Hi,
Why do you recommend making the change over the weekend?
If a user is already logged in, then presumably they'll have a valid access token. If the change kicks in straight away, then users will be authenticated via PHS and if it doesn't kick in straight away, the user will be authenticated via ADFS.
Jan 19 2022 05:59 AM
Jan 21 2022 07:30 AM
Jan 28 2022 02:56 AM - edited Jan 28 2022 02:57 AM
Enabling PHS is a painful experience, unless you're running a well maintained vanilla AD. There are 2 big issues for us:
1. Synced accounts with AD "password never expires" need to be manually updated (see link below - unfortunately the PowerShell cmdlet doesn't work for us, see attachment).
2. If an account on-premises with password never expires set changes their password, we then need to manually update that account in Azure AD (see note "For hybrid users that have a PasswordPolicies value set to DisablePasswordExpiration, this value switches to None after a password change is executed on-premises").
We have over 800 enabled synced accounts with password never expires :-(. Architecturally, this seems like a poor solution; why couldn't Microsoft just sync the password never expires flag as an attribute?
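Because the cloud `PasswordPolicies` value reverts to `None` after an on-premises password change, the mismatch described in this post recurs and has to be re-checked, not fixed once. The following added example (not the poster's code) reports synced accounts whose on-premises "password never expires" flag is not reflected in Azure AD, and optionally sets `DisablePasswordExpiration` on them. It assumes the ActiveDirectory (RSAT) and AzureAD modules are installed and `Connect-AzureAD` has been run; the `-Fix` switch is this script's own convention.

```powershell
# Added example (not from the thread): reconcile on-prem PasswordNeverExpires
# with the Azure AD PasswordPolicies value for synced accounts.
# Assumes: ActiveDirectory and AzureAD modules loaded, Connect-AzureAD already run.
param([switch]$Fix)   # -Fix applies DisablePasswordExpiration to mismatches

# Enabled on-prem accounts flagged "password never expires".
$onPrem = Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $true' `
                     -Properties PasswordNeverExpires, UserPrincipalName

$report = foreach ($u in $onPrem) {
    if (-not $u.UserPrincipalName) { continue }   # no UPN: cannot be matched in cloud
    try {
        $cloud = Get-AzureADUser -ObjectId $u.UserPrincipalName
    } catch {
        # Not found in Azure AD (not synced, or UPN differs): report separately.
        [pscustomobject]@{ UPN = $u.UserPrincipalName; CloudPolicy = 'NOT FOUND'; Status = 'Unsynced' }
        continue
    }
    # PasswordPolicies may be $null, "None", or a comma-separated list such as
    # "DisablePasswordExpiration, DisableStrongPassword".
    $policy = if ($cloud.PasswordPolicies) { $cloud.PasswordPolicies } else { 'None' }
    if ($policy -notmatch 'DisablePasswordExpiration') {
        [pscustomobject]@{ UPN = $u.UserPrincipalName; CloudPolicy = $policy; Status = 'Mismatch' }
    }
}

$report | Sort-Object Status, UPN | Format-Table -AutoSize
'{0} on-prem never-expires accounts checked, {1} mismatched, {2} unsynced' -f `
    @($onPrem).Count,
    @($report | Where-Object Status -eq 'Mismatch').Count,
    @($report | Where-Object Status -eq 'Unsynced').Count

if ($Fix) {
    foreach ($m in $report | Where-Object Status -eq 'Mismatch') {
        Set-AzureADUser -ObjectId $m.UPN -PasswordPolicies DisablePasswordExpiration
        Write-Host "Set DisablePasswordExpiration on $($m.UPN)"
    }
}
```

Run it without `-Fix` first to see the drift, then schedule it (with `-Fix`) so that accounts whose value flipped back to `None` after an on-premises password change are caught before their cloud password expiry kicks in.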
Feb 01 2022 12:27 AM
Solution - Feb 03 2022 01:53 PM