If AAD Connect is offline for an extended period of time


Hi, I'm running Azure AD Connect with password hash sync. My current setup is working fine, but I want to know what the impact would be if there's a bad outage that takes on-premises environments offline.

Can anyone describe the impact if Azure AD Connect is offline for an extended period? Possibly, a month or more?

Will the end users eventually get locked out if Azure AD Connect does not sync for a certain period of time?

3 Replies
New changes will not be synced of course, operational as normal otherwise! Of course this also depends on how you authenticate! If you are using ADFS or pass-through auth you need to switch this!

You could also turn off sync with AD Connect in 365 and your users will be cloud only users! You can later connect merge the accounts if you have a new environment up and running! If you’re fixing the old just leave it!

Adam

Hi @hyperloop

If it was in a scenario such as an outage of a month (a long period) you would likely disable Azure AD Connect as outlined here

https://docs.microsoft.com/en-us/office365/enterprise/turn-off-directory-synchronization#turn-off-di...

Then the users would convert to Cloud users again (not synchronised) and then you could change passwords if needed.

Once it was back up you can then resynchronise the users through soft matching.

Hope that answers your question!

Best, Chris

If you have password sync enabled, the cloud passwords are set to never expire, so even in the event of such a long outage users will not get locked out.