SOLVED

password hash sync or passthrough sync with sso


Dear reader,


I'm planning for migrating our env. We will go to a hybrid env. The question I have is about AD Connect and the different choices. With password hash sync a copy of the user's password will be maintained in AD. I can understand that when a user is at home at a non domain joined machine he/she will be able to log on to O365. But what happens when you choose pass-through sync? A password at Azure will not be available, so will the same user be able to log on to O365 at a non domain joined machine at home? If he/she can, where does authentication take place? If auth happens on the local AD through AD Connect, then what will happen if the local AD is unreachable because of a power outage or something?

Thanks in advance,

best regards Ruud  Boersma

2 Replies
Solution

They will not be able to authenticate. For this reason, it's recommended to configure Password-hash sync as a fallback option, but that process is not automatic, so keep that in mind.

As Vasil said, if it's down they cannot log in. Basically you get an agent of sorts that Azure AD connects back to, to do the auth on-prem.

As for users at home it will work fine as long as your on-prem AD is online, as the auth will pass through to your AD servers basically.
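Both replies make the same point: with pass-through authentication, cloud sign-in stops when the on-prem side is unreachable, and password hash sync is only a fallback if it was already enabled and is then switched to by hand. The check below is an added example, not code from the thread or from Microsoft; it runs on the Azure AD Connect server, reads the tenant feature flags the ADSync module exposes, and reports whether that fallback is actually in place. It assumes the ADSync module is installed there and that the PTA agent runs as a Windows service named `AzureADConnectAuthenticationAgent` (an assumption about the local install).

```powershell
# Added example (assumed environment): run on the Azure AD Connect server.
# ADSync ships with Azure AD Connect; the PTA service name is an assumption.
Import-Module ADSync -ErrorAction Stop

$ptaServiceName = 'AzureADConnectAuthenticationAgent'   # assumed service name

function Get-HybridAuthPosture {
    # Tenant-level feature flags as recorded by Azure AD Connect.
    $features   = Get-ADSyncAADCompanyFeature
    $phsEnabled = [bool]$features.PasswordHashSync

    # Is a pass-through authentication agent installed and running on this box?
    $ptaService = Get-Service -Name $ptaServiceName -ErrorAction SilentlyContinue
    $ptaRunning = ($null -ne $ptaService) -and ($ptaService.Status -eq 'Running')

    # A server in staging mode does not export, so PHS data would not be fresh.
    $scheduler = Get-ADSyncScheduler
    $exporting = $scheduler.SyncCycleEnabled -and -not $scheduler.StagingModeEnabled

    $warnings = @()
    if ($ptaRunning -and -not $phsEnabled) {
        $warnings += 'PTA agent running but password hash sync is disabled: ' +
                     'if on-prem AD or every PTA agent is unreachable, cloud sign-in fails with no fallback.'
    }
    if ($ptaRunning -and $phsEnabled) {
        $warnings += 'PHS is enabled as a fallback, but switching the tenant sign-in method ' +
                     'from PTA to PHS is a manual change in the Azure AD Connect wizard.'
    }
    if ($phsEnabled -and -not $exporting) {
        $warnings += 'PHS is enabled but this server is not exporting (staging mode or scheduler off); ' +
                     'the synced hashes may be stale.'
    }

    [pscustomobject]@{
        PasswordHashSyncEnabled = $phsEnabled
        PtaAgentRunning         = $ptaRunning
        ServerExporting         = $exporting
        Warnings                = $warnings
    }
}

$posture = Get-HybridAuthPosture
$posture | Format-List
$posture.Warnings | ForEach-Object { Write-Warning $_ }
```

Run it on every Azure AD Connect server in the environment, since staging mode is a per-server setting while the PHS flag is tenant-wide.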