Forum Discussion
Password Hash Sync enable - any immediate issues when enabling
Hey all,
AD on-premise, using Azure AD Connect to sync objects.
Will enabling PHS have any immediate effect on our systems functioning? We currently have the User Sign-in method as Federated with AD FS. Will look at eventually changing to PHS but not yet.
Just want to make sure that simply ticking the PHS option in Optional Features won't affect anything.
cheers
j
- shabarinath, Copper Contributor
Hello justletmelogin50,
Hope when you mentioned enabling PHS, it's just about synchronizing passwords to EntraID.
This shouldn't have any impact, to my understanding.
There are a few areas to be looked at when switching the authentication from ADFS to EntraID (Federated to Managed), which would be your ultimate goal.
1) If you have fine-grained password policies deployed with different password ages, you need to have a detailed. EntraID supports password policies based on the custom domain. Which means all users in your tenant can have a global value for password age on expiry, or a subset of users from the custom domain can have their own password age on expiry using a custom password policy, while the FGPP has multiple options to narrow down into granular levels, for example based on OU or based on group membership.
2) Account Level Expiry - While authentication happens on the on-prem side, account level expiry is honored. But this attribute is not synchronized to the cloud. This will cause accounts set with account level expiry to continue to log in using EntraID even after crossing the set expiry date on the on-premises AD account.
3) Applications registered with Entra ID. For applications registered in Entra ID for SSO, ADFS is capable of handling most of the modern authentication protocols. However, there are some protocols like WS-Fed which are not supported when switching authentication through EntraID. Hence, you should refer back to the ADFS logs and identify the applications consuming WS-Fed and get them changed to OAuth or SAML before switching the authentication through Entra ID.
The good part is EntraID supports staged rollout. So first do a proper analysis using smaller groups before doing the final cutover.
https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-staged-rollout
Good luck !
Shaba
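As an added example, not code from either poster in this thread, the script below turns the three pre-cutover checks in the answer above into PowerShell you can run before and after ticking the PHS box. It assumes the ADSync module on the Azure AD Connect server, the ActiveDirectory RSAT module on a domain-joined host, and the ADFS module on the AD FS server (each section is run where its module lives); the 90-day look-ahead window for expiring accounts is an arbitrary value chosen for the example.

```powershell
# Added example (not from the thread). Each section runs on the server that
# has the named module; nothing here changes configuration, it only reports.

# --- 0. Confirm what the "Password hash synchronization" checkbox changed.
#        PHS only adds a credential store in Entra ID; AD FS stays the sign-in
#        authority until the domain is converted from federated to managed.
Import-Module ADSync
$feature = Get-ADSyncAADCompanyFeature
[PSCustomObject]@{
    PasswordHashSync  = $feature.PasswordHashSync
    PasswordWriteBack = $feature.PasswordWriteBack
}

# --- 1. Fine-grained password policies (point 1 above): list every PSO with
#        its maximum password age and the groups/users it applies to, so a
#        per-domain cloud policy can be planned for each population.
Import-Module ActiveDirectory
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MaxPasswordAge, AppliesTo

# --- 2. Account-level expiry (point 2 above): accountExpires is not synced,
#        so an enabled on-prem account with an expiry date would keep signing
#        in through Entra ID after cutover. accountExpires of 0 or
#        9223372036854775807 means "never", hence the LDAP filter below.
$lookAhead = (Get-Date).AddDays(90)   # constructed window for the example
Get-ADUser -LDAPFilter '(&(accountExpires>=1)(!(accountExpires=9223372036854775807)))' `
           -Properties AccountExpirationDate |
    Where-Object { $_.Enabled -and $_.AccountExpirationDate -lt $lookAhead } |
    Select-Object SamAccountName, AccountExpirationDate |
    Sort-Object AccountExpirationDate
# Mitigation: the Enabled flag does sync, so disabling expired accounts
# on-prem (manually or on a schedule) closes the gap in the cloud as well.

# --- 3. WS-Fed relying parties (point 3 above): on the AD FS server, list
#        trusts that only have a WS-Fed endpoint, i.e. the applications to
#        migrate to SAML or OAuth before the federated domain is converted.
Import-Module ADFS
Get-AdfsRelyingPartyTrust |
    Where-Object { $_.WSFedEndpoint -and -not $_.SamlEndpoints } |
    Select-Object Name, Identifier, WSFedEndpoint
```

Run section 0 immediately after enabling PHS to confirm that only PasswordHashSync flipped, and keep the output of sections 1 to 3 as the inventory for the staged-rollout group selection linked above.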