Saturday, 13 Jul 2024

Implement Password Hash Synchronization with Microsoft Entra Connect Sync


This article explains how to synchronize user passwords from an on-premises Active Directory instance to a cloud-based Microsoft Entra instance. Implementing password hash synchronization is a crucial step in providing a seamless and secure authentication process for your users.

How Password Hash Synchronization Works

The Active Directory domain service stores passwords as hash values rather than in plain text, which makes it nearly impossible to recover the original password from the stored representation. To synchronize your password, Microsoft Entra Connect Sync extracts the password hash from the on-premises Active Directory instance and applies extra security processing before synchronizing it to the Microsoft Entra authentication service. Synchronization occurs per user and in chronological order.

The synchronization process runs every 2 minutes, so password changes are propagated rapidly. It is important to note that synchronizing a password does not immediately affect a user who is currently signed in; the user must provide the new password the next time the cloud service requires authentication.


Additional Advantages

Password hash synchronization offers several advantages over other authentication methods:

  • Simplicity: Implementing password hash synchronization is simpler compared to a federation service. It does not require additional servers or reliance on a highly available federation service.
  • Fallback Option: Password hash synchronization can be enabled alongside federation as a fallback option in case of an outage or other issues with the federation service.

Detailed Description of How Password Hash Synchronization Works

The password hash synchronization process involves several steps to ensure the secure transmission of password hashes between Active Directory and Microsoft Entra ID:

  1. Every two minutes, the password hash synchronization agent on the AD Connect server requests stored password hashes from a domain controller.
  2. The domain controller encrypts the MD4 password hash using a key that is an MD5 hash of the RPC session key and a salt. It then sends the encrypted hash to the synchronization agent.
  3. The synchronization agent decrypts the encrypted hash using the MD5 key and generates a 64-byte binary password hash, adding a per-user salt for further protection.
  4. The synchronization agent applies the PBKDF2 function using the generated hash and the per-user salt, ensuring a secure and unique hash for each user.
  5. The resulting hash, along with the per-user salt and the number of SHA256 iterations, is transmitted to Microsoft Entra ID over a secure TLS connection.
  6. When a user attempts to sign in to Microsoft Entra ID, their password goes through the same hashing process. If the resulting hash matches the stored hash in Microsoft Entra ID, the user is authenticated.
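The derivation in steps 3 to 6, modelled as an added example that is not code from this article or from Microsoft Entra Connect. The 64-byte expansion (hex string re-encoded as UTF-16LE), the 10-byte per-user salt and the 1,000 HMAC-SHA256 iterations are parameters taken from Microsoft's published description of the feature, not from this page; the NT hash value is constructed, because the MD4 algorithm is disabled in many OpenSSL builds.

```python
import hashlib
import hmac
import os

# Parameters as published by Microsoft for password hash sync (assumed here;
# this article only says "PBKDF2" and "the number of SHA256 iterations").
PBKDF2_ITERATIONS = 1000
SALT_LENGTH = 10  # bytes of per-user salt


def expand_nt_hash(nt_hash: bytes) -> bytes:
    """Expand the 16-byte MD4 (NT) hash to 64 bytes.

    The agent renders the hash as a 32-character hex string and re-encodes
    that string as UTF-16LE, which doubles it to 64 bytes (step 3).
    """
    if len(nt_hash) != 16:
        raise ValueError("NT hash must be 16 bytes")
    return nt_hash.hex().encode("utf-16-le")


def derive_cloud_hash(nt_hash: bytes, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Step 4: PBKDF2-HMAC-SHA256 over the expanded hash with the per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", expand_nt_hash(nt_hash), salt, iterations, dklen=32)


def make_sync_record(nt_hash: bytes, salt: bytes = None) -> dict:
    """Step 5: what is transmitted to the cloud: derived hash, salt, iteration count."""
    salt = salt if salt is not None else os.urandom(SALT_LENGTH)
    return {"hash": derive_cloud_hash(nt_hash, salt), "salt": salt, "iterations": PBKDF2_ITERATIONS}


def verify_sign_in(candidate_nt_hash: bytes, record: dict) -> bool:
    """Step 6: re-run the derivation with the stored salt and compare in constant time."""
    recomputed = derive_cloud_hash(candidate_nt_hash, record["salt"], record["iterations"])
    return hmac.compare_digest(recomputed, record["hash"])


# Constructed sample values (not a real user's hash or salt).
SAMPLE_NT_HASH = bytes(range(16))
SAMPLE_SALT = bytes(range(1, 11))

if __name__ == "__main__":
    rec = make_sync_record(SAMPLE_NT_HASH, SAMPLE_SALT)
    print("stored hash:", rec["hash"].hex())
    print("correct NT hash verifies:", verify_sign_in(SAMPLE_NT_HASH, rec))
    print("wrong NT hash verifies:", verify_sign_in(bytes(16), rec))
```

Note that the stored 32-byte PBKDF2 output is not the NT hash itself, which is why a copy of the cloud record is of no use for pass-the-hash against on-premises Active Directory.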

Security Considerations

When synchronizing passwords, the plain-text version of your password is never exposed to the password hash synchronization feature, Microsoft Entra ID, or any associated services. User authentication takes place against Microsoft Entra, providing a more secure environment than the organization's own Active Directory instance. The SHA256-derived password data stored in Microsoft Entra ID cannot be reversed to recover the password or the original hash, so a copy of it cannot be used in a pass-the-hash attack.

Password Policy Considerations

Enabling password hash synchronization affects two password policies:


Password Complexity Policy

When password hash synchronization is enabled, the password complexity policies in your on-premises Active Directory instance override complexity policies in the cloud for synchronized users. You can use all valid passwords from your on-premises Active Directory instance to access Microsoft Entra services.

Password Expiration Policy

By default, the cloud account password for synchronized users is set to “Never Expire.” You can continue to sign in to your cloud services using a synchronized password that has expired in your on-premises environment. Your cloud password is updated the next time you change your on-premises password.

If you need synchronized users to comply with a password expiration policy defined in Microsoft Entra, you can enable the CloudPasswordPolicyForPasswordSyncedUsersEnabled feature. This forces synchronized users to comply with the Microsoft Entra password expiration policy.

For detailed information on configuring password policies, refer to the Microsoft Entra documentation.

Overwrite Synchronized Passwords

An administrator can manually reset your password directly in Microsoft Entra ID using PowerShell (except for users in federated domains). In this case, the manually updated password overrides your synchronized password, subjecting it to all password policies defined in the cloud.

If you change your on-premises password again, the new password is synchronized to the cloud, overriding the manually updated password.

Enable Password Hash Synchronization

When you install Microsoft Entra Connect using the Express Settings option, password hash synchronization is automatically enabled. If you opt for a custom installation, password hash synchronization is available on the user sign-in page.


Troubleshoot Password Hash Synchronization

If you encounter any issues with password hash synchronization, refer to the troubleshooting guide provided by Microsoft Entra.

Frequently Asked Questions

Q: Can I synchronize a subset of user passwords?

A: Unfortunately, you cannot explicitly define a subset of user passwords for synchronization. However, you can disable password hash synchronization for specific connectors using the Set-ADSyncAADPasswordSyncConfiguration cmdlet.

Q: How often does the password hash synchronization process run?

A: The password hash synchronization process runs every 2 minutes, ensuring rapid updates to password changes.

Q: What happens if an error occurs during password synchronization?

A: If an error occurs during an attempt to synchronize a password, an error is logged in your event viewer. The password hash synchronization feature automatically retries failed synchronization attempts.

Q: How does password hash synchronization impact user sessions?

A: Synchronizing a password does not immediately affect the user’s current cloud service session. The user is required to provide their new password when the cloud service prompts for authentication.


Implementing password hash synchronization is a crucial step in ensuring a secure and seamless authentication process for your users. By following the steps outlined in this article, you can synchronize user passwords from an on-premises Active Directory instance to a cloud-based Microsoft Entra instance effectively.

For more information and resources on Microsoft Entra Connect Sync and integrating on-premises identities with Microsoft Entra ID, please visit Eireview.

Remember to regularly review and update your password policies to maintain a strong security posture.