TechNet Blog, Azure AD Sync FAQ

By deploying password sync in your environment, you enable your users to use the same password they use to log on to your on-premises Active Directory to log on to Azure Active Directory.

The objective of this topic is to provide you with the information you need to understand the password sync feature and how to enable it in your environment.

Password Sync is a feature of the Azure Active Directory Sync tool that synchronizes user passwords from your on-premises Active Directory to Azure Active Directory (“Azure AD”). This feature enables your users to log in to their Azure Active Directory services (such as Office 365, Intune, CRM Online, etc.) using the same password they use to log in to your on-premises network. It is important to note that this feature does not provide a Single Sign-On (SSO) solution, because there is no token sharing or exchange in the Password Sync based process.

Active Directory Domain Services that are configured for FIPS are not compatible with the Password Sync feature.

Any customer of Azure Active Directory is eligible to run Password Sync. See below for information on the compatibility of Password Sync and other features such as Federated Authentication.

You must be running version 6382.0000 or greater of the Directory Sync tool in order to enable the Password Sync feature (version is available on the .exe installer download). The latest version of the Directory Sync tool can be downloaded from the Admin Portal.

Password Sync is an extension of the directory synchronization feature implemented by the Directory Sync tool. Consequently, this feature requires directory synchronization between your on-premises Active Directory and your Azure Active Directory to be configured.

The Active Directory Domain Service stores passwords in the form of a hash value representation of the actual user password. The password hash cannot be used to log in to your on-premises network. It is also designed so that it cannot be reversed in order to gain access to the user’s plaintext password. To synchronize a password, the Directory Sync tool extracts the user password hash from the on-premises Active Directory. Additional security processing is applied to the password hash before it is synchronized to the Azure Active Directory Authentication service. The actual data flow of the password synchronization process is similar to the synchronization of user data such as DisplayName or email addresses.

Passwords are synchronized more frequently than the standard Directory Sync window for other attributes. The Password Sync feature checks every two minutes whether passwords need to be synchronized. Passwords are synchronized on a per-user basis and are generally synchronized in chronological order. When a user’s password is synchronized from the on-premises AD to the cloud, the existing cloud password will be overwritten.

When you first enable the Password Sync feature in your DirSync tool, it will perform an initial synchronization of the passwords of all in-scope users from your on-premises Active Directory to Azure Active Directory. You cannot explicitly define the set of users that will have their passwords synchronized to the cloud. Subsequently, when an on-premises user changes their password, the Password Sync feature will detect and synchronize the changed password, most often in a matter of minutes. The Password Sync feature will automatically retry failed user password syncs. If an error occurs during an attempt to synchronize a password the error is logged in your event viewer.

The synchronization of a password has no impact on currently logged-on users. If a user who is logged in to a cloud service also changes their on-premises password, the cloud service session will continue uninterrupted. However, as soon as the cloud service requires the user to re-authenticate, the new password must be provided. At this point, the user is required to provide the new password – the password that has been recently synchronized from the on-premises Active Directory to the cloud.

When synchronizing passwords using the password sync feature, the plain text version of a user’s password is neither exposed to the password sync tool nor to Azure AD or any of the associated services.

Additionally, there is no requirement on the on-premises Active Directory to store the password in a reversibly encrypted format. A digest of the Windows Active Directory password hash is used for the transmission between the on-premises AD and Azure Active Directory. The digest of the password hash cannot be used to access resources in the customer’s on-premises environment.

There are two types of password policies that are affected by enabling password sync:

  1. Password Complexity Policy
  2. Password Expiration Policy

When you enable password sync, the password complexity policies configured in the on-premises Active Directory override any complexity policies that may be defined in the cloud for synchronized users. This means any password that is valid in the customer’s on-premises Active Directory environment can be used for accessing Azure AD services.

Passwords for users that are created directly in the cloud are still subject to password policies as defined in the cloud.

If a user is in the scope of the password sync feature, the cloud account password is set to “Never Expire”. This means that it is possible for a user’s password to expire in the on-premises environment, but they can continue to log into cloud services using this expired password.

The cloud password will be updated the next time the user changes the password in the on-premises environment.
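Because synchronized users get a cloud password that never expires, an expired on-premises password remains usable against cloud services until the user changes it. The following PowerShell script, added here as an example and not part of the original post, lists synchronized users in that state; it assumes the ActiveDirectory and MSOnline modules are installed and that Connect-MsolService has already been run in the session, and it relies on the DirSync convention that ImmutableId is the base64 form of the on-premises objectGUID.

```powershell
# Added example (not from the original post): report synchronized users whose
# on-premises password has expired but whose cloud password is set to never expire.
# Assumptions: ActiveDirectory and MSOnline modules are loaded and
# Connect-MsolService has already been run in this session.
Import-Module ActiveDirectory
Import-Module MSOnline

$onPrem = Get-ADUser -Filter 'Enabled -eq $true' `
    -Properties PasswordExpired, PasswordNeverExpires, UserPrincipalName, ObjectGUID

$report = foreach ($u in $onPrem) {
    # Only on-premises accounts whose password has already expired are of interest.
    if (-not $u.PasswordExpired) { continue }
    if ([string]::IsNullOrEmpty($u.UserPrincipalName)) { continue }

    # DirSync anchors a cloud user on the base64 form of the on-premises objectGUID;
    # this is the ImmutableId value that Get-MsolUser returns (assumed convention).
    $anchor = [Convert]::ToBase64String($u.ObjectGUID.ToByteArray())

    $cloud = Get-MsolUser -UserPrincipalName $u.UserPrincipalName -ErrorAction SilentlyContinue
    # Skip cloud-only accounts and any account whose anchor does not line up.
    if ($null -eq $cloud -or $cloud.ImmutableId -ne $anchor) { continue }

    [pscustomobject]@{
        UserPrincipalName         = $u.UserPrincipalName
        Anchor                    = $anchor
        OnPremPasswordExpired     = $u.PasswordExpired
        CloudPasswordNeverExpires = $cloud.PasswordNeverExpires
        LastDirSyncTime           = $cloud.LastDirSyncTime
    }
}

# Every row is a user who can still sign in to cloud services with an expired password.
$report | Sort-Object UserPrincipalName | Format-Table -AutoSize
```

Run it from a machine that can reach both the domain and the MSOnline service; an empty table means no synchronized user currently carries an expired on-premises password.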

The password sync feature will not synchronize passwords for users with Federated Identities. This has several implications:

  • If an initially managed user with a password that has been synchronized to the cloud is converted to a federated user and then converted back to a managed user, the password that was initially synchronized is lost.
  • If an initially federated user that has updated a password on-premises is converted to a managed user, the password will not be synchronized to the cloud. As a consequence of this, the user will not be able to use the password that has been set in the on-premises environment to log into cloud services.

An administrator can manually reset a user’s password using the Azure Active Directory PowerShell module.

In this case, the new password will override the user’s synchronized password and all password policies defined in the cloud will apply to the new password.

If the user changes the on-premises password again, the new password will be synchronized to the cloud, and will override the manually updated password.

Your Azure Active Directory tenant must be enabled for Directory Synchronization before the tenant can be enabled for Password Synchronization.

You enable Password Sync when running the Directory Sync tool Configuration Wizard.

When prompted by the Wizard, select the “Enable Password Synchronization” checkbox.

This process will trigger a full synchronization. Full synchronization cycles generally take longer than other sync cycles to complete.

You can monitor the progress of Password Sync through the event log of the machine that is running the Directory Sync tool.

You can determine which users have successfully had their passwords synchronized by reviewing the events that match the following criteria:

Source                      Event ID
Directory Synchronization   656
Directory Synchronization   657

The events with the Event ID 656 provide a report of processed password change requests:

(Screenshot: Event ID 656)

The corresponding events with the ID 657 provide the result for these requests:

(Screenshot: Event ID 657)

In the events, the affected objects are identified by their anchor and the DN value. The anchor value corresponds to the ImmutableId value that is returned for a user by the Get-MsolUser cmdlet.

In addition to the object identifiers, Event ID 656 provides the date the user’s password was changed in the on-premises Active Directory:

(Screenshot: Password Change Request)

Event ID 657 has a Result field in addition to the source object identifiers to indicate the status of synchronization for that user object.

A successfully synchronized password is indicated in an Event ID 657 event by a value of Success for the Result attribute. When a password synchronization attempt has failed, the value of the Result attribute is Failure:

(Screenshot: Password Change Result)
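Reviewing the 656 and 657 events by hand does not scale, so the following PowerShell script, added here as an example and not part of the original post, pulls the last 24 hours of password sync events from the DirSync machine and lists the objects whose Result is not Success. It assumes that the "Directory Synchronization" source writes to the Application log and that each 657 message carries the Anchor, DN and Result fields in that order; the regular expression is an assumption about that message layout.

```powershell
# Added example (not from the original post): surface failed password sync
# results from the 656/657 events on the machine running the Directory Sync tool.
# Assumptions: the source logs to the Application log, and each 657 message lists
# one or more entries with "Anchor : ...", "DN : ..." and "Result : ..." lines.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Directory Synchronization'
    Id           = 656, 657
    StartTime    = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue

# Assumed message layout: one block per object, Anchor then DN then Result.
$pattern = 'Anchor\s*:\s*(?<anchor>\S+)[\s\S]*?DN\s*:\s*(?<dn>[^\r\n]+?)\s*[\r\n][\s\S]*?Result\s*:\s*(?<result>\w+)'

$results = foreach ($e in ($events | Where-Object Id -eq 657)) {
    # A single 657 event can report several objects, so extract every match.
    foreach ($m in [regex]::Matches($e.Message, $pattern, 'IgnoreCase')) {
        [pscustomobject]@{
            Time   = $e.TimeCreated
            Anchor = $m.Groups['anchor'].Value
            DN     = $m.Groups['dn'].Value
            Result = $m.Groups['result'].Value
        }
    }
}

$requestCount = @($events | Where-Object Id -eq 656).Count
$successCount = @($results | Where-Object Result -eq 'Success').Count
$failed       = @($results | Where-Object Result -ne 'Success')

"656 request events: $requestCount; 657 results: $($results.Count); failures: $($failed.Count)"

# Retries are automatic, but an anchor that keeps failing still has a stale cloud
# password, so repeated failures per anchor are the actionable list.
$failed |
    Group-Object Anchor |
    Sort-Object Count -Descending |
    Select-Object @{n='Anchor';e={$_.Name}}, Count,
                  @{n='DN';e={$_.Group[0].DN}},
                  @{n='LastSeen';e={($_.Group | Sort-Object Time)[-1].Time}} |
    Format-Table -AutoSize

# An anchor maps back to a cloud user via ImmutableId (needs Connect-MsolService):
# Get-MsolUser -All | Where-Object ImmutableId -eq '<anchor from the table above>'
```

If the table is empty while 656 events exist, every request in the window completed with Result Success; if no events are returned at all, check the log name and source on the machine before assuming Password Sync is idle.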

You disable Password Sync by re-running the Directory Sync tool Configuration Wizard.

When prompted by the Wizard, de-select the “Enable Password Synchronization” checkbox.

This process will trigger a full synchronization. Full synchronization cycles generally take longer than other sync cycles to complete.

After running the Configuration Wizard, your tenant will no longer be synchronizing passwords. New password changes will not synchronize to the cloud. Users that previously had their passwords synchronized will be able to continue logging in with those passwords until they manually change their passwords in the cloud.