Azure AD Connect is a tool for connecting on-premises identity infrastructure to Microsoft Azure AD. AAD Connect has maintained its popularity since the time it was upgraded from DirSync and AAD sync due to the feature and controls it provides to the administrator of a small or big organization. But in this blog, we are going to focus on Azure Active Directory Password Hash Sync and the authentication methods supported by AAD Connect.
There are two basic types of authentication:
Cloud authentication: Azure AD
handles here sign-in process; also, it can provide SSO feature. It includes two
Password Hash Synchronization
Federated authentication: In this
Azure Ad hands off the authentication process to a separated trusted
authentication system, for example, ADFS (Active Directory Federation
Services), Ping Fed, or any other federation provider.
Password Hash Synchronization: As the name suggests
in this method, the on-premise account password is synchronized in the form of
hash to Azure AD. But it is not that simple, and we will learn how password
hash sync works:-
Firstly, the password hash sync cycle runs in every
The Password hash synchronization agent
initiates a request to DC asking for stored password hashes (Unicode Pwd
attribute), and this request is via MS-DRSR (Directory Replication Service
remote protocol) which is commonly used to data replication between DCs. We can
also specify in MIIS client of AAD Connect that with which DC, AAD agent needs
In response to that DC encrypt password hash
(MD4) with the MD5 hash of RPC session + salt and send the result to password
hash synchronization agent and salt over RPC, which will be decrypted by
password hash synchronization agent.
Once password hash synchronization agent
receives the encrypted envelope, it uses salt and MD5CryptoServiceProvider to
decrypt the envelope back to MD4 format. MD5 is only used to for replication
protocol compatibility between DC (Domain Controller) and password hash
synchronization agent, which means password hash synchronization agent never
stores or access the password in simple clear text format.
Password hash then perform few conversions to
protect the original hash value:
16-byte binary hash à 32-byte hexadecimal à 64-byte binary hash
(using UTF-16 encoding) à
add 10-byte length salt per user (to make it more secure).
Currently, the password hash is MD4 format.
Password hash synchronization agent then combines MD4 hash and user salt, and
put that value to PBKDF2 function ( Password based cryptography) in which 1000
iterations of HMAC-SHA256 (HMAC is hash-based authentication code and SHA256
is a hash function used in it) hashing algorithm are used.
Now, because of the above action password hash
synchronization agent is left with the result of 32-byte hash. Password hash
synchronization agent then combines (concatenate) the per user salt and number
of SHA256 iteration along with 32-byte hash in the form of a string, which is
transmitted from AAD Connect to Azure AD via TLS.
String will in the format of MD4+salt+PBKDF2+HMAC-SHA256.
Now, Azure AD has the on-premise password (hash
converted). Whenever the user attempts to sign in to Azure AD using his
username and password, the same process will run again which will return a
string (hash) value, and this string value will be matched with the hash string
already stored in Azure AD (which came from AAD Connect). If both the hash
string matches, the user will authenticate else authentication will fail.
Things to consider
Whenever the password hash synchronization is
enabled for the organization, the password complexity of on-premise AD will
override the password complexity of the cloud.
For all users who are in the scope of password
hash synchronization, by default, the account password is set to never expire
for cloud accounts
Account expires attribute of on-premise AD does
not sync to Azure AD, so even if the AD account is expired, the user will still
be able to login to Azure AD. If the administrator wants to set account expiry
for the cloud account, then it must be done manually using Set-AzureADUser
Password synchronization not working
On Office 365 admin portal if you see the error for password
sync not working, do not freak out as it can be resolved by following few easy
Verify that the service account created at the
time of AAD Connect installation should have 2 mandatory permissions, which are
replicate directory changes and replicate directory changes all.
If above permissions are assigned, then we have
triggered the password sync forcefully as well by running the below PowerShell
script on primary AAD Connect server: