Password Hash Sync – You Already Trust Microsoft with Your Data so Why not Trust Them with the Authentication as Well?

Many organizations still use AD FS to federate with Azure AD and the Microsoft cloud services, even though Microsoft has recommended moving to a more modern authentication approach for some time now. Until passwords are all gone we need to manage them, and I will explain why Password Hash Sync is the way to go.


Basically, there are four ways to do it, sorted here from on-prem to cloud only.

AD FS requires multiple on-prem servers configured for failover, backup, certificates, and more. If AD FS breaks you need to bring in a ninja AD FS consultant who can understand the complicated language of AD FS logs and error messages and then do something about it.

The opposite is to live only in the cloud, store your passwords only in the cloud and authenticate only to the cloud. This removes the on-prem dependency and you only have to manage the password in Azure AD.

However, most organizations still depend on some on-prem services, and that's where PTA (Pass-Through Authentication) and PHS (Password Hash Synchronization) come in. PTA uses on-prem agents to fetch user authentications from a queue in Azure AD. No inbound connections are ever established, only outbound from on-prem, and this makes the solution more secure than AD FS. You still depend on your local internet connection, but the authentication itself is made from local agents towards local domain controllers, and this is important to many organizations. They want everything in local log files.

Okay, but you already trust Microsoft with your data, so why not trust them with the authentication as well? This is where PHS comes in. Your Azure AD Connect server, which already sits there and synchronizes your users and devices, can also sync passwords to the cloud. Well, actually the hash of a password hash is synced over HTTPS, and the whole thing is extremely secure.

Read more on how it works here.
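To make the "hash of a password hash" concrete, here is an added Python illustration (not code from the original post or from Azure AD Connect) following the steps Microsoft documents for PHS: the on-prem NT hash (MD4 over the UTF-16LE password) is expanded to 64 bytes, given a 10-byte per-user salt and run through 1000 rounds of PBKDF2-HMAC-SHA256 before anything is sent. The hex case used in the expansion and the record layout in `phs_protect` are assumptions; Azure AD's real storage format is not public.

```python
import hashlib
import hmac
import struct
M = 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); OpenSSL 3 builds of hashlib often lack md4."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda x, n: (((x & M) << n) | ((x & M) >> (32 - n))) & M
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        A, B, C, D = a, b, c, d
        for i in range(16):  # round 1: message words in order
            A, B, C, D = D, rol(A + F(B, C, D) + X[i], (3, 7, 11, 19)[i % 4]), B, C
        for i in range(16):  # round 2: words 0,4,8,12,1,5,...
            A, B, C, D = D, rol(A + G(B, C, D) + X[(i % 4) * 4 + i // 4] + 0x5A827999, (3, 5, 9, 13)[i % 4]), B, C
        for i in range(16):  # round 3: bit-reversed word order
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            A, B, C, D = D, rol(A + H(B, C, D) + X[k] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4]), B, C
        a, b, c, d = (a + A) & M, (b + B) & M, (c + C) & M, (d + D) & M
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password: str) -> bytes:
    """The hash AD stores and Azure AD Connect reads: MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))

def phs_protect(nt: bytes, salt: bytes, iterations: int = 1000) -> bytes:
    """Documented PHS transform: NT hash -> 32 hex chars -> UTF-16LE (64 bytes), plus a
    10-byte per-user salt, through PBKDF2-HMAC-SHA256 x1000. Lowercase hex and the
    digest||salt||iterations record layout below are assumptions, not Microsoft's format."""
    assert len(nt) == 16 and len(salt) == 10
    expanded = nt.hex().encode("utf-16-le")
    digest = hashlib.pbkdf2_hmac("sha256", expanded, salt, iterations, dklen=32)
    return digest + salt + struct.pack("<I", iterations)  # only this value leaves the network

def phs_verify(password: str, record: bytes) -> bool:
    """Cloud-side check: recompute from the presented password and compare in constant time."""
    salt, iterations = record[32:42], struct.unpack("<I", record[42:46])[0]
    return hmac.compare_digest(phs_protect(nt_hash(password), salt, iterations), record)

if __name__ == "__main__":
    salt = bytes(range(10))  # constructed per-user salt; AD Connect generates a random one
    record = phs_protect(nt_hash("Password123!"), salt)
    print("NT hash (stays on-prem):", nt_hash("Password123!").hex())
    print("synced record:          ", record.hex())
    print("verify:", phs_verify("Password123!", record), phs_verify("Password123", record))
```

The synced record contains neither the password nor the NT hash, so it cannot be replayed against the on-prem domain; the cloud can only confirm a password by redoing the same salted, iterated computation.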

The important thing with PHS is that you can still use your local AD to manage users and passwords, but you cut the dependency on local infrastructure at the moment the authentication happens. Your users will still reach cloud services even if your local internet connection goes down. You won't need to manage AD FS servers, and instead you get password management as a service, just like the rest of your cloud stuff.

As a bonus you can switch on password writeback and let your users use services like Self-Service Password Reset in the cloud. This in turn opens the door to Azure AD Password Protection, which blocks weak (read: stupid) passwords like Password123!

I believe that all organisations should think again about how they authenticate to the Microsoft cloud, pick a modern alternative, and then focus their energy on more important stuff than password management. Passwords are going away anyway.

Please follow me here, on LinkedIn and on Twitter.
