Tutorial / Cram Notes
With PHS, when a user changes their password in the on-premises AD, the new password hash – actually a hash of the hash – is synchronized to Azure AD. This lets users keep the same password on-premises and in the cloud, simplifying sign-in, without the actual password ever being stored in Azure AD.
How Password Hash Synchronization Works
When a user password is changed or reset on-premises, the following steps occur:
- The on-premises Active Directory hashes the user’s password multiple times with the SHA256 algorithm.
- The resulting hash is then encrypted with a key that only Azure AD knows.
- The encrypted package is sent to Azure AD through the Azure AD Connect tool.
- Azure AD decrypts the package, rehashes it, and stores this rehashed version.
Prerequisites for Implementing PHS
Before setting up PHS, you must have:
- An on-premises Active Directory.
- Azure AD Connect installed and configured to synchronize your directories.
- Proper permissions to manage Azure AD Connect and your on-premises AD.
Steps to Implement PHS
To activate Password Hash Synchronization:
- Launch Azure AD Connect, and in the tasks options, select “Customize synchronization options.”
- Sign in with Azure AD global administrator credentials.
- In the Optional Features screen, select “Password hash synchronization” and continue through the wizard.
Once this is set up, PHS runs approximately every 2 minutes, and any password changes in your on-premises AD are synchronized to Azure AD.
Managing PHS
Managing PHS primarily involves monitoring through Azure AD Connect Health, which reports synchronization activities and provides alerts for any operational issues. You can also force a full synchronization if there are issues or inconsistencies in user passwords between the two environments.
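The monitoring and forced-synchronization tasks described above can also be done from the Azure AD Connect server itself. The following PowerShell health check is an added example, not code from this page or from Microsoft; it uses the ADSync module's cmdlets, and the two connector names are placeholders that you must replace with the exact names shown by `Get-ADSyncConnector`.

```powershell
# Added example (not from the page or from Microsoft): a PHS health check run as an
# administrator on the Azure AD Connect server. Connector names below are placeholders.
Import-Module ADSync

# Connector names are case-sensitive; copy them from (Get-ADSyncConnector).Name.
$adConnector    = 'contoso.local'                   # placeholder: your on-premises AD connector
$forceFullCycle = $false                            # set to $true only when a full resync is needed

# 1. Scheduler state: if the cycle is disabled, stuck, or the server is in staging mode,
#    nothing is exported to Azure AD, PHS included.
$sched = Get-ADSyncScheduler
"Sync cycle enabled : $($sched.SyncCycleEnabled)"
"Staging mode       : $($sched.StagingModeEnabled)"
"Cycle in progress  : $($sched.SyncCycleInProgress)"
"Next cycle (UTC)   : $($sched.NextSyncCycleStartTimeInUTC)"

# 2. Is password hash synchronization actually enabled for this AD connector?
$phs = Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector
"PHS enabled        : $($phs.Enabled)"

# 3. Built-in diagnostics for PHS: connectivity, permissions and recent sync events.
Invoke-ADSyncDiagnostics -PasswordSync

# 4. When hashes look inconsistent between the two directories, run a full cycle
#    (Initial = full import + full sync) instead of the usual Delta cycle. Expect a
#    long run on large directories, so keep this behind an explicit switch.
if ($forceFullCycle) {
    Start-ADSyncSyncCycle -PolicyType Initial
} else {
    "Full cycle not requested; a routine delta cycle runs on the scheduler interval."
}
```

Note that the interval reported by `Get-ADSyncScheduler` is the attribute synchronization cycle (30 minutes by default); password hash synchronization runs on its own cadence of roughly two minutes, as the section above states, so a 30-minute scheduler interval is not a sign that PHS is slow. Azure AD Connect Health gives the portal-side view of the same activity and raises the alerts the paragraph above mentions.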
Security Considerations for PHS
Although PHS does synchronize password hashes, Azure AD never stores users’ clear-text passwords. Also, the synchronized hash cannot be used to authenticate against the on-premises Active Directory: it undergoes multiple hash transformations that make it different from the hash stored in on-premises AD.
It is generally recommended to enable Multi-Factor Authentication (MFA) for additional security, as PHS alone does not prevent all types of password-based attacks.
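To make the "hash of a hash" idea concrete, here is an added PowerShell model of the transformation chain described under "How Password Hash Synchronization Works" and in the security-considerations paragraph above. It is illustrative code, not the page's own and not Microsoft's implementation: the stand-in for the directory's stored hash (SHA-256 over the UTF-16LE password), the 10-byte per-user salt and the 1,000 PBKDF2 iterations are assumptions chosen for the demonstration, since the real agent's parameters are not given on this page. What it shows is that the cloud-side value is derived from the existing hash rather than the password, differs from the on-premises hash, and is verified by recomputing the whole chain from a sign-in attempt.

```powershell
# Added illustrative model of the PHS transformation chain; not Microsoft's implementation.
# Every parameter here (stand-in hash, salt length, iteration count) is a constructed assumption.

function Get-OnPremHash {
    param([Parameter(Mandatory)][string]$Password)
    # Stand-in for the hash the on-premises directory keeps (assumption: SHA-256 over UTF-16LE).
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($Password)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { return ,$sha.ComputeHash($bytes) } finally { $sha.Dispose() }
}

function New-PerUserSalt {
    # A random salt per user, so two users with the same password get different cloud hashes.
    $salt = [byte[]]::new(10)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($salt) } finally { $rng.Dispose() }
    return ,$salt
}

function Get-CloudHash {
    param(
        [Parameter(Mandatory)][byte[]]$OnPremHash,
        [Parameter(Mandatory)][byte[]]$Salt,
        [int]$Iterations = 1000
    )
    # The agent works from the existing hash, never the clear-text password: the hash is
    # re-hashed many times (PBKDF2 with HMAC-SHA256 here) together with the per-user salt.
    $hex = [System.BitConverter]::ToString($OnPremHash).Replace('-', '').ToLower()
    $material = [System.Text.Encoding]::ASCII.GetBytes($hex)
    $kdf = [System.Security.Cryptography.Rfc2898DeriveBytes]::new($material, $Salt, $Iterations, [System.Security.Cryptography.HashAlgorithmName]::SHA256)
    try { return ,$kdf.GetBytes(32) } finally { $kdf.Dispose() }
}

function Test-CloudPassword {
    param(
        [Parameter(Mandatory)][string]$Attempt,
        [Parameter(Mandatory)][byte[]]$Salt,
        [Parameter(Mandatory)][byte[]]$StoredCloudHash
    )
    # Cloud-side verification: rerun the whole chain on the attempt and compare the result.
    $candidate = Get-CloudHash -OnPremHash (Get-OnPremHash -Password $Attempt) -Salt $Salt
    return ([System.BitConverter]::ToString($candidate) -eq [System.BitConverter]::ToString($StoredCloudHash))
}

# --- Demonstration with a constructed sample password ---
$password = 'Example-Passw0rd!'
$onPrem   = Get-OnPremHash -Password $password
$salt     = New-PerUserSalt
$cloud    = Get-CloudHash -OnPremHash $onPrem -Salt $salt

"On-prem hash    : " + [System.BitConverter]::ToString($onPrem)
"Cloud hash      : " + [System.BitConverter]::ToString($cloud)
# The two values differ, so the cloud copy is not a credential the on-premises directory accepts.
"Identical?      : " + ([System.BitConverter]::ToString($onPrem) -eq [System.BitConverter]::ToString($cloud))
"Correct attempt : " + (Test-CloudPassword -Attempt $password -Salt $salt -StoredCloudHash $cloud)
"Wrong attempt   : " + (Test-CloudPassword -Attempt 'not-the-password' -Salt $salt -StoredCloudHash $cloud)
```

The string comparison in `Test-CloudPassword` is fine for a model but is not constant-time; a production verifier would use a fixed-time byte comparison. The salt and iteration count are what make the stored cloud value slow to reverse even if it were exposed, which is the property the security-considerations paragraph relies on.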
Considerations When Choosing PHS
When deciding between PHS and other sign-in options such as Pass-through Authentication (PTA) or Federated Authentication, consider the following:
| Feature | PHS | PTA | Federated Authentication |
|---|---|---|---|
| On-premises AD infrastructure | Low | Medium | High |
| Maintenance | Low | Medium | High |
| User experience | Same password | Same password | Same password |
| Accessibility from extranet | Yes | Yes | Yes (with additional setup) |
| Azure AD Connect | Required | Required | Required |
| Additional infrastructure | No | Yes | Yes |
| Real-time password validation | No | Yes | Yes |
PHS is often preferred when simplicity and ease of management are priorities, as it does not require as much infrastructure and maintenance as the other options.
Remember, as an Identity and Access Administrator preparing for the SC-300 exam, you should not only understand how to implement and manage PHS, but also be able to compare it with other authentication methods and make the right choice based on the specific requirements of your organization.
Practice Test with Explanation
True or False: Password Hash Synchronization (PHS) allows for on-premises passwords to be synchronized to Azure AD.
Answer: True
PHS is a feature that synchronizes the hash of a user’s on-premises AD password with Azure AD, allowing for a common credential to be used.
Which of the following are prerequisites for implementing PHS? (Select all that apply)
- A) Azure AD Connect must be installed
- B) An Azure AD Premium license
- C) An on-premises Active Directory
- D) A virtual private network (VPN) connection to Azure
Answer: A, C
Azure AD Connect must be installed to sync the hashes, and an on-premises Active Directory is necessary as the source of the passwords. An Azure AD Premium license and a VPN are not specific prerequisites for PHS.
True or False: Through Password Hash Synchronization, the actual user passwords are sent directly to Azure AD.
Answer: False
Only a hash of the password’s hash is synchronized to Azure AD, not the actual passwords.
How often does Azure AD Connect synchronize password hashes by default?
- A) Every 30 seconds
- B) Every 2 minutes
- C) Every 5 minutes
- D) Every 15 minutes
Answer: B
By default, Azure AD Connect will synchronize password hashes every 2 minutes.
True or False: If Password Hash Synchronization is enabled, users must change their password on-premises for the new hash to sync to Azure AD.
Answer: False
Password hashes are automatically synchronized to Azure AD irrespective of whether a user changes their password or not.
When Password Hash Synchronization is enabled, what happens if Azure AD Connect service is disrupted?
- A) Users cannot authenticate to either on-premises or Azure AD
- B) Users cannot authenticate to Azure AD, but can authenticate to on-premises AD
- C) Authentication for Azure AD and on-premises AD is not affected
- D) None of the above
Answer: B
If the Azure AD Connect service is disrupted, password hash synchronization to Azure AD pauses, affecting users’ ability to authenticate to Azure AD. Authentication to on-premises AD, however, still works.
True or False: Password writeback is a feature that can be enabled along with Password Hash Synchronization to allow password changes made in Azure AD to be written back to on-premises AD.
Answer: True
Password writeback is a feature that can be enabled which allows passwords changed or reset in Azure AD to be written back to the on-premises AD.
In PHS, how is the synchronization of a password hash triggered after a password change on-premises?
- A) Manually by an administrator
- B) Automatically with Azure AD Connect
- C) Using a PowerShell script
- D) At the next scheduled sync time
Answer: B
The synchronization of a new password hash after a password change is automatically done by Azure AD Connect without manual intervention.
True or False: Password Hash Synchronization is not compatible with multi-factor authentication setups.
Answer: False
Password Hash Synchronization is compatible with multi-factor authentication setups.
Which of the following does Azure AD use to protect password hashes in transit during PHS?
- A) SSL encryption
- B) Kerberos
- C) AES encryption
- D) Plain text transmission
Answer: A
Azure AD uses SSL encryption to protect the password hashes in transit during Password Hash Synchronization.
True or False: After enabling Password Hash Synchronization, it immediately forces a password hash sync for all users.
Answer: False
Enabling PHS doesn’t immediately force a password hash sync for all users; instead, the hashes are synchronized during the next sync cycle.
When Password Hash Synchronization is enabled, which of the following attributes are synchronized to Azure AD?
- A) Username and password hash only
- B) Password hash and security group memberships
- C) Password hash, security group memberships, and other AD attributes
- D) All attributes including password hashes and any custom attributes
Answer: C
When PHS is enabled, the password hash, security group memberships, and other selected AD attributes specified in Azure AD Connect are synchronized.
Interview Questions
What is Password Hash Synchronization (PHS)?
Password Hash Synchronization (PHS) is a feature of Azure Active Directory (Azure AD) that synchronizes a hash of the on-premises user password to the cloud-based user account.
What are the benefits of using PHS?
The benefits of using PHS include users being able to use the same password to sign in to on-premises and cloud-based applications and simplified identity management for IT administrators.
What is the first step to implement PHS?
The first step to implement PHS is to verify that your on-premises environment is compatible with Azure AD Connect.
What is the second step to implement PHS?
The second step to implement PHS is to install and configure Azure AD Connect on your on-premises environment.
What is the third step to implement PHS?
The third step to implement PHS is to enable Password Hash Synchronization (PHS) in Azure AD Connect.
How can you manage Password Hash Synchronization (PHS)?
To manage Password Hash Synchronization (PHS), you can monitor the synchronization status in Azure AD Connect, verify that synchronization is occurring as expected, and monitor and respond to any synchronization errors.
How can you troubleshoot PHS issues?
To troubleshoot PHS issues, you can check the synchronization status in Azure AD Connect, verify that the on-premises user password is correct, verify that the user account is not locked out or disabled, and verify that the user account is properly licensed for Azure AD.
What is multi-factor authentication and how can it be used with PHS?
Multi-factor authentication is a security feature that requires users to provide two or more forms of identification to access an account. It can be used with PHS for increased security.
How can you ensure that synchronization settings are up-to-date in Azure AD Connect?
You can regularly review and update the synchronization settings in Azure AD Connect to ensure they are up to date.
What is the difference between PHS and Pass-through Authentication (PTA)?
PHS synchronizes password hashes to the cloud-based user account, while PTA allows users to sign in to cloud-based applications using their on-premises passwords without storing any passwords in the cloud.
Can PHS be used with on-premises Active Directory (AD)?
Yes, PHS can be used with on-premises AD to synchronize password hashes to Azure AD.
Can PHS be used with all versions of Azure AD?
No, PHS is available in the basic and premium editions of Azure AD.
Can PHS be used with Windows Server 2019?
Yes, PHS can be used with Windows Server 2019.
How often does PHS synchronize password hashes to Azure AD?
By default, PHS synchronizes password hashes to Azure AD every two minutes.
Is it possible to disable PHS after it has been enabled?
Yes, it is possible to disable PHS after it has been enabled by modifying the synchronization settings in Azure AD Connect.
This blog post on implementing and managing Password Hash Synchronization (PHS) was super helpful. Thanks!
Could someone explain how PHS impacts the Azure AD Connect deployment?
What should I do if password hash synchronization is failing continuously?
This is a very technical topic, and the post made it easy to understand. Much appreciated!
Can PHS work with multi-forest environments?
Is it necessary to have password write-back enabled for PHS to work?
Excellent breakdown of the process! Thanks for sharing.
How often does the password hash synchronization occur?