Implement password hash synchronization with Azure AD Connect sync - Microsoft Entra (2023)


This article provides information that you need to synchronize your user passwords from an on-premises Active Directory instance to a cloud-based Azure Active Directory (Azure AD) instance.

How password hash synchronization works

The Active Directory domain service stores passwords in the form of a hash value representation, of the actual user password. A hash value is a result of a one-way mathematical function (the hashing algorithm). There is no method to revert the result of a one-way function to the plain text version of a password.

To synchronize your password, Azure AD Connect sync extracts your password hash from the on-premises Active Directory instance. Extra security processing is applied to the password hash before it is synchronized to the Azure Active Directory authentication service. Passwords are synchronized on a per-user basis and in chronological order.

The actual data flow of the password hash synchronization process is similar to the synchronization of user data. However, passwords are synchronized more frequently than the standard directory synchronization window for other attributes. The password hash synchronization process runs every 2 minutes. You cannot modify the frequency of this process. When you synchronize a password, it overwrites the existing cloud password.

The first time you enable the password hash synchronization feature, it performs an initial synchronization of the passwords of all in-scope users. You cannot explicitly define a subset of user passwords that you want to synchronize. However, if there are multiple connectors, it is possible to disable password hash sync for some connectors but not others using the Set-ADSyncAADPasswordSyncConfiguration cmdlet.

When you change an on-premises password, the updated password is synchronized, most often in a matter of minutes. The password hash synchronization feature automatically retries failed synchronization attempts. If an error occurs during an attempt to synchronize a password, an error is logged in your event viewer.

The synchronization of a password has no impact on the user who is currently signed in. Your current cloud service session is not immediately affected by a synchronized password change that occurs while you are signed in to a cloud service. However, when the cloud service requires you to authenticate again, you need to provide your new password.

A user must enter their corporate credentials a second time to authenticate to Azure AD, regardless of whether they're signed in to their corporate network. This pattern can be minimized, however, if the user selects the Keep me signed in (KMSI) check box at sign-in. This selection sets a session cookie that bypasses authentication for 180 days. KMSI behavior can be enabled or disabled by the Azure AD administrator. In addition, you can reduce password prompts by turning on Seamless SSO, which automatically signs users in when they are on their corporate devices connected to your corporate network.


Password sync is only supported for the object type user in Active Directory. It is not supported for the iNetOrgPerson object type.

Detailed description of how password hash synchronization works

The following section describes, in-depth, how password hash synchronization works between Active Directory and Azure AD.

  1. Every two minutes, the password hash synchronization agent on the AD Connect server requests stored password hashes (the unicodePwd attribute) from a DC. This request is via the standard MS-DRSR replication protocol used to synchronize data between DCs. The service account must have Replicate Directory Changes and Replicate Directory Changes All AD permissions (granted by default on installation) to obtain the password hashes.
  2. Before sending, the DC encrypts the MD4 password hash by using a key that is an MD5 hash of the RPC session key and a salt. It then sends the result to the password hash synchronization agent over RPC. The DC also passes the salt to the synchronization agent by using the DC replication protocol, so the agent will be able to decrypt the envelope.
  3. After the password hash synchronization agent has the encrypted envelope, it uses MD5CryptoServiceProvider and the salt to generate a key to decrypt the received data back to its original MD4 format. The password hash synchronization agent never has access to the clear text password. The password hash synchronization agent’s use of MD5 is strictly for replication protocol compatibility with the DC, and it is only used on-premises between the DC and the password hash synchronization agent.
  4. The password hash synchronization agent expands the 16-byte binary password hash to 64 bytes by first converting the hash to a 32-byte hexadecimal string, then converting this string back into binary with UTF-16 encoding.
  5. The password hash synchronization agent adds a per user salt, consisting of a 10-byte length salt, to the 64-byte binary to further protect the original hash.
  6. The password hash synchronization agent then combines the MD4 hash plus the per user salt, and inputs it into the PBKDF2 function. 1000 iterations of the HMAC-SHA256 keyed hashing algorithm are used. For additional details, refer to the Azure AD Whitepaper.
  7. The password hash synchronization agent takes the resulting 32-byte hash, concatenates both the per user salt and the number of SHA256 iterations to it (for use by Azure AD), then transmits the string from Azure AD Connect to Azure AD over TLS.
  8. When a user attempts to sign in to Azure AD and enters their password, the password is run through the same MD4+salt+PBKDF2+HMAC-SHA256 process. If the resulting hash matches the hash stored in Azure AD, the user has entered the correct password and is authenticated.


The original MD4 hash is not transmitted to Azure AD. Instead, the SHA256 hash of the original MD4 hash is transmitted. As a result, if the hash stored in Azure AD is obtained, it cannot be used in an on-premises pass-the-hash attack.


Security considerations

When synchronizing passwords, the plain-text version of your password is not exposed to the password hash synchronization feature, to Azure AD, or any of the associated services.

User authentication takes place against Azure AD rather than against the organization's own Active Directory instance. The SHA256 password data stored in Azure AD (a hash of the original MD4 hash) is more secure than what is stored in Active Directory. Further, because this SHA256 hash cannot be decrypted, it cannot be brought back to the organization's Active Directory environment and presented as a valid user password in a pass-the-hash attack.

Password policy considerations

There are two types of password policies that are affected by enabling password hash synchronization:

  • Password complexity policy
  • Password expiration policy

Password complexity policy

When password hash synchronization is enabled, the password complexity policies in your on-premises Active Directory instance override complexity policies in the cloud for synchronized users. You can use all of the valid passwords from your on-premises Active Directory instance to access Azure AD services.


Passwords for users that are created directly in the cloud are still subject to password policies as defined in the cloud.

Password expiration policy

If a user is in the scope of password hash synchronization, by default the cloud account password is set to Never Expire.

You can continue to sign in to your cloud services by using a synchronized password that is expired in your on-premises environment. Your cloud password is updated the next time you change the password in the on-premises environment.


If there are synchronized users that only interact with Azure AD integrated services and must also comply with a password expiration policy, you can force them to comply with your Azure AD password expiration policy by enabling the EnforceCloudPasswordPolicyForPasswordSyncedUsers feature.

When EnforceCloudPasswordPolicyForPasswordSyncedUsers is disabled (which is the default setting), Azure AD Connect sets the PasswordPolicies attribute of synchronized users to "DisablePasswordExpiration". This is done every time a user's password is synchronized and instructs Azure AD to ignore the cloud password expiration policy for that user. You can check the value of the attribute using the Azure AD PowerShell module with the following command:

(Get-AzureADUser -objectID <User Object ID>).passwordpolicies

To enable the EnforceCloudPasswordPolicyForPasswordSyncedUsers feature, run the following command using the MSOnline PowerShell module. When prompted, type yes for the Enable parameter, as shown:

Set-MsolDirSyncFeature -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers
cmdlet Set-MsolDirSyncFeature at command pipeline position 1
Supply values for the following parameters:
Enable: yes

Confirm
Continue with this operation?
[Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): y

Once enabled, Azure AD does not go to each synchronized user to remove the DisablePasswordExpiration value from the PasswordPolicies attribute. Instead, the DisablePasswordExpiration value is removed from PasswordPolicies during the next password hash sync for each user, upon their next password change in on-premises AD.


After the EnforceCloudPasswordPolicyForPasswordSyncedUsers feature is enabled, new users are provisioned without a PasswordPolicies value.

It is recommended to enable EnforceCloudPasswordPolicyForPasswordSyncedUsers prior to enabling password hash sync, so that the initial sync of password hashes does not add the DisablePasswordExpiration value to the PasswordPolicies attribute for the users.

The default Azure AD password policy requires users to change their passwords every 90 days. If your policy in AD is also 90 days, the two policies should match. However, if the AD policy is not 90 days, you can update the Azure AD password policy to match by using the Set-MsolPasswordPolicy PowerShell command.

Azure AD supports a separate password expiration policy per registered domain.

Caveat: If there are synchronized accounts that need to have non-expiring passwords in Azure AD, you must explicitly add the DisablePasswordExpiration value to the PasswordPolicies attribute of the user object in Azure AD. You can do this by running the following command.

Set-AzureADUser -ObjectID <User Object ID> -PasswordPolicies "DisablePasswordExpiration"


For hybrid users that have a PasswordPolicies value set to DisablePasswordExpiration, this value switches to None after a password change is executed on-premises.


The Set-MsolPasswordPolicy PowerShell command will not work on federated domains.


The Set-AzureADUser PowerShell command will not work on federated domains.

Synchronizing temporary passwords and "Force Password Change on Next Logon"

It is typical to force a user to change their password during their first logon, especially after an admin password reset occurs. It is commonly known as setting a "temporary" password and is completed by checking the "User must change password at next logon" flag on a user object in Active Directory (AD).


The temporary password functionality helps to ensure that the transfer of ownership of the credential is completed on first use, to minimize the duration of time in which more than one individual has knowledge of that credential.

To support temporary passwords in Azure AD for synchronized users, you can enable the ForcePasswordChangeOnLogOn feature, by running the following command on your Azure AD Connect server:

Set-ADSyncAADCompanyFeature -ForcePasswordChangeOnLogOn $true


Forcing a user to change their password on next logon requires a password change at the same time. Azure AD Connect will not pick up the force password change flag by itself; it is supplemental to the detected password change that occurs during password hash sync.

If the user has the option "Password never expires" set in Active Directory (AD), the force password change flag will not be set in Active Directory (AD), so the user will not be prompted to change the password during the next sign-in.


You should only use this feature when SSPR and Password Writeback are enabled on the tenant. This is so that if a user changes their password via SSPR, it will be synchronized to Active Directory.

Account expiration

If your organization uses the accountExpires attribute as part of user account management, this attribute is not synchronized to Azure AD. As a result, an expired Active Directory account in an environment configured for password hash synchronization will still be active in Azure AD. We recommend using a scheduled PowerShell script that disables users' AD accounts, once they expire (use the Set-ADUser cmdlet). Conversely, during the process of removing the expiration from an AD account, the account should be re-enabled.

Overwrite synchronized passwords

An administrator can manually reset your password by using Windows PowerShell.

In this case, the new password overrides your synchronized password, and all password policies defined in the cloud are applied to the new password.

If you change your on-premises password again, the new password is synchronized to the cloud, and it overrides the manually updated password.

The synchronization of a password has no impact on the Azure user who is signed in. Your current cloud service session is not immediately affected by a synchronized password change that occurs while you're signed in to a cloud service. KMSI extends the duration of this difference. When the cloud service requires you to authenticate again, you need to provide your new password.

Additional advantages

  • Generally, password hash synchronization is simpler to implement than a federation service. It doesn't require any additional servers, and eliminates dependence on a highly available federation service to authenticate users.
  • Password hash synchronization can also be enabled in addition to federation. It may be used as a fallback if your federation service experiences an outage.

Password hash sync process for Azure AD Domain Services

If you use Azure AD Domain Services to provide legacy authentication for applications and services that need to use Kerberos, LDAP, or NTLM, some additional processes are part of the password hash synchronization flow. Azure AD Connect uses the following additional process to synchronize password hashes to Azure AD for use in Azure AD Domain Services:



Azure AD Connect should only be installed and configured for synchronization with on-premises AD DS environments. It's not supported to install Azure AD Connect in an Azure AD DS managed domain to synchronize objects back to Azure AD.

Azure AD Connect only synchronizes legacy password hashes when you enable Azure AD DS for your Azure AD tenant. The following steps aren't used if you only use Azure AD Connect to synchronize an on-premises AD DS environment with Azure AD.

If your legacy applications don't use NTLM authentication or LDAP simple binds, we recommend that you disable NTLM password hash synchronization for Azure AD DS. For more information, see Disable weak cipher suites and NTLM credential hash synchronization.

  1. Azure AD Connect retrieves the public key for the tenant's instance of Azure AD Domain Services.
  2. When a user changes their password, the on-premises domain controller stores the result of the password change (hashes) in two attributes:
    • unicodePwd for the NTLM password hash.
    • supplementalCredentials for the Kerberos password hash.
  3. Azure AD Connect detects password changes through the directory replication channel (attribute changes needing to replicate to other domain controllers).
  4. For each user whose password has changed, Azure AD Connect performs the following steps:
    • Generates a random AES 256-bit symmetric key.
    • Generates a random initialization vector needed for the first round of encryption.
    • Extracts Kerberos password hashes from the supplementalCredentials attributes.
    • Checks the Azure AD Domain Services security configuration SyncNtlmPasswords setting.
      • If this setting is disabled, generates a random, high-entropy NTLM hash (different from the user's password). This hash is then combined with the extracted Kerberos password hashes from the supplementalCredentials attribute into one data structure.
      • If enabled, combines the value of the unicodePwd attribute with the extracted Kerberos password hashes from the supplementalCredentials attribute into one data structure.
    • Encrypts the single data structure using the AES symmetric key.
    • Encrypts the AES symmetric key using the tenant's Azure AD Domain Services public key.
  5. Azure AD Connect transmits the encrypted AES symmetric key, the encrypted data structure containing the password hashes, and the initialization vector to Azure AD.
  6. Azure AD stores the encrypted AES symmetric key, the encrypted data structure, and the initialization vector for the user.
  7. Azure AD pushes the encrypted AES symmetric key, the encrypted data structure, and the initialization vector using an internal synchronization mechanism over an encrypted HTTP session to Azure AD Domain Services.
  8. Azure AD Domain Services retrieves the private key for the tenant's instance from Azure Key Vault.
  9. For each encrypted set of data (representing a single user's password change), Azure AD Domain Services then performs the following steps:
    • Uses its private key to decrypt the AES symmetric key.
    • Uses the AES symmetric key with the initialization vector to decrypt the encrypted data structure that contains the password hashes.
    • Writes the Kerberos password hashes it receives to the Azure AD Domain Services domain controller. The hashes are saved into the user object's supplementalCredentials attribute that is encrypted to the Azure AD Domain Services domain controller's public key.
    • Writes the NTLM password hash it received to the Azure AD Domain Services domain controller. The hash is saved into the user object's unicodePwd attribute that is encrypted to the Azure AD Domain Services domain controller's public key.

Enable password hash synchronization


If you are migrating from AD FS (or other federation technologies) to Password Hash Synchronization, we highly recommend that you follow our detailed deployment guide published here.

When you install Azure AD Connect by using the Express Settings option, password hash synchronization is automatically enabled. For more information, see Getting started with Azure AD Connect using express settings.

If you use custom settings when you install Azure AD Connect, password hash synchronization is available on the user sign-in page. For more information, see Custom installation of Azure AD Connect.


Password hash synchronization and FIPS

If your server has been locked down according to Federal Information Processing Standard (FIPS), then MD5 is disabled.

To enable MD5 for password hash synchronization, perform the following steps:

  1. Go to %programfiles%\Microsoft Azure AD Sync\Bin.
  2. Open miiserver.exe.config.
  3. Go to the configuration/runtime node at the end of the file.
  4. Add the following node: <enforceFIPSPolicy enabled="false"/>
  5. Save your changes.
  6. Reboot for the changes to take effect.

For reference, this snippet is what it should look like:

 <configuration>
   <runtime>
     <enforceFIPSPolicy enabled="false"/>
   </runtime>
 </configuration>

For information about security and FIPS, see Azure AD password hash sync, encryption, and FIPS compliance.

Troubleshoot password hash synchronization

If you have problems with password hash synchronization, see Troubleshoot password hash synchronization.

Article information

Author: Nicola Considine CPA

Last Updated: 01/25/2023
