#Azure #Security
>[!warning]
>The outlined method might not work as expected. Thoroughly review and understand the instructions and implications before implementing.
---
## Solution Overview
Hey, here's a straightforward guide to ensuring security during password synchronization from on-premises Active Directory (AD) to Microsoft Entra ID. Let’s keep it simple and secure. ⚡️
### Key Cmdlet
```powershell
# Run on the Microsoft Entra Connect server; the cmdlet comes from the ADSync module.
Import-Module ADSync
Set-ADSyncAADCompanyFeature -ForcePasswordChangeOnLogon $true
```
This cmdlet turns on the force-password-change feature, so affected users must change their password the next time they sign in. It's critical for security hygiene.
---
## Password Hash Synchronization
### How It Works
- **Frequency:** Password hashes sync every 2 minutes.
- **Security:** Plaintext passwords aren’t exposed—only hashed values are synchronized.
### Synchronization Process
1. **Request:** The password hash synchronization agent asks a domain controller (DC) for the stored password hashes (the `unicodePwd` attribute).
2. **Encryption:** The DC encrypts the MD4 password hash using an MD5 hash of the RPC session key and a salt.
3. **Transport:** The encrypted data is sent to the sync agent over RPC.
4. **Decryption:** The sync agent decrypts it back to the MD4 hash, adds a per-user salt, then runs it through PBKDF2 with HMAC-SHA256.
5. **Transmission:** The resulting hash, together with the salt and iteration count, is sent to Microsoft Entra ID over TLS.
6. **Validation:** When the user signs in, the entered password goes through the same hashing process and the result is compared against the hash stored in Microsoft Entra ID.
### Advantages
- **Simplicity:** Easier setup compared to federation services.
- **Resiliency:** Acts as a fallback if federation services go down.
---
## Security Considerations
- **Encrypted Sync:** Plaintext passwords aren’t exposed during synchronization.
- **Enhanced Security:** Because Microsoft Entra ID stores only the salted PBKDF2 hash rather than the original MD4 hash, it significantly reduces the risk of pass-the-hash attacks.
---
## Password Policy Considerations
Here's what you need to know about managing password policies:
### Complexity and Expiration
- **On-Premises Rules:** On-premises AD policies override cloud policies for synced users.
- **Default Setting:** Cloud account passwords default to “Never Expire” for synchronized users.
### Enforce Cloud Password Policies
You can enable cloud password policies for synced users:
```powershell
# Requires the Microsoft Graph PowerShell SDK and the
# OnPremDirectorySynchronization.ReadWrite.All permission.
Connect-MgGraph -Scopes 'OnPremDirectorySynchronization.ReadWrite.All'

# Read the current sync configuration, flip the feature flag, and write it back.
$OnPremSync = Get-MgDirectoryOnPremiseSynchronization
$OnPremSync.Features.CloudPasswordPolicyForPasswordSyncedUsersEnabled = $true
Update-MgDirectoryOnPremiseSynchronization `
    -OnPremisesDirectorySynchronizationId $OnPremSync.Id `
    -Features $OnPremSync.Features
```
### Temporary Passwords & Forced Password Changes
Enable this feature to support temporary passwords and forced password changes for synced users:
```powershell
# Requires the Microsoft Graph PowerShell SDK and the
# OnPremDirectorySynchronization.ReadWrite.All permission.
Connect-MgGraph -Scopes 'OnPremDirectorySynchronization.ReadWrite.All'

# Read the current sync configuration, flip the feature flag, and write it back.
$OnPremSync = Get-MgDirectoryOnPremiseSynchronization
$OnPremSync.Features.UserForcePasswordChangeOnLogonEnabled = $true
Update-MgDirectoryOnPremiseSynchronization `
    -OnPremisesDirectorySynchronizationId $OnPremSync.Id `
    -Features $OnPremSync.Features
```
**Note:** Ensure Self-Service Password Reset (SSPR) and Password Writeback are enabled to prevent lockouts.
### Account Expiration
Since the `accountExpires` attribute isn't synced, an account that has expired on-premises is not automatically blocked in the cloud. Schedule a PowerShell script that handles account expirations on-premises and updates AD accordingly (the account's enabled/disabled state is synced).
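As an added example (not part of the original note or of Microsoft's tooling), here is a script you could run as a scheduled task: it finds enabled on-premises users whose expiration date has passed and disables them, so the disabled state flows to Microsoft Entra ID. It assumes the RSAT `ActiveDirectory` module, an account permitted to disable users, and a hypothetical search base of `OU=Staff,DC=corp,DC=example`.

```powershell
<#
  Added example: disable on-premises AD users whose accountExpires date has passed.
  accountExpires itself is not synchronized, but the resulting "disabled" state is.
  Assumes the RSAT ActiveDirectory module and a hypothetical OU as the search base.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$SearchBase = 'OU=Staff,DC=corp,DC=example',          # hypothetical OU
    [string]$LogPath    = "$env:ProgramData\ExpiredAccountCleanup.log"
)

Import-Module ActiveDirectory

# Search-ADAccount -AccountExpired evaluates accountExpires on the DC, which also
# treats the "never expires" values (0 and 0x7FFFFFFFFFFFFFFF) correctly.
$expired = Search-ADAccount -AccountExpired -UsersOnly -SearchBase $SearchBase |
    Where-Object { $_.Enabled }

if (-not $expired) {
    Write-Verbose 'No enabled, expired accounts found.'
    return
}

foreach ($account in $expired) {
    $msg = '{0} ({1}) expired {2:u}; disabling' -f $account.SamAccountName,
        $account.DistinguishedName, $account.AccountExpirationDate

    # Honors -WhatIf / -Confirm so the task can be dry-run before scheduling it.
    if ($PSCmdlet.ShouldProcess($account.DistinguishedName, 'Disable-ADAccount')) {
        Disable-ADAccount -Identity $account.DistinguishedName
        Add-Content -Path $LogPath -Value ("{0:u} {1}" -f (Get-Date), $msg)
    }
    Write-Verbose $msg
}
```

Run it once with `-WhatIf -Verbose` to review which accounts would be touched; the disabled state reaches Microsoft Entra ID on the next synchronization cycle.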
---
## Troubleshooting
If you hit a snag, check out Microsoft’s [Troubleshoot Password Hash Synchronization](https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/tshoot-connect-password-hash-synchronization) for help.
### FIPS Compatibility
On FIPS-enabled servers, adjust the config to allow MD5:
1. Navigate to `%programfiles%\Microsoft Azure AD Sync\Bin`.
2. Edit `miiserver.exe.config` to include:
```xml
<configuration>
    <runtime>
        <enforceFIPSPolicy enabled="false" />
    </runtime>
</configuration>
```
3. Save the changes and reboot the server.
---
**Best Practices:**
1. Test configurations in a controlled environment before rolling them out.
2. Monitor the synchronization logs and the Windows Event Viewer for issues.
3. Stay updated with Microsoft’s official documentation.
Stay safe and secure out there!