Az - PHS - Password Hash Sync

👉 Overview

👀 What?

Password Hash Sync (PHS) is a feature of Azure AD Connect that synchronizes hash values of user passwords from on-premises Active Directory to Azure AD. Instead of actual passwords, only a hash of the hash of the user's password is synchronized. This is a security measure: even if the synchronized data is compromised in transit or at rest, the plaintext password cannot be recovered from the synced hash.

🧐 Why?

PHS is important because it lets users sign in with the same username and password they use on-premises, without sending actual password data to the cloud. This simplifies the user experience while maintaining security. For businesses, it means they can keep their existing Active Directory infrastructure while benefiting from the features of Azure AD.

⛏️ How?

To implement PHS, install Azure AD Connect and select 'Password Hash Synchronization' as the sign-in method during configuration. Ensure that the account used has sufficient permissions to read password hashes from the on-premises AD. Once set up, the feature synchronizes password hashes whenever a password is changed or a new user is added.

⏳ When?

The usage of PHS began with the introduction of Azure AD Connect. It has since become a widely used feature for businesses transitioning to or integrating with Azure cloud services.

⚙️ Technical Explanations

In PHS, a SHA256 hash of the user's Unicode password is calculated, and that hash is then hashed again with a per-user salt. The resulting salted hash is what is synchronized to Azure AD; the password itself and the first-stage hash are not. During sign-in, the entered password goes through the same two steps, and access is granted only if the result matches the stored hash. The actual password therefore never leaves the on-premises AD, while users still get a seamless sign-in experience.
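The two-stage scheme described above, modelled in Python as an added illustration (this is not code from the page or from Azure AD Connect). The UTF-16-LE encoding of the "Unicode password", PBKDF2-HMAC-SHA256 with 1000 iterations as the salted second stage, and the 10-byte salt length are assumptions chosen for illustration, not the connector's actual parameters; the sample users are constructed.

```python
import hashlib
import hmac
import os

# Model of the PHS pipeline: hash the Unicode password, then re-hash that
# digest with a per-user salt. Only the salted result and the salt are
# "synchronized"; neither the password nor the first-stage hash is stored.

def first_stage_hash(password: str) -> bytes:
    """Stage 1: SHA256 of the Unicode password (UTF-16-LE assumed here)."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def second_stage_hash(stage1: bytes, salt: bytes, iterations: int = 1000) -> bytes:
    """Stage 2: hash the first-stage digest again with a per-user salt.
    PBKDF2-HMAC-SHA256 with 1000 iterations is an assumption for illustration."""
    return hashlib.pbkdf2_hmac("sha256", stage1, salt, iterations)

def build_sync_record(username: str, password: str) -> dict:
    """What the connector would send to the cloud for one user: the hash of
    the hash plus the salt needed to recompute it (10-byte salt assumed)."""
    salt = os.urandom(10)
    synced = second_stage_hash(first_stage_hash(password), salt)
    return {"user": username, "salt": salt.hex(), "hash": synced.hex()}

def verify(record: dict, candidate: str) -> bool:
    """Cloud-side sign-in: run the candidate through the same two stages and
    compare against the stored value in constant time."""
    expected = bytes.fromhex(record["hash"])
    salt = bytes.fromhex(record["salt"])
    actual = second_stage_hash(first_stage_hash(candidate), salt)
    return hmac.compare_digest(expected, actual)

def same_password_distinct_hashes(password: str) -> bool:
    """Shows why the salt is per user: two constructed users sharing a password
    still sync different values, so a leaked store reveals no shared passwords."""
    alice = build_sync_record("alice", password)
    bob = build_sync_record("bob", password)
    return alice["hash"] != bob["hash"]

if __name__ == "__main__":
    rec = build_sync_record("alice", "Winter2024!")  # constructed sample user
    print("synced record:", rec)
    print("correct password accepted:", verify(rec, "Winter2024!"))
    print("wrong password rejected:", not verify(rec, "winter2024!"))
```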
