It all started when I was designing a hybrid project for one of my clients, where I was supposed to plan for single sign-on, and a feature added to the DirSync tool a long time back called “Enable Password Synchronization” came to mind.
I was planning to use ADFS for single sign-on, but soon realized I could use this DirSync feature instead and minimize the complexity and cost of implementing ADFS on-premises.
Below are some important points to look at and consider while you design for SSO, as they helped me focus.
- Make sure you have at least the Office 365 Midsize Business subscription plan to integrate on-premises AD with Azure AD in the cloud.
- The DirSync tool version must be at least 6382.0000 to sync passwords from on-premises AD to Azure AD in the cloud.
- Make sure you have enabled the DirSync feature in the portal first, before enabling the password sync feature on-premises in the DirSync tool.
- Network connectivity and credentials with the appropriate permissions are required to sync passwords from on-premises to Azure AD using the DirSync tool.
Important points to note:
- Additional security is applied to the hash value of the password (the clear-text password itself is never sent) before it leaves on-premises and is synchronized to Azure AD in the cloud.
- Password sync is one way, from on-premises to Azure AD in the cloud, and cannot be reversed, except for the write-back attribute with the help of the two-way synchronization feature.
- Password synchronization runs on a different frequency from the regular AD object replication (which can be scheduled) from on-premises to Azure AD, and each sync overwrites the password in the cloud.
- All users’ passwords are synchronized to Azure AD using the DirSync tool; you cannot explicitly choose which users’ passwords to synchronize.
How it works:
So what actually happens when you change a user's password on-premises with the DirSync tool installed and password sync enabled?
- You change the user's password.
- The password sync feature detects the change and synchronizes the changed password within a minute.
- If the password sync was not successful due to connectivity (or any other) issues, the sync feature will automatically retry for the same user.
- If there is any error during synchronization, it will log an event ID so that we can troubleshoot further and find out why it failed.
- Once the password is successfully synced to Azure AD, online users will be able to log in to their mailboxes without any issues, and the experience is seamless because both the on-premises AD and Azure AD hold a single set of credentials.
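As an added example (my own check, not something that ships with DirSync), here is a PowerShell script you can run on the DirSync server right after a test password change to confirm the steps above: it reads the user's pwdLastSet from on-premises AD, pulls the password sync events from the Application log, and reports the lag between the change and the sync result. The provider name “Directory Synchronization” and event IDs 656 (request) / 657 (result) are assumptions taken from Microsoft's password sync documentation; verify them against your own event log before relying on the script.

```powershell
# Added example, not part of the original post.
# Assumptions: RSAT ActiveDirectory module present on the DirSync server,
# password sync events come from provider 'Directory Synchronization' with
# IDs 656 (change request) and 657 (change result). Verify these locally.
param(
    [Parameter(Mandatory)] [string] $SamAccountName,
    [int] $LookbackMinutes = 10
)

Import-Module ActiveDirectory

# pwdLastSet is a FILETIME; convert it so we can compare it with event timestamps.
$user = Get-ADUser -Identity $SamAccountName -Properties pwdLastSet
$pwdLastSet = [DateTime]::FromFileTime($user.pwdLastSet)
Write-Host "pwdLastSet for $SamAccountName : $pwdLastSet"

# Match the event text on any identifier the sync engine might use for this user.
$idPattern = ($SamAccountName, $user.UserPrincipalName, $user.DistinguishedName |
    Where-Object { $_ } | ForEach-Object { [regex]::Escape($_) }) -join '|'

$filter = @{
    LogName      = 'Application'
    ProviderName = 'Directory Synchronization'   # assumed provider name
    Id           = 656, 657                      # assumed request/result IDs
    StartTime    = $pwdLastSet.AddMinutes(-$LookbackMinutes)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $idPattern } |
    Sort-Object TimeCreated

if (-not $events) {
    Write-Warning "No password sync events for $SamAccountName since $($filter.StartTime)."
    Write-Warning "Check that password sync is enabled and the sync service is running."
    return
}

foreach ($e in $events) {
    $kind = if ($e.Id -eq 656) { 'request' } else { 'result ' }
    $lag  = [math]::Round(($e.TimeCreated - $pwdLastSet).TotalSeconds)
    $firstLine = ($e.Message -split "`r?`n")[0]
    Write-Host ("{0}  {1}  +{2}s  {3}" -f $e.TimeCreated, $kind, $lag, $firstLine)
}

# The post says the change should be picked up within a minute; flag it if it was not.
$lastResult = $events | Where-Object Id -eq 657 | Select-Object -Last 1
if (-not $lastResult) {
    Write-Warning "A request was logged but no result yet; DirSync will retry automatically."
} elseif (($lastResult.TimeCreated - $pwdLastSet).TotalSeconds -gt 60) {
    Write-Warning "Sync result arrived more than 60s after the change; investigate the details."
}
```

Run it as `.\Check-PasswordSync.ps1 -SamAccountName jdoe` a minute or two after resetting the test account's password; the event details of the last 657 entry are where you start troubleshooting a failed sync.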
Hope it was informative.