In this series, I’ll be covering the Microsoft Secure Score improvement actions. Although Microsoft does a great job on telling you what to do, some actions have a much bigger impact and need to be balanced against business needs. Some actions might not even have value for your organization. In the end, Microsoft Secure Score is meant to strengthen your security, not a contest to reach the highest score possible. In this series, I’ll pick out random actions and try to make it as simple as possible, backed with notes from the field.
Articles in this series can be read separately since they are written at random order. The articles vary in case of impact and complexity and cover multiple categories. Here is a list of all the articles in this series:
01 – What is Microsoft Secure Score?
02 – Require MFA for administrative roles
03 – Enable Password Hash Sync if hybrid
04 – Ensure all users can complete multi-factor authentication for secure access
05 – Enable self-service password reset
06 – Enable policy to block legacy authentication
07 – Turn on sign-in risk policy
08 – Use Cloud App Security to detect anomalous behavior
09 – Do not allow users to grant consent to unmanaged applications
10 – Discover trends in shadow IT application usage
12 – Turn on customer lockbox feature
13 – Set automated notifications for new and trending cloud applications in your organization
14 – Designate more than one global admin
Enable Password Hash Sync if hybrid
Password hash synchronization is one of the sign-in methods used to accomplish a hybrid identity. Azure AD Connect synchronizes a hash, of the hash, of the user’s password from an on-premises Active Directory instance to a cloud-based Azure AD instance. Password hash synchronization helps by reducing the number of passwords your users need to maintain to just one. Enabling password hash synchronization also allows for leaked credential reporting.
In this blog post, we are going to take a look at Password Hash Sync. For readability, I will use “PHS” for the rest of the article.
So what’s the case here? This improvement action wants you to enable PHS if you are in a hybrid environment. Hybrid means that you have Azure AD Connect in place, so your on-premises Active Directory is synced to Azure Active Directory. Most companies with hybrid setups use federation or passthrough authentication, so the authentication part is handled on-premises. This has often to do with compliance and security requirements. Another sign-in method is PHS. In this case, the hash (of the hash) of the user’s password is synchronized with Aure Active Directory, and users authenticate directly to Azure Active Directory.
For the record, this does not mean that the password itself is being synchronized. The password hash is being encrypted in a very secure way and synced to the cloud afterward. I don’t want to go to much into detail here, but if you want to understand how this works exactly, take a look at this page, or watch this video.
If we talk about enabling PHS, there are roughly two options:
- Enable PHS on top of your current authentication method. (ADFS or Pass-Trough Authentication for example)
- Move away from your current authentication method to PSH.
Enabling PHS will give you two advantages right away:
- Azure Active Directory can detect if your user’s credentials are leaked. You can set-up remediation policies so your compromised accounts have to reset their passwords. Because you can fully automate this, no service-desk call or whatsoever is involved.
- You can use PHS as your backup authentication method. Enable PSH, so that you can flip the switch in case you need it in the future.
Now, I could ramble on for hours to convince you why you should get rid of ADFS, but that’s not what this article is about. This article is based on the recommended actions from Microsoft Secure Score and encourages you to enable PHS, not using it as your default authentication method. But before we continue to that, I’ll give you something to chew on:
- Ask yourself why you are still using ADFS. Kenneth van Surksum wrote a nice article on that, so feel free to dig into that one.
- How many ADFS related issues did happen over the last 1 or 2 years? Think about expired SSL certificates, load balancer issues, updates that messed up your servers, database outage and DNS failures.
- How quickly can you restore your ADFS environment in case of an emergency?
- Keep in mind that PHS does not require any on-premises infrastructure to authenticate your users.
Okay, enough about that. Let’s move on to our main goal today, enabling PHS.
Enable Password Hash Sync
If you used Express settings at the installation of Azure AD Connect, PHS is already enabled. If you used custom settings, you can enable this manually. To enable PHS, go to your Azure AD Connect server and start the wizard.
Select the Customize synchronization options and click next.
Next, log-in using your admin credentials and go to the Optional Features section. Make sure that Password hash synchronization is enabled and finish the wizard.
Going to your Azure portal, you should now see that PHS is enabled.
Now you have enabled PHS, you can leave it like this. You continue to use your preferred authentication method. PSH is enabled in case of an emergency and your leaked credentials can be detected from now on.
Flip the switch
If you are ready to set PHS as your preferred authentication method, just fire up the Azure AD Connect wizard again and select Change user sign-in. Next, make sure you select Password Hash Sync as your preferred method.
But wait, there is more!
I can imagine that changing your authentication method for your whole domain at once can be a big step. If that’s the case, you should check out this preview feature where you can do a staged roll-out of PHS. Just select a pilot group and work from there. Read more.
A few things to take note of
Enabling PHS is relatively easy to configure. You should always consider the consequences before taking this step.
- Both your password complexity policy and password expiration policy are affected. Read more.
- Password hashes are synced every 2 minutes.
- The synchronization of a new password has no impact on the Azure user who is signed in. This session keeps working, depending on your time-out settings.
- If your organization uses the accountExpires attribute as part of user account management, this attribute is not synchronized to Azure AD. The account will stay active in Azure AD.
Stay safe!
Hello,
Good article series!
I have a question/remark concerning ‘Passwords are synced every 2 minutes.’
Are passwords synced? or are the hashes of the password hashes synced?
Important difference….
Best regards,
Sandro
Thanks Sandro. That would be of course the password hashes. I will update the article!
Pingback: Close the gap. Azure AD Identity Protection & Conditional Access. - JanBakker.tech
Pingback: Microsoft Secure Score Series – 15 – Do not expire passwords - JanBakker.tech
Great article.
Once switched to PHS, if we need to revert back to ADFS once the issue is fixed, is it then just a case of changing the User Sign In option back to ADFS?
Yes, but you need to do some additional steps. Take a look here: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/tutorial-phs-backup#switch-back-to-federation
I would strongly suggest not to switch back if you don’t have any security or compliance requirements 😉 Just leave it at PHS, your users will love it.