Synchronized Identity with Cloud Authentication
With a synchronized identity model, you are essentially configuring your organization’s directory objects to be replicated in Azure AD. This includes several properties such as first and last names, email addresses, office information, manager reporting configurations, physical addresses, and phone numbers, among others. You have the option to configure this with or without password hashes (a mathematical computation representing the password).
Azure AD Attributes Deep Dive
For an exhaustive list of the attributes synchronized to Azure AD, see https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-sync-attributes-synchronized.
Password hash synchronization enables an Azure AD user to use the same password as the corresponding on-premises account. If you choose to synchronize identity with password hashes (the default configuration and Microsoft’s preferred recommendation), then a hash of the user’s on-premises password is computed and synchronized to Azure AD. Authentication will be performed by Azure AD using the synchronized credential when a user attempts to access resources.
In order to synchronize password hashes, the account specified in the AAD Connect setup must have two specific Azure AD rights granted (Replicating Directory Changes and Replicating Directory Changes All). These rights can be delegated manually (using a tool such as the AAD Connect Advanced Permissions tool at http://aka.ms/aadpermissions) or by making the synchronization service account a member of either the Domain Admins or Enterprise Admins group. While the default synchronization interval for AAD Connect is every 30 minutes, password changes on-premises are processed and synchronized with Azure AD immediately as a separate process.
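As an added example (not from the book), the following PowerShell audit lists which principals hold the two replication rights named above on the domain naming context, so you can confirm that the AAD Connect service account was delegated only those rights rather than added to Domain Admins. It assumes the ActiveDirectory RSAT module is installed and that it runs on a domain-joined host with read access to the domain ACL.

```powershell
# Added example: audit who holds the replication rights AAD Connect needs.
# Assumes RSAT ActiveDirectory module and a domain-joined host.
Import-Module ActiveDirectory

# Well-known extended-right GUIDs for the two permissions in the text.
$replicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
}

$domainDn = (Get-ADDomain).DistinguishedName
$acl = Get-Acl -Path "AD:\$domainDn"

$findings = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }

    $right = $null
    $rights = $ace.ActiveDirectoryRights.ToString()
    $objectType = $ace.ObjectType.ToString()

    if ($rights -match 'GenericAll') {
        # Full control implicitly includes every extended right.
        $right = 'GenericAll (implies both replication rights)'
    }
    elseif ($rights -match 'ExtendedRight') {
        if ($ace.ObjectType -eq [guid]::Empty) {
            # An ExtendedRight ACE with an empty GUID grants all extended rights.
            $right = 'All extended rights (implies both replication rights)'
        }
        elseif ($replicationRights.ContainsKey($objectType)) {
            $right = $replicationRights[$objectType]
        }
    }

    if ($right) {
        [pscustomobject]@{
            Principal = $ace.IdentityReference.Value
            Right     = $right
            Inherited = $ace.IsInherited
        }
    }
}

$findings | Sort-Object Principal, Right | Format-Table -AutoSize
```

In a healthy deployment the output is typically limited to the domain controller groups, the built-in Administrators group, and the AAD Connect service account; any other principal holding these rights warrants review, since the same permissions allow replication of password hashes.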
Password Hash Synchronization Deep Dive
For a deeper understanding of how the AAD Connect password hash synchronization works, see https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-phs.
If you choose to synchronize identity without password hashes, then all of the same account details are synchronized except the password. Users must maintain the password separately for both Azure AD and their on-premises identity solution. This option is commonly configured if you are going to configure a federation service outside of AAD Connect, though you are not required to do so. Authentication will be performed by Azure AD using the synchronized user identity with a cloud password (if no federated authentication has been configured), or the request will be redirected to the federated IdP if a third-party federation has been configured.
Synchronized identity with cloud authentication doesn’t rely on any on-premises infrastructure to validate passwords or authentication attempts. If the on-premises environment is unavailable, then users will still be able to log in to Azure AD-protected resources since the authentication attempt is processed against the service.
With or without password hash synchronization, users can change their passwords independently in Office 365. If you deploy password hash synchronization, Microsoft recommends you deploy password writeback or self-service password reset (SSPR), so that when a user changes their password in Office 365, it is synchronized back to the on-premises Active Directory environment.