
ad-assurance - [AD-Assurance] Azure AD DirSync password sync

Subject: Meeting the InCommon Assurance profile criteria using Active Directory


[AD-Assurance] Azure AD DirSync password sync


  • From: Brian Arkills <>
  • To: "" <>
  • Subject: [AD-Assurance] Azure AD DirSync password sync
  • Date: Tue, 4 Jun 2013 14:10:19 +0000

Yesterday, Microsoft released a new version of their DirSync tool. This new version supports password synchronization from your on-premises AD. This allows enterprises that don't want to use federated authentication or manage two sets of passwords to have a single password for their users.


I think we've talked briefly about this possibility in the past, but my recollection is foggy. In any event, there's some detail at http://technet.microsoft.com/en-us/library/dn246918.aspx, where a key phrase is:


"When synchronizing passwords using the password sync feature, the plain text version of a user’s password is neither exposed to the password sync tool nor to Azure AD or any of the associated services. Additionally, there is no requirement on the on-premises Active Directory to store the password in a reversibly encrypted format. A digest of the Windows Active Directory password hash is used for the transmission between the on-premises AD and Azure Active Directory. The digest of the password hash cannot be used to access resources in the customer's on-premises environment."


I don't think we should include this scenario in the core portion of the revised cookbook document, but I do think we should mention it and note that those who choose to use this option should consider the implications.


-B




