Directory Sync with Password Sync Scenario
Published: October 28, 2013
Updated: February 10, 2015
Applies To: Azure, Office 365, Windows Intune
Password sync is an extension to the Directory Sync Scenario. With directory sync, you can manage the entire lifecycle of your cloud user and group accounts using your on-premise Active Directory management tools.
When password sync is enabled on your directory sync computer, your users will be able to sign into Microsoft cloud services, such as Office 365, Dynamics CRM, and Windows InTune, using the same password as they use when logging into your on-premises network. When your users change their passwords in your corporate network, those changes are synchronized to the cloud.
To synchronize a password, the Directory Sync tool extracts the user password hash from the on-premises Active Directory. Additional security processing is applied to the password hash before it is synchronized to Azure AD. The actual data flow of the password synchronization process is similar to the synchronization of user data such as First Name or Title, as shown in the following diagram. Passwords are synchronized more frequently than other directory data.
It is important to note that this feature does not provide a full single sign-on (SSO) solution because there is no token sharing / exchange in the Password Sync based process.
Implementing directory sync in your environment introduces a variety of impactful benefits to your environment:
Reduced operational costs – Resetting passwords represents an expensive helpdesk operation. You can reduce the number of password reset requests by reducing the number of different passwords a user needs to maintain in your environment. Synchronizing the passwords of your already existing on-premise users and your Azure AD users is a method to do this.
Improved productivity - Reducing the number of passwords a user needs to maintain to gain access to corporate assets increases the amount of time corporate assets are accessible.