Password Hash for Azure AD Directory Sync

Forum: Microsoft Azure
Viewing 3 posts - 1 through 3 (of 3 total)
  • #223701
    Shaun Collins
    Participant

    I am hoping someone can help me understand one important point about the Azure AD Password Sync with Writeback option. Microsoft says the actual AD on-premises password is never written to Azure AD…only a hash. Anyone know what kind of hash? How secure? Does this feature fall under the claim of PCI compliance claimed by MS for MS Azure?

    #224246
    Anonymous

    Shaun, I did some looking for this just now, but cannot find a definitive answer. Did you ever find out?

    #224247
    Wes Kroesbergen
    Participant

    This wiki link might help you.

    Yes. The information we retrieve from Active Directory isn't your users' actual plaintext passwords – it's the hashes of those passwords. Hashes are mathematical functions that are nearly impossible to crack. The hashes that we retrieve from AD cannot be used to gain access to any of your on-premises resources (Active Directory won't accept the password hash as a means to log a user in).

    Here are some additional details to help you feel comfortable with the security of Password Sync:

    • We never see your plaintext password during the sync process. Ever. We only retrieve the hash of the user password from Active Directory.
    • We re-hash the hash of the user password using a SHA256 algorithm before transport to the Azure Active Directory Authentication Service.
    • Transport of the digest (re-hash of the AD password hash) is done over an encrypted SSL session.
    • We store the digest in our system.