I am hoping someone can help me understand one important point about the Azure AD Password Sync with Writeback option. Microsoft says the actual AD on-premises password is never written to Azure AD…only a hash. Anyone know what kind of hash? How secure? Does this feature fall under the claim of PCI compliance claimed by MS for MS Azure?
Yes. The information we retrieve from Active Directory isn't your users' actual plaintext passwords – it's hashes of those passwords. Hashes are mathematical functions that are nearly impossible to crack. The hashes that we retrieve from AD cannot be used to gain access to any of your on-premises resources (Active Directory won't accept the password hash as a means to log a user in).
Here are some additional details to help you feel comfortable with the security of Password Sync:
We never see your plaintext password during the sync process. Ever. We only retrieve the hash of the user password from Active Directory.
We re-hash the hash of the user password using a SHA256 algorithm before transport to the Azure Active Directory Authentication Service.
Transport of the digest (re-hash of the AD password hash) is done over an encrypted SSL session.
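The flow the reply describes, as an added illustration that is not Microsoft's code or the poster's: the hash AD already holds (the NT hash, MD4 over the UTF-16LE password) is re-hashed with SHA256 before it leaves the premises, and the cloud side can only verify a login by recomputing that digest. Modelling the re-hash as salted PBKDF2-HMAC-SHA256 with 1000 iterations and a 10-byte per-user salt is an assumption beyond the reply's "SHA256"; a small MD4 is included because stdlib hashlib may not expose it.

```python
import hashlib
import hmac
import os
import struct

# Minimal MD4 (the NT hash primitive); hashlib may lack md4 on OpenSSL 3.
def _md4(data: bytes) -> bytes:
    mask = 0xFFFFFFFF
    rotl = lambda x, s: ((x << s) | (x >> (32 - s))) & mask
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    st = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = [
        (F, 0, (3, 7, 11, 19), list(range(16))),
        (G, 0x5A827999, (3, 5, 9, 13), [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    ]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = st
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                a = rotl((a + fn(b, c, d) + X[idx] + k) & mask, shifts[i % 4])
                a, b, c, d = d, a, b, c
        st = [(s + v) & mask for s, v in zip(st, (a, b, c, d))]
    return struct.pack("<4I", *st)

def nt_hash(password: str) -> bytes:
    """The unsalted hash AD stores: MD4 over the UTF-16LE password."""
    return _md4(password.encode("utf-16le"))

SYNC_ITERATIONS = 1000  # assumed; the reply only says "SHA256"

def sync_digest(ad_hash: bytes, salt: bytes, iterations: int = SYNC_ITERATIONS) -> bytes:
    """Re-hash of the AD hash that is sent to the cloud, modelled (assumption)
    as salted PBKDF2-HMAC-SHA256 over the hex form of the AD hash."""
    key = ad_hash.hex().upper().encode("utf-16le")
    return hashlib.pbkdf2_hmac("sha256", key, salt, iterations, 32)

def cloud_verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Cloud-side check: recompute from the candidate password, compare in constant time."""
    return hmac.compare_digest(sync_digest(nt_hash(password), salt), stored)

if __name__ == "__main__":
    salt = os.urandom(10)  # constructed per-user salt
    h = nt_hash("password")
    d = sync_digest(h, salt)
    print("AD (NT) hash:", h.hex())
    print("sync digest :", d.hex())
    print("verify      :", cloud_verify("password", salt, d), cloud_verify("Password", salt, d))
```

The synced digest is 32 bytes and unrelated in form to the 16-byte NT hash, which is why it is of no use against on-premises AD even if the cloud store were exposed; note also that the original NT hash itself is unsalted, so its protection on the domain controllers is unchanged by sync.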