By deploying password sync in your environment, you enable your users to use the same password they are using to logon to your on-premises Active Directory to logon to Windows Azure Active Directory.
The latest version of the Directory Sync tool (version 1.0.6385.0012) can be downloaded from the Office 365, InTune and Azure UX Portals.
What is Password Sync
Password Sync is a feature of the Windows Azure Active Directory Sync tool that synchronizes user passwords from your on-premises Active Directory to Windows Azure Active Directory (“Azure AD”). This feature enables your users to log into their Azure Active Directory services (such as Office 365, InTune, CRM Online, etc.) using the same password as they use to log into your on-premises network. It is important to note that this feature does not provide a Single Sign-On (SSO) solution because there is no token sharing / exchange in the Password Sync based process.
How Password Sync Works
Password Sync is an extension to the directory synchronization feature implemented by the Directory Sync tool. As a consequence of this, this feature requires directory synchronization between your on-premise and your Windows Azure Active Directory to be configured.
The Active Directory Domain Service stores passwords in form of a hash value representation of the actual user password. The Password hash cannot be used to login to your on-premises network. It is also designed so that it cannot be reversed in order to gain access to the user’s plaintext password. To synchronize a password, the Directory Sync tool extracts the user password hash from the on-premises Active Directory. Additional security processing is applied to the password hash before it is synchronized to the Azure Active Directory Authentication service. The actual data flow of the password synchronization process is similar to the synchronization of user data such as DisplayName or Email Addresses.
Passwords are synchronized more frequently than the standard Directory Sync window for other attributes. Passwords are synchronized on a per-user basis and are generally synchronized in chronological order. When a user’s password is synchronized from the on-premises AD to the cloud, the existing cloud password will be overwritten.
When you first enable the Password Sync feature in your DirSync tool, it will perform an initial synchronization of the passwords of all in-scope users from your on-premises Active Directory to Azure Active Directory. You cannot explicitly define the set of users that will have their passwords synchronized to the cloud. Subsequently, when an on-premises user changes their password, the Password Sync feature will detect and synchronize the changed password, most often in a matter of minutes. The Password Sync feature will automatically retry failed user password syncs. If an error occurs during an attempt to synchronize a password the error is logged in your event viewer.
The synchronization of a password has no impact on currently logged on users. If a user that is logged into a cloud service also changes their on-premise password, the cloud service session will continue uninterrupted. However, as soon as the cloud service attempts requires the user to re-authenticate, the new password needs to be provided. At this point, the user is required to provide the new password – the password that has been recently synchronized from the on-premise Active Directory to the cloud.