What is password hash synchronization (PHS)?

Password Hash Synchronization (PHS) is a feature of Microsoft Entra Connect – it is the easiest authentication option to implement and it is the default. The way PHS works is that whenever a password is changed on-premises, the password hash from Active Directory is synchronized into Microsoft Entra ID.

The password hash is repeatedly hashed, so even in the unlikely event that the resulting hash was stolen from the cloud, it would be of no use for sign-in on-premises. Note, too, that this feature is often referred to as “Password Synchronization”, which is incorrect: the plain-text password is never available to either Microsoft Entra Connect or Microsoft Entra ID itself.

Like any attribute, the path that a password takes is defined using Microsoft Entra Connect rules, but while regular attributes (like upn or enabled) flow on a regular cycle, passwords are handled differently.

When a password is changed or reset in Active Directory, the new password hash is re-hashed and synchronized to Microsoft Entra ID almost immediately, and this enables a user to use the same username and password (right away) to sign in to on-premises or cloud resources. If SSSO is also in use, the user will often experience true single sign-on.


PHS has the smallest on-premises footprint of the available options – and the least impact on your infrastructure, requiring only minimal changes to it. Note, however, that because authentication is performed by Microsoft Entra ID and not by on-premises AD, not all AD policies will be respected. For example, if an account is expired but still active, cloud authentication will succeed even though an on-premises sign-on would not.

 

