Password Hash Synchronization (PHS) is a feature of Azure AD Connect – it is the easiest authentication option to implement and it is the default. The way PHS works is that whenever a password is changed on premises, the password hash from Active Directory is synchronized into Azure AD.
The password hash is itself repeatedly hashed, so even in the unlikely event that the resulting hash were stolen from the cloud, it would be no use for sign-in on-premises. Note, too, that this feature is often incorrectly referred to as “Password Synchronization” – this is incorrect, since the plain-text password is never available either to Azure AD Connect or Azure AD itself.
When a password is changed or reset on-premises, the new password hash is (re-hashed and) synchronized to Azure AD almost immediately, and this enables a user to use the same username and password to sign-in to on-premises or cloud resources. If SSSO is also in use, the user will often experience true single sign-on.
PHS has the smallest on-premises footprint of the available options – and the least impact on your infrastructure, requiring only minimal changes to it. Note, however, that because the authentication is being performed by Azure AD and not on-premises AD, not all AD policies will be respected, for example, if an account is expired but still active, the cloud authentication will be successful, even though an on-premises sign-on would not be successful.
Find out more about password hash synchronization on our Azure AD Connect Masterclass.
Learn exactly what you need to know about Azure AD Connect, when you need to know it, with our highly practical video training courses.
Learn how to build an HR driven provisioning solution for your Active Directory and Azure Active Directory with our practical video training.
Updated July 2022