1.1.7 Ensure that password hash sync is enabled for resiliency and leaked credential detection

Information

Ensure that password hash sync is enabled for resiliency and leaked credential detection.

Rationale:

Password hash synchronization is one of the sign-in methods used to implement hybrid identity. Azure AD Connect synchronizes a hash of the hash of each user's password from an on-premises Active Directory instance to the cloud-based Azure AD tenant; the cleartext password and the raw NT hash never leave the on-premises directory. Password hash synchronization reduces the number of passwords users must maintain to one. Enabling it also allows Azure AD to report leaked credentials for synchronized accounts, and it provides a backup authentication method when federation is used, so that users can still sign in if the federation provider fails.

Impact:

Enabling password hash sync should not impact end users.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To set up Password Hash Sync, use the following steps:

Log in to the server that hosts the Azure AD Connect tool.

Double-click the Azure AD Connect icon that was created on the desktop.

Click Configure.

On the Additional tasks page, select Customize synchronization options and click Next.

Enter the username and password for your global administrator.

On the Connect your directories screen, click Next.

On the Domain and OU filtering screen, click Next.

On the Optional features screen, check Password hash synchronization and click Next.

On the Ready to configure screen, click Configure.

Once the configuration completes, click Exit.
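The following PowerShell check verifies the state this recommendation requires, both at the tenant level and per on-premises AD connector. It is an added example, not code from the CIS benchmark or the Nessus audit; it assumes the ADSync module that ships with Azure AD Connect, and that the cmdlet output exposes the property names PasswordHashSync, ConnectorTypeName and Enabled.

```powershell
# Run on the Azure AD Connect server in an elevated PowerShell session.
# Assumptions: the ADSync module is installed with Azure AD Connect; the
# property names used below (PasswordHashSync, ConnectorTypeName, Enabled)
# match current releases of the cmdlets.
Import-Module ADSync -ErrorAction Stop

function Test-PasswordHashSyncEnabled {
    [CmdletBinding()]
    param()

    # Tenant-wide feature flag as recorded by Azure AD Connect.
    $feature = Get-ADSyncAADCompanyFeature
    $tenantEnabled = [bool]$feature.PasswordHashSync

    # Per-connector state: each on-premises AD forest has its own connector,
    # and password hash sync is configured separately for each one.
    $adConnectors = @(Get-ADSyncConnector | Where-Object { $_.ConnectorTypeName -eq 'AD' })
    $connectorStates = foreach ($c in $adConnectors) {
        $cfg = Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $c.Name
        [pscustomobject]@{
            Connector = $c.Name
            Enabled   = [bool]$cfg.Enabled   # assumed property name
        }
    }

    # Compliant only if the tenant flag is on, at least one AD connector
    # exists, and no AD connector has password hash sync disabled.
    $disabled = @($connectorStates | Where-Object { -not $_.Enabled })
    [pscustomobject]@{
        TenantFeatureEnabled = $tenantEnabled
        Connectors           = $connectorStates
        Compliant            = $tenantEnabled -and ($adConnectors.Count -gt 0) -and ($disabled.Count -eq 0)
    }
}

$result = Test-PasswordHashSyncEnabled
$result | Format-List
$result.Connectors | Format-Table -AutoSize
if (-not $result.Compliant) {
    Write-Warning 'CIS 1.1.7: password hash synchronization is not enabled on every AD connector.'
    exit 1
}
```

A non-zero exit code lets the script be dropped into a scheduled compliance job; the per-connector table shows which forest still needs the Optional features step above.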

See Also

https://workbench.cisecurity.org/files/3729