1.1.12 Ensure that password hash sync is enabled for hybrid deployments

Information

Password hash synchronization is one of the sign-in methods used to accomplish hybrid identity synchronization. Azure AD Connect synchronizes a hash of the hash of a user's password from an on-premises Active Directory instance to a cloud-based Azure AD instance.

Note: Audit and remediation procedures in this recommendation only apply to Microsoft 365 tenants operating in a hybrid configuration using Azure AD Connect sync.

Rationale:

Password hash synchronization helps by reducing the number of passwords your users need to maintain to just one, and it enables leaked credential detection for your hybrid accounts. Leaked credential protection is delivered through Azure AD Identity Protection and is a subset of that feature; it can help identify whether an organization's user account passwords have appeared on the dark web or in public spaces.

Using other options for your directory synchronization may be less resilient, as with Hash Sync Microsoft can still process sign-ins to 365 even if a network connection to your on-premises environment is not available.

Impact:

Compliance or regulatory restrictions may exist, depending on the organization's business sector, that preclude hashed versions of passwords from being securely transmitted to cloud data centers.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To set up Password Hash Sync, use the following steps:

Navigate to Microsoft Entra admin center https://entra.microsoft.com/.

Click to expand Azure Active Directory and select Overview.

Scroll down on the Overview page and, underneath the My feed section, select Azure AD Connect.

Click Manage Azure AD cloud sync.

Click Configure.

On the Additional tasks page, select Customize synchronization options and click Next.

Enter the username and password for your global administrator.

On the Connect your directories screen, click Next.

On the Domain and OU filtering screen, click Next.

On the Optional features screen, check Password hash synchronization and click Next.

On the Ready to configure screen, click Configure.

Once the configuration completes, click Exit.
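Because Nessus does not perform this check, the following PowerShell is an added audit example (not part of the CIS benchmark or the Tenable page) that verifies the state the steps above are meant to produce. The first function is assumed to run on the Azure AD Connect server itself, using the ADSync module's Get-ADSyncAADCompanyFeature and Get-ADSyncScheduler cmdlets; the second is assumed to run with the Microsoft Graph PowerShell SDK and Organization.Read.All consent, reading the tenant's on-premises sync timestamps. The $MaxStaleHours threshold is a constructed value, not a benchmark requirement.

```powershell
# Added audit example, not part of the CIS benchmark or the Tenable page.
# Assumptions: Test-ConnectServerPasswordHashSync runs on the Azure AD Connect
# server (ADSync module, ADSyncAdmins membership); Test-TenantPasswordHashSync
# runs anywhere with the Microsoft Graph PowerShell SDK and Organization.Read.All.
# $MaxStaleHours is a constructed threshold, not a benchmark value.

function Test-ConnectServerPasswordHashSync {
    [CmdletBinding()]
    param()

    Import-Module ADSync -ErrorAction Stop
    $feature   = Get-ADSyncAADCompanyFeature   # exposes the PasswordHashSync flag
    $scheduler = Get-ADSyncScheduler           # exposes sync cycle / staging state

    $findings = [System.Collections.Generic.List[string]]::new()
    if (-not $feature.PasswordHashSync) {
        $findings.Add('Password hash synchronization is not enabled (1.1.12 fails)')
    }
    if (-not $scheduler.SyncCycleEnabled) {
        $findings.Add('Sync scheduler is disabled; password hashes will not be refreshed')
    }
    if ($scheduler.StagingModeEnabled) {
        $findings.Add('Server is in staging mode and does not export to Azure AD')
    }

    [pscustomobject]@{
        Source                  = $env:COMPUTERNAME
        PasswordHashSyncEnabled = [bool]$feature.PasswordHashSync
        SyncCycleEnabled        = [bool]$scheduler.SyncCycleEnabled
        StagingMode             = [bool]$scheduler.StagingModeEnabled
        NextSyncCycleStartUtc   = $scheduler.NextSyncCycleStartTimeInUTC
        Compliant               = ($findings.Count -eq 0)
        Findings                = $findings.ToArray()
    }
}

function Test-TenantPasswordHashSync {
    [CmdletBinding()]
    param([int]$MaxStaleHours = 3)   # constructed threshold

    Import-Module Microsoft.Graph.Identity.DirectoryManagement -ErrorAction Stop
    Connect-MgGraph -Scopes 'Organization.Read.All' -NoWelcome

    # The organization object carries the tenant-wide hybrid sync timestamps.
    $org = Get-MgOrganization -Property 'Id','OnPremisesSyncEnabled',
        'OnPremisesLastSyncDateTime','OnPremisesLastPasswordSyncDateTime'

    $findings = [System.Collections.Generic.List[string]]::new()
    if (-not $org.OnPremisesSyncEnabled) {
        $findings.Add('Tenant is not configured for directory synchronization; sync is disabled or broken')
    }
    $lastPw = $org.OnPremisesLastPasswordSyncDateTime
    if (-not $lastPw) {
        $findings.Add('No password hash sync has ever been recorded for this tenant')
    }
    elseif (((Get-Date).ToUniversalTime() - $lastPw.ToUniversalTime()).TotalHours -gt $MaxStaleHours) {
        $findings.Add("Last password hash sync at $lastPw UTC is older than $MaxStaleHours hours")
    }

    [pscustomobject]@{
        Source               = 'Tenant'
        DirectorySyncEnabled = [bool]$org.OnPremisesSyncEnabled
        LastDirectorySyncUtc = $org.OnPremisesLastSyncDateTime
        LastPasswordSyncUtc  = $lastPw
        Compliant            = ($findings.Count -eq 0)
        Findings             = $findings.ToArray()
    }
}

# Usage: run whichever side you can reach; each returns an object whose
# Findings list is empty when the recommendation is satisfied.
# Test-ConnectServerPasswordHashSync | Format-List
# Test-TenantPasswordHashSync -MaxStaleHours 3 | Format-List
```

Checking both sides matters: the Connect server reports whether the feature is configured, while the tenant's last-password-sync timestamp shows whether hashes are actually arriving, which is what the leaked credential detection described in the Rationale depends on.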

Default Value:

Azure AD Connect sync is disabled by default.

Password Hash Sync is Microsoft's recommended setting for new deployments.

See Also

https://workbench.cisecurity.org/benchmarks/10751