5.1.8.1 Ensure that password hash sync is enabled for hybrid deployments

Information

Password hash synchronization is one of the sign-in methods used to accomplish hybrid identity synchronization. Microsoft Entra Connect synchronizes a hash of the hash of a user's password (never the password itself) from an on-premises Active Directory instance to a cloud-based Entra ID instance.

Note: Audit and remediation procedures in this recommendation only apply to Microsoft 365 tenants operating in a hybrid configuration using Entra Connect sync.

Rationale:

Password hash synchronization reduces the number of passwords your users need to maintain to just one and enables leaked credential detection for your hybrid accounts. Leaked credential detection is delivered through Entra ID Protection, of which it is a subset, and can help identify whether an organization's user account passwords have appeared on the dark web or in public spaces.

Other directory synchronization sign-in options may be less resilient: with password hash sync, Microsoft can still process sign-ins to Microsoft 365 even if a network connection to your on-premises environment is not available.

Impact:

Compliance or regulatory restrictions may exist, depending on the organization's business sector, that preclude hashed versions of passwords from being securely transmitted to cloud data centers.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To set up Password Hash Sync, use the following steps:

Log in to the on-premises server that hosts the Microsoft Entra Connect tool.

Double-click the Azure AD Connect icon that was created on the desktop.

Click Configure.

On the Additional tasks page, select Customize synchronization options and click Next.

Enter the username and password for your global administrator.

On the Connect your directories screen, click Next.

On the Domain and OU filtering screen, click Next.

On the Optional features screen, check Password hash synchronization and click Next.

On the Ready to configure screen click Configure.

Once the configuration completes, click Exit.
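The wizard above leaves no record that the setting is actually on, and the audit note says Nessus does not test it. The following script is an added example (not part of the CIS benchmark or the Tenable audit) that checks the configured state on the Entra Connect server itself; it assumes the ADSync module that ships with Microsoft Entra Connect is installed, that the script runs on that server with local administrator rights, and that the ConnectorTypeName property value 'AD' identifies on-premises AD connectors.

```powershell
# Added example: audit password hash synchronization on the Entra Connect server.
# Assumes the ADSync module (installed with Microsoft Entra Connect) is available
# and the session has local administrator rights on that server.
Import-Module ADSync -ErrorAction Stop

function Test-PasswordHashSync {
    [CmdletBinding()]
    param()

    # Tenant-level feature flag as reported by Entra Connect.
    $feature = Get-ADSyncAADCompanyFeature
    $tenantEnabled = [bool]$feature.PasswordHashSync

    # Per-forest setting: every on-premises AD connector should have PHS enabled.
    # Assumption: on-premises AD connectors report ConnectorTypeName 'AD'.
    $adConnectors = Get-ADSyncConnector | Where-Object { $_.ConnectorTypeName -eq 'AD' }
    $forestResults = @(foreach ($c in $adConnectors) {
        $cfg = Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $c.Name
        [pscustomobject]@{
            SourceConnector = $c.Name
            Enabled         = [bool]$cfg.Enabled
        }
    })

    # Compliant only if the tenant flag is on, at least one forest is configured,
    # and no forest has password hash sync turned off.
    $disabled = @($forestResults | Where-Object { -not $_.Enabled })
    $compliant = $tenantEnabled -and ($forestResults.Count -gt 0) -and ($disabled.Count -eq 0)

    [pscustomobject]@{
        TenantFeatureEnabled = $tenantEnabled
        Forests              = $forestResults
        Compliant            = $compliant
    }
}

$result = Test-PasswordHashSync
$result.Forests | Format-Table -AutoSize
if ($result.Compliant) {
    'PASS: password hash sync is enabled at the tenant level and for every AD forest'
} else {
    'FAIL: password hash sync is not fully enabled; apply the 5.1.8.1 remediation steps'
}
```

A FAIL for a single forest with the tenant flag on usually means the wizard was completed for one forest only; rerun the Optional features step for each connected forest.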

Default Value:

Microsoft Entra Connect sync is disabled by default.

Password Hash Sync is Microsoft's recommended setting for new deployments.

See Also

https://workbench.cisecurity.org/benchmarks/15279

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2(1), 800-53|AC-3, CSCv7|16.4

Plugin: microsoft_azure

Control ID: de947d3b627c83429912c1f5137fa0648eeef353c33a17a1a374ed3caa19661a