Unit 3: Implement and Manage Password Hash Synchronization (PHS)

1. Understanding Password Hash Synchronization

Password Hash Synchronization (PHS) is one of the core sign-in methods available in Microsoft Entra Connect for hybrid identity.

Its main goal is to ensure users can use the same password for both on-premises Active Directory (AD DS) and Microsoft Entra ID (Azure AD) — without requiring any federation or additional authentication servers.

Key idea: Microsoft Entra Connect periodically synchronizes a hash of the hash of each user’s password from AD DS to Entra ID. This means the actual password never leaves the on-premises environment — even Microsoft cannot decrypt or view it.

When a user signs into a cloud service (like Microsoft 365, SharePoint, or Teams), Entra ID uses the stored password hash to authenticate the user.

2. How Password Hash Synchronization Works (Step-by-Step)

Let’s break down the process carefully to understand what happens behind the scenes.

• User changes or sets a password in on-premises AD.
• AD stores that password as a hash — a one-way mathematical representation of the password.
• This stored hash cannot be reversed into the plain password.
• Microsoft Entra Connect extracts the hash from AD.
• It doesn’t send this directly to the cloud.
• Instead, it applies an additional layer of hashing using SHA256 and cryptographic salting.
• The double-hashed password is sent securely to Microsoft Entra ID using an encrypted TLS channel.
• Microsoft Entra ID stores this value for authentication.
• When a user tries to sign in to a cloud resource:
• They enter their username and password into the Microsoft Entra sign-in page.
• The password is hashed locally on the client, then compared with the stored hash in Entra ID.
• If both hashes match, the user is authenticated successfully.

This process ensures that passwords are never stored or transmitted in clear text and that Microsoft only ever stores non-reversible hashes.

3. Frequency and Synchronization Behavior

• Password hash sync occurs every 2 minutes by default.
• This schedule is independent of the standard directory synchronization cycle (which typically runs every 30 minutes).
• Passwords are synchronized on a per-user basis — meaning each user’s password is processed separately.

When you first enable password hash synchronization:

• Entra Connect performs an initial full synchronization of all in-scope user passwords.
• After that, incremental updates occur only when users change their passwords.

You cannot manually select which passwords to sync in the initial run.

4. How PHS Enhances Security

Microsoft designed PHS with layered security in mind:

5. Enabling Password Hash Synchronization

Scenario 1: During Installation (Express Mode)

If you choose Express Settings when installing Microsoft Entra Connect:

• Password Hash Synchronization is enabled by default.
• This setup is ideal for single-forest environments or smaller organizations that want a straightforward hybrid setup.

Scenario 2: During Custom Installation

If you select Custom Settings, you’ll see a screen titled “User Sign-In Options” where you can choose from:

• Password Hash Synchronization
• Pass-Through Authentication
• Federation (AD FS)

To enable PHS manually:

• Run Microsoft Entra Connect setup.
• Select Customize → User Sign-In → choose Password Hash Synchronization.
• Proceed with domain verification and sync configuration.

6. PHS and FIPS Compliance

Some organizations operate under FIPS (Federal Information Processing Standard) mode, which disables MD5 cryptographic functions for compliance. However, PHS internally relies on MD5 as part of its hashing pipeline.

To support PHS on FIPS-enforced servers, you must explicitly re-enable MD5 for this purpose only.

Steps:

Open the file:

%ProgramFiles%\Azure AD Sync\Bin\miiserver.exe.config

Locate the <configuration> section and add:

<runtime>

<enforceFIPSPolicy enabled="false"/>

</runtime>

Save the file and restart the synchronization service.

This setting allows the PHS mechanism to function while the rest of your system remains FIPS-compliant.

7. Password Hash Synchronization with PingFederate

Although PHS is most often used standalone, it can also coexist with PingFederate for organizations using federated sign-in.

Use case example:

• A company uses PingFederate for complex authentication scenarios (e.g., third-party MFA).
• They still enable PHS as a backup sign-in method, ensuring users can log in if the on-prem federation infrastructure fails.

Steps:

• Ensure PingFederate 8.4 or later is installed.
• Have a valid TLS/SSL certificate (e.g., sts.contoso.com).
• During Entra Connect configuration:
• Select Set up federation with PingFederate.
• Choose the domain to federate (e.g., contoso.com).
• Export the settings to share with your PingFederate admin.
• The PingFederate admin completes the federation configuration and returns the metadata for verification.

This setup provides resiliency — even if PingFederate or the on-prem network fails, users can temporarily authenticate via PHS.

8. Business Continuity and High Availability

• PHS operates as a cloud-native service, so it benefits from Microsoft’s global redundancy.
• Even if your on-premises environment experiences a disaster (e.g., ransomware attack, DC failure), users can still sign in to Microsoft 365 using their last-synced credentials.
• You can deploy a second Entra Connect server in staging mode to ensure sync continuity if the primary server fails.

This makes PHS an excellent business continuity strategy, especially when compared to federation or PTA, which both rely on local infrastructure.

9. Troubleshooting and Monitoring PHS

Tools available:

• Microsoft Entra Connect Health:

Provides real-time insights and alerts about synchronization status, password sync failures, or delays.

• Event Viewer Logs:

On the Entra Connect server, check under: Applications and Services Logs > Directory Synchronization for entries such as:

• Password hash synchronization completed successfully.
• Password synchronization failed for user xyz@domain.com.

Common issues:

10. Advantages and Limitations Summary

11. Real-World Example:

Scenario: Fabrikam Industries runs a traditional on-prem AD with 5,000 users. They’ve migrated their email and collaboration tools to Microsoft 365.

Their IT director wants users to sign in with the same credentials but doesn’t want to maintain a complex federation environment.

Solution:

• Deploy Microsoft Entra Connect using Express Settings.
• Enable Password Hash Synchronization.
• Set up Seamless Single Sign-On for internal network users.
• Configure a staging server for redundancy.

Result: Users log in seamlessly to both their local Windows computers and cloud apps. The IT team doesn’t need to manage AD FS or authentication agents. If the on-prem AD is temporarily unavailable, cloud logins continue without interruption.

12. Exam Tips

• PHS syncs a hash of a hash (not the password).
• Sync occurs every 2 minutes.
• Express Settings automatically enables it.
• FIPS mode must have MD5 enabled for PHS to function.
• Always use PHS as a backup, even when PTA or Federation is your primary sign-in method.
• Event Viewer and Entra Connect Health are your go-to tools for troubleshooting.

13. Summary

Password Hash Synchronization is the simplest and most reliable method for enabling hybrid identity. It combines ease of deployment, high availability, and strong security — making it ideal for most organizations.

It’s the default and recommended method unless you have strict compliance or policy requirements that prevent password storage (even in hashed form) in the cloud.