Today the latest build of the Microsoft Active Directory synchronisation tool (DirSync) for Windows Azure Active Directory / Office 365 has reached General Availability. This build makes password synchronisation available, a feature which has been requested for quite a long time (since the BPOS days).
While password synchronisation has been available for Live@Edu customers using PCNS, Office 365 customers have had to either resort to 3rd-party utilities such as those created by MessageOps or SADA Systems, or deploy Active Directory Federation Services (ADFS).
Unfortunately both of these have had a cost associated with them, which can sometimes be prohibitive for organisations, so the ability to have password sync as part of DirSync is fantastic.
What does the availability of password sync mean for those with 3rd-party or ADFS solutions in place? They can continue to use them, or, if they prefer, de-provision them and step back to DirSync with password sync.
Some of the key points around using the updated DirSync with password sync:
– passwords are sent as a hash to Office 365 / Windows Azure Active Directory – it IS NOT possible to convert the hashed password to plain text
– the old DirSync must be uninstalled before you install the new bits
– DirSync still works on a 3-hour schedule, however passwords changed in Active Directory are replicated to the cloud within minutes
– password sync will not synchronise passwords for federated identities
– the password complexity is defined by YOUR Active Directory
– by default, passwords set in Office 365 by DirSync are set to never expire (however the AD password can expire, and as such will update the Office 365 password when a user changes it)
– administrators can use PowerShell to change a cloud password
How do you enable password sync? Very easily:
1. Install the latest Windows Azure Active Directory sync tool
2. Select the option to enable password sync
3. You’re done!
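As an added example (not code from the post, nor from Microsoft), the following PowerShell uses the MSOnline (Windows Azure Active Directory) module to check the key points above once password sync has been enabled: that the tenant reports password synchronisation enabled and a recent sync, that a synced user's cloud password carries the never-expire flag described above, and the PowerShell path an administrator uses to change a cloud password. The UPN and the new password are placeholders; the property names are those the MSOnline module exposes on Get-MsolCompanyInformation and Get-MsolUser.

```powershell
# Added example, not part of the original post: verify DirSync password sync
# from the tenant side. Requires the MSOnline (Windows Azure AD) PowerShell
# module and a tenant administrator account.
# Placeholder: replace user@example.onmicrosoft.com with a real UPN.

Import-Module MSOnline
Connect-MsolService   # prompts for tenant administrator credentials

# 1. Tenant-level check: is DirSync on, and has a password sync actually run?
$company = Get-MsolCompanyInformation
[pscustomobject]@{
    DirSyncEnabled      = $company.DirectorySynchronizationEnabled
    LastDirSync         = $company.LastDirSyncTime
    PasswordSyncEnabled = $company.PasswordSynchronizationEnabled
    LastPasswordSync    = $company.LastPasswordSyncTime
} | Format-List

# Password changes should arrive within minutes; a sync older than the
# 3-hour DirSync cycle points at a problem on the DirSync server.
if ($company.PasswordSynchronizationEnabled -and
    $company.LastPasswordSyncTime -lt (Get-Date).AddHours(-3)) {
    Write-Warning "Last password sync was at $($company.LastPasswordSyncTime); check the DirSync server."
}

# 2. Per-user check: a synced user shows a LastDirSyncTime and, because the
#    AD password policy is authoritative, PasswordNeverExpires set in the cloud.
$upn = 'user@example.onmicrosoft.com'   # placeholder UPN
Get-MsolUser -UserPrincipalName $upn |
    Select-Object UserPrincipalName, LastDirSyncTime, PasswordNeverExpires, LastPasswordChangeTimestamp

# 3. Find synced users whose cloud password is still set to expire; those
#    accounts would be prompted by Office 365 for a change that AD never sees.
Get-MsolUser -All |
    Where-Object { $_.LastDirSyncTime -and -not $_.PasswordNeverExpires } |
    Select-Object UserPrincipalName, LastDirSyncTime, PasswordNeverExpires

# 4. Administrator resetting a cloud password, as the post mentions.
#    For a synced user the next AD password change overwrites this value.
#    Uncomment to run; the password below is a placeholder.
# Set-MsolUserPassword -UserPrincipalName $upn -NewPassword 'Placeholder-NewPassw0rd' -ForceChangePassword $false
```

Step 3 is the one worth scheduling: it catches accounts that were created in the cloud before being matched to AD and so never picked up the never-expire setting that DirSync applies by default.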
If you are already using ADFS / SSO and would like to convert from a Federated user to a Managed user so as to leverage password sync, there is a process to follow; however, there are some considerations to keep in mind. More on that soon!
More information can be found in the Windows Azure Active Directory section of TechNet.
This is pretty exciting/cool.
HOWEVER, please tell me how MS (or was that purely your statement) thinks the password hash is not able to be converted to plain text?
That’s a MS statement. For higher security ADFS and even 2FA is recommended.
A few questions on Dirsync # password sync:
a) Will Dirsync # password work along with SSO toolkit for O365 Education Tenants?
b) If passwords are stored using PowerShell commands to Live@Edu or O365 tenants, are they stored in # format or plain text?
c) When a user changes their password on Live@Edu or O365, is the password stored in # format or plain text?
d) Any whitepaper that talks more in detail on # password sync?
Given your employer – shouldn’t you know this already?
I’ve taken a deeper look into the hashed password sync if anyone is interested.