Update: From ADFS to DirSync Password Hash Sync

What's new, and how is it better?

Password Hash Sync can now be a failover solution for federated vanity domains. Azure Active Directory has been updated so that federated users can have a password even while they are federated.

This means that when we follow our guide "From ADFS to DirSync Password Sync" we can enable Password Hash Sync before we make any changes to the federation.

So when we convert the vanity domain back to a standard domain, we don't have to convert all users and accept downtime while we wait for the password hashes to be synchronized to Azure Active Directory.

Also, keep in mind that you have to align the password policies: if your Active Directory password policy is weaker than the Azure Active Directory default, the password hash will not be synchronized.

This is easy to check before going through with the project, instead of finding out because some users can't log in to Office 365.

Default Azure Active Directory password policy:
Capital letter, small letter, number and at least 8 characters.

If you don't want to raise your password policy, this can be changed for each user:

Get-MsolUser | Set-MsolUser -StrongPasswordRequired $false

But the default will always be StrongPasswordRequired $true, so when you create new users you have to change the StrongPasswordRequired value for them as well.

Or you can increase your security by demanding a strong password, which is highly recommended, along with Multi-Factor Authentication, which is not that much different from what we are used to with our personal online bank.


So, the steps we need to do, in short:

1. Install the latest DirSync or Azure AD Sync and configure it for your tenant with Password Synchronization.

Wait until Password Hash Sync has updated the users with passwords. Look in your Event Viewer under Application, because Password Hash Sync creates an event every 3 seconds while synchronizing password hashes.

2. Convert your vanity domain in Office 365 to a standard domain, and have your users log in without federation, but still with the same password as in Active Directory.

Remember to check that your password policy is stronger than, or matches, the Azure Active Directory default.
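The policy check mentioned in the steps above, written out as an added PowerShell example (not code from the original post). It assumes the ActiveDirectory and MSOnline modules are installed and that Connect-MsolService has already been run; it compares the on-premises default domain policy against the Azure AD default quoted above and lists the cloud users that have had StrongPasswordRequired switched off.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory and
# MSOnline modules are installed and Connect-MsolService has already been run.
Import-Module ActiveDirectory
Import-Module MSOnline

function Test-PasswordPolicyAlignment {
    # Compare the on-premises default domain policy with the Azure AD default
    # the post quotes: upper, lower, digit and at least 8 characters.
    $adPolicy = Get-ADDefaultDomainPasswordPolicy
    $findings = @()
    if ($adPolicy.MinPasswordLength -lt 8) {
        $findings += "MinPasswordLength is $($adPolicy.MinPasswordLength); Azure AD default requires 8"
    }
    if (-not $adPolicy.ComplexityEnabled) {
        $findings += "Complexity is disabled; Azure AD default requires upper, lower and digit"
    }
    [pscustomobject]@{
        MinPasswordLength = $adPolicy.MinPasswordLength
        ComplexityEnabled = $adPolicy.ComplexityEnabled
        Aligned           = ($findings.Count -eq 0)
        Findings          = $findings
    }
}

function Get-WeakPasswordPolicyUsers {
    # Users that were given StrongPasswordRequired $false. These are the
    # exceptions you must keep tracking every time a new user is created.
    Get-MsolUser -All |
        Where-Object { $_.StrongPasswordRequired -eq $false } |
        Select-Object UserPrincipalName, StrongPasswordRequired, LastDirSyncTime
}

$result = Test-PasswordPolicyAlignment
if (-not $result.Aligned) {
    Write-Warning "On-premises password policy is weaker than the Azure AD default:"
    $result.Findings | ForEach-Object { Write-Warning "  $_" }
    Write-Warning "Raise the AD policy (recommended) before converting the domain, or expect login problems for affected users."
} else {
    Write-Output "On-premises password policy meets the Azure AD default."
}

Write-Output "Cloud users with StrongPasswordRequired disabled:"
Get-WeakPasswordPolicyUsers | Format-Table -AutoSize
```

Run it before step 1 so that a weak on-premises policy is found in the planning phase rather than after the domain conversion.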

Ehlo!

I am Roy Apalnes, a Microsoft Cloud Evangelist working at Sopra Steria. Main focus on Microsoft Security and Endpoint Management, with the bigger picture in mind.
