Azure-docs: Password Hash Sync for Pass-through Authentication
Several times on this page, it is indicated that Password Hash Sync can be setup to allow for fail-over for Pass-through Authentication. On the Pass-through Authentication FAQ, it says that it is not the case.
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta-faq#does-password-hash-synchronization-act-as-a-fallback-to-pass-through-authentication
Additionally, I can find no where in AADC where adding Password Hash Sync to the Pass-through Auth option, it is just one or the other. There is no option that I can find that relates to this statement - "So it's critical to enable password hash synchronization no matter what authentication method you use, whether that's federated or pass-through authentication."
Document Details
⚠Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
- ID: 74a7839e-3be4-a6b8-10ac-addc1285d0a6
- Version Independent ID: 11a6d260-6e5e-0434-5503-198285446c2a
- Content: Choose the right authentication method for your Azure AD hybrid identity solution
- Content Source: articles/security/azure-ad-choose-authn.md
- Service: active-directory
- GitHub Login: @martincoetzer
- Microsoft Alias: martinco
redamaleki
All 6 comments
We have a document that explains how to do this with federation. It is essentially the same if you use PTA. https://docs.microsoft.com/en-us/azure/active-directory/hybrid/tutorial-phs-backup
martincoetzer
on 11 Jul 2019
please-close
martincoetzer
on 11 Jul 2019
We have a document that explains how to do this with federation. It is essentially the same if you use PTA. https://docs.microsoft.com/en-us/azure/active-directory/hybrid/tutorial-phs-backup
So is the FAQ for PTA incorrect?
redamaleki
on 11 Jul 2019
The FAQ is correct. The key point is "automatic". If you enable PTA and PHS it will not automatically fail-over to use PHS if PTA fails, but an admin can manually switch to PHS if PTA fails. If you previously enabled in PHS, the change will be near instant.
martincoetzer
on 11 Jul 2019
Thanks for the clarification. The documentation I have found thus far is that I would have to switch to PHS from PTA using AADC. Do you have a link to enabling that without AADC, since that would most likely be offline if Azure couldn't communicate with the PTA connectors? Or is that a service ticket to Azure support?
redamaleki
on 11 Jul 2019
That will be a service ticket request.
martincoetzer
on 11 Jul 2019
Related issues
paulmarshall
·
3Comments
spottedmahn
·
3Comments
behnam89
·
3Comments
jharbieh
·
3Comments
ianpowell2017
·
3Comments
Most helpful comment
The FAQ is correct. The key point is "automatic". If you enable PTA and PHS it will not automatically fail-over to use PHS if PTA fails, but an admin can manually switch to PHS if PTA fails. If you previously enabled in PHS, the change will be near instant.