articles/active-directory/authentication/concept-sspr-writeback.md (-3)
@@ -82,9 +82,6 @@ When a federated or password hash synchronized user attempts to reset or change
82
82
83
83
When the call comes in from the cloud, the synchronization engine uses the **cloudAnchor** attribute to look up the Azure Active Directory connector space object. It then follows the link back to the MV object, and then follows the link back to the Active Directory object. Because there can be multiple Active Directory objects (multi-forest) for the same user, the sync engine relies on the `Microsoft.InfromADUserAccountEnabled.xxx` link to pick the correct one.
84
84
85
-
> [!Note]
86
-
> As a result of this logic, for password writeback to work Azure AD Connect must be able to communicate with the primary domain controller (PDC) emulator. If you need to enable this manually, you can connect Azure AD Connect to the PDC emulator. Right-click the **properties** of the Active Directory synchronization connector, then select **configure directory partitions**. From there, look for the **domain controller connection settings** section and select the box titled **only use preferred domain controllers**. Even if the preferred domain controller is not a PDC emulator, Azure AD Connect attempts to connect to the PDC for password writeback.
87
-
88
85
1. After the user account is found, an attempt to reset the password directly in the appropriate Active Directory forest is made.
89
86
1. If the password set operation is successful, the user is told their password has been changed.
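Review bot: the deleted `[!Note]` block (old lines 85-87) was the only place this article told readers that password writeback requires Azure AD Connect to reach the PDC emulator, and how to force that through **configure directory partitions** and **only use preferred domain controllers**; nothing in the remaining hunk replaces it. If the PDC-emulator requirement no longer holds, say so in the commit message or in the paragraph above the removed note; if it still holds, keep the note, because the look-up-then-reset flow in the numbered steps that follow silently depends on that connectivity, and an operator debugging a failed writeback loses the one hint the page gave.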
articles/active-directory/authentication/multi-factor-authentication-faq.md (+1 / -1)
@@ -139,7 +139,7 @@ If your organization doesn't have legacy clients, you should not allow your user
139
139
> [!NOTE]
140
140
> Modern authentication for Office 2013 clients
141
141
>
142
-
> App passwords are only necessary for apps that don't support modern authentication. Office 2013 clients support modern authentication protocols, but need to be configured. Now modern authentication is available to any customer running the March 2015 or later update for Office 2013. For more information, see the [Office 2013 modern authentication public preview announced](https://www.microsoft.com/en-us/microsoft-365/blog/2015/03/23/office-2013-modern-authentication-public-preview-announced/).
142
+
> App passwords are only necessary for apps that don't support modern authentication. Office 2013 clients support modern authentication protocols, but need to be configured. Now modern authentication is available to any customer running the March 2015 or later update for Office 2013. For more information, see the blog post [Updated Office 365 modern authentication](https://www.microsoft.com/microsoft-365/blog/2015/11/19/updated-office-365-modern-authentication-public-preview/).
143
143
144
144
**Q: My users say that sometimes they don't receive the text message, or they reply to two-way text messages but the verification times out.**
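Review bot: the replaced link now targets the November 2015 "Updated Office 365 modern authentication" post, but the sentence in front of it still says "running the March 2015 or later update for Office 2013" and was written around the original announcement; check that the March 2015 requirement is still what the new post states, or reword the sentence so it does not present the new link as the announcement. Dropping the `en-us` locale segment from the URL is the right call. Since the line is being touched anyway, "Now modern authentication is available to any customer" reads better as "Modern authentication is now available to any customer".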
articles/active-directory/develop/single-sign-on-saml-protocol.md (+1 / -1)
@@ -86,7 +86,7 @@ If `NameIDPolicy` is provided, you can include its optional `Format` attribute.
86
86
Azure AD ignores the `AllowCreate` attribute.
87
87
88
88
### RequestAuthnContext
89
-
The `RequestedAuthnContext` element specifies the desired authentication methods. It is optional in `AuthnRequest` elements sent to Azure AD. Azure AD supports only one `AuthnContextClassRef`value:`urn:oasis:names:tc:SAML:2.0:ac:classes:Password`.
89
+
The `RequestedAuthnContext` element specifies the desired authentication methods. It is optional in `AuthnRequest` elements sent to Azure AD. Azure AD supports `AuthnContextClassRef`values such as`urn:oasis:names:tc:SAML:2.0:ac:classes:Password`.
90
90
91
91
### Scoping
92
92
The `Scoping` element, which includes a list of identity providers, is optional in `AuthnRequest` elements sent to Azure AD.
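Review bot: the new wording "Azure AD supports `AuthnContextClassRef`values such as`urn:oasis:names:tc:SAML:2.0:ac:classes:Password`" swaps a precise statement ("only one value") for an open-ended one without saying which other values are accepted or what Azure AD does with a value it does not support; list the supported class references or link to where they are documented, otherwise a service-provider author cannot tell whether a request for a stronger authentication context will be honoured or answered with a password-only assertion. The missing spaces around the inline code (`AuthnContextClassRef`values, such as`urn:...`) are carried over from the old line and should be fixed in the same edit. Two lines up, the heading reads `### RequestAuthnContext` while the element is `RequestedAuthnContext`; worth correcting in the same pass.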
articles/active-directory/hybrid/reference-connect-sync-attributes-synchronized.md (+1 / -7)
@@ -12,7 +12,7 @@ ms.workload: identity
12
12
ms.tgt_pltfrm: na
13
13
ms.devlang: na
14
14
ms.topic: reference
15
-
ms.date: 01/24/2019
15
+
ms.date: 04/24/2019
16
16
ms.subservice: hybrid
17
17
ms.author: billmath
18
18
@@ -153,7 +153,6 @@ In this case, start with the list of attributes in this topic and identify those
153
153
| pwdLastSet |X |||mechanical property. Used to know when to invalidate already issued tokens. Used by both password sync and federation. |
154
154
| reportToOriginator |||X ||
155
155
| reportToOwner |||X ||
156
-
| securityEnabled |||X |Derived from groupType |
157
156
| sn |X |X |||
158
157
| sourceAnchor |X |X |X |mechanical property. Immutable identifier to maintain relationship between ADDS and Azure AD. |
159
158
| st |X |X |||
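Review bot: the removed row `| securityEnabled |||X |Derived from groupType |` has its X in the group column, so a group attribute is being dropped from the list and the hunk gives no reason; the section intro tells readers to start from this table when scoping which attributes Azure AD Connect reads, so they will conclude that security-enabled status is no longer synchronized. If the intent is that securityEnabled is derived in the cloud from groupType rather than read from AD, say so in the commit message (and confirm groupType itself is listed); if it is still required for groups, the row should stay.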
@@ -236,7 +235,6 @@ In this case, start with the list of attributes in this topic and identify those
236
235
| pwdLastSet |X |||mechanical property. Used to know when to invalidate already issued tokens. Used by both password hash sync, pass-through authentication and federation. |
237
236
| reportToOriginator |||X ||
238
237
| reportToOwner |||X ||
239
-
| securityEnabled |||X |Derived from groupType |
240
238
| sn |X |X |||
241
239
| sourceAnchor |X |X |X |mechanical property. Immutable identifier to maintain relationship between ADDS and Azure AD. |
242
240
| st |X |X |||
@@ -289,7 +287,6 @@ In this case, start with the list of attributes in this topic and identify those
289
287
| preferredLanguage |X ||||
290
288
| proxyAddresses |X |X |X ||
291
289
| pwdLastSet |X |||mechanical property. Used to know when to invalidate already issued tokens. Used by both password hash sync, pass-through authentication and federation. |
292
-
| securityEnabled |||X |Derived from groupType |
293
290
| sn |X |X |||
294
291
| sourceAnchor |X |X |X |mechanical property. Immutable identifier to maintain relationship between ADDS and Azure AD. |
295
292
| st |X |X |||
@@ -312,7 +309,6 @@ In this case, start with the list of attributes in this topic and identify those
312
309
| objectSID |X ||X |mechanical property. AD user identifier used to maintain sync between Azure AD and AD. |
313
310
| proxyAddresses |X |X |X |mechanical property. Used by Azure AD. Contains all secondary email addresses for the user. |
314
311
| pwdLastSet |X |||mechanical property. Used to know when to invalidate already issued tokens. |
315
-
| securityEnabled |||X |Derived from groupType. |
316
312
| sourceAnchor |X |X |X |mechanical property. Immutable identifier to maintain relationship between ADDS and Azure AD. |
317
313
| usageLocation |X |||mechanical property. The user’s country. Used for license assignment. |
318
314
| userPrincipalName |X |||This UPN is the login ID for the user. Most often the same as [mail] value. |
@@ -331,7 +327,6 @@ In this case, start with the list of attributes in this topic and identify those
331
327
| objectSID |X ||X |mechanical property. AD user identifier used to maintain sync between Azure AD and AD. |
332
328
| proxyAddresses |X |X |X ||
333
329
| pwdLastSet |X |||mechanical property. Used to know when to invalidate already issued tokens. Used by both password hash sync, pass-through authentication and federation. |
334
-
| securityEnabled |||X |Derived from groupType |
335
330
| sourceAnchor |X |X |X |mechanical property. Immutable identifier to maintain relationship between ADDS and Azure AD. |
336
331
| usageLocation |X |||mechanical property. The user’s country. Used for license assignment. |
337
332
| userPrincipalName |X |||UPN is the login ID for the user. Most often the same as [mail] value. |
@@ -359,7 +354,6 @@ In this case, start with the list of attributes in this topic and identify those
359
354
| postalCode |X |X |||
360
355
| preferredLanguage |X ||||
361
356
| pwdLastSet |X |||mechanical property. Used to know when to invalidate already issued tokens. Used by both password hash sync, pass-through authentication and federation. |
362
-
| securityEnabled |||X |Derived from groupType |
363
357
| sn |X |X |||
364
358
| sourceAnchor |X |X |X |mechanical property. Immutable identifier to maintain relationship between ADDS and Azure AD. |
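Review bot: same removal as in the earlier hunks; the row is taken out of all six tables consistently (including the variant at old line 315 that ended with a period), so no table is left saying something different from the others. The ms.date bump in the first hunk matches the content change.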
The following tutorial will walk you through setting up password hash sync as a backup and fail-over for AD FS. This document will also demonstrate how to enable password hash sync as the primary authentication method, if AD FS has failed or become unavailable.
21
21
22
+
>[!NOTE]
23
+
>Although these steps are usually performed during emergency or outage situations, it is recommended that you test these steps and verify your procedures before an outage occurs.
24
+
25
+
>[!NOTE]
26
+
>In the event that you do not have access to Azure AD Connect server or the server does not have access to the internet, you can contact [Microsoft Support](https://support.microsoft.com/en-us/contactus/) to assist with the changes to the Azure AD side.
27
+
22
28
## Prerequisites
23
29
This tutorial builds upon the [Tutorial: Federate a single AD forest environment to the cloud](tutorial-federation.md) and is a per-requisite before attempting this tutorial. If you have not completed this tutorial, do so before attempting the steps in this document.
24
30
31
+
>[!IMPORTANT]
32
+
>Prior to switching to PHS you should create a backup of your AD FS environment. This can be done using the [AD FS Rapid Restore Tool](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/ad-fs-rapid-restore-tool#how-to-use-the-tool).
33
+
25
34
## Enable PHS in Azure AD Connect
26
35
The first step, now that we have an Azure AD Connect environment that is using federation, is to turn on password hash sync and allow Azure AD Connect to synchronize the hashes.
27
36
@@ -42,6 +51,9 @@ Do the following:
42
51
## Switch to password hash synchronization
43
52
Now, we will show you how to switch over to password hash synchronization. Before you start, consider under which conditions should you make the switch. Don't make the switch for temporary reasons, like a network outage, a minor AD FS problem, or a problem that affects a subset of your users. If you decide to make the switch because fixing the problem will take too long, do the following:
44
53
54
+
> [!IMPORTANT]
55
+
> Be aware that it will take some time for the password hashes to synchronize to Azure AD. This means that it may take up 3 hours for the synchronizations to complete and before you can start authenticating using the password hashes.
56
+
45
57
1. Double-click the Azure AD Connect icon that was created on the desktop
46
58
2. Click **Configure**.
47
59
3. Select **Change user sign-in** and click **Next**.
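Review bot: the added `[!IMPORTANT]` note reads "it may take up 3 hours" (missing "to"), and "for the synchronizations to complete and before you can start authenticating" should be "for the synchronization to complete before you can start authenticating". Since this note is what an operator reads during an outage, it would help to state plainly that users cannot sign in with their on-premises password in the cloud until that synchronization has finished.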
@@ -60,9 +72,47 @@ Now, we will show you how to switch over to password hash synchronization. Befor
60
72
2. Sign in with a user account that was created in our new tenant. You will need to sign in using the following format: (user@domain.onmicrosoft.com). Use the same password that the user uses to sign in on-premises.</br>
Now, we will show you how to switch back to federation. To do this, do the following:
77
+
78
+
1. Double-click the Azure AD Connect icon that was created on the desktop
79
+
2. Click **Configure**.
80
+
3. Select **Change user sign-in** and click **Next**.
81
+
4. Enter the username and password for your global administrator. This is the account that was created [here](tutorial-federation.md#create-a-global-administrator-in-azure-ad) in the previous tutorial.
82
+
5. On the **User sign-in** screen, select **Federation with AD FS** and click **Next**.
83
+
6. On the Domain Administrator credentials page, enter the contoso\Administrator username and password and click **Next.**
84
+
7. On the AD FS farm screen, click **Next**.
85
+
8. On the **Azure AD domain** screen, select the domain from the drop-down and click **Next**.
86
+
9. On the **Ready to configure** screen, click **Configure**.
87
+
10. Once configuration is complete, click **Next**.
11. On the **Verify federation connectivity** screen, click **Verify**. You may need to configure DNS records (add A and AAAA records) for this to complete successfully.
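Review bot: step 11 in the added switch-back list ("You may need to configure DNS records (add A and AAAA records)") does not say which name the records are for; readers will need the federation service name, so either name it or point at the DNS section of the federation tutorial. Step 1 ("Double-click the Azure AD Connect icon that was created on the desktop") is missing its terminal period, and the unchanged line just before the list ends with `</br>`, which is not a valid tag (`<br/>` or a blank line would be); drop it or fix it in the same pass.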
5. On the **Connect to Azure AD** screen enter the username and password for your global administrator.
102
+
6. On the **Connect to AD FS** screen, enter the contoso\Administrator username and password and click **Next.**
103
+
7. On the **Certificates** screen, click **Next**.
104
+
105
+
## Test signing in with one of our users
106
+
107
+
1. Browse to [http://myapps.microsoft.com](http://myapps.microsoft.com)
108
+
2. Sign-in with a user account that was created in our new tenant. You will need to sign-in using the following format: (user@domain.onmicrosoft.com). Use the same password that the user uses to sign-in on-premises.
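Review bot: the added test step links `http://myapps.microsoft.com` over plain HTTP; use `https://myapps.microsoft.com` so readers are not sent through an unencrypted hop before reaching the sign-in page. "Sign-in" as a verb should be "Sign in" (three occurrences in step 2); the hyphenated form is the noun, and the earlier copy of this step at old line 60 already uses "Sign in".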