DirSync Password Synchronization

The latest version of the Windows Azure Active Directory (WAAD) Sync Tool, also known as DirSync, has just been released.

Besides supporting Windows Server 2012, this new version provides the much anticipated Password Sync feature, which enables users to log into their Azure Active Directory services (such as Office 365, Intune, CRM Online, etc.) using the same password as they use to log into their on-premises network.

However, this should not be seen as a replacement for ADFS. Rather, it is an alternative for organizations that find it sufficient to have users use the same password in Office 365 as in the on-premises Active Directory. ADFS provides many other features that this tool does not, one of them being Single Sign-On (SSO), where users only need to authenticate once when they are logged on to a domain-joined client machine. With this new tool, and without ADFS, users will get prompted for credentials when accessing Office 365 resources even if they are on a domain-joined client machine. The advantage is that the usernames and passwords are the same, and when users update their credentials in Active Directory, the password will get synchronized to WAAD.

This tool does not provide SSO because there is no token sharing/exchange in the Password Sync based process.

How Password Sync Works

To synchronize a password, the Directory Sync tool extracts the user password hash from the on-premises Active Directory. Additional security processing is applied to the password hash before it is synchronized to the Azure Active Directory Authentication service.

Passwords are synchronized more frequently than the standard Directory Sync window for other attributes. Passwords are synchronized on a per-user basis and generally in chronological order. When a user’s password is synchronized from the on-premises AD to the cloud, the existing cloud password is overwritten. When an on-premises user changes their password, the Password Sync feature will detect and synchronize the changed password, most often in a matter of minutes. The Password Sync feature will automatically retry failed user password syncs. If an error occurs during an attempt to synchronize a password, the error is logged in Event Viewer.

Note that you cannot explicitly define the set of users that will have their passwords synchronized to the cloud.
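Because the sync runs per user, retries on its own and only reports failures to the event log, an operator usually wants a quick way to confirm that a given user's password change actually reached the cloud and whether any password sync attempts failed. The following PowerShell script is an added example and is not part of the original post or the DirSync tool. It assumes it is run on the DirSync server with the Active Directory and MSOnline modules installed, that DirSync writes password sync events to the Application log under the "Directory Synchronization" provider with event IDs in the 650-657 range (656 = change request, 657 = change result, 652 = failure), and that the cloud LastPasswordChangeTimestamp is updated when a synchronized hash is written; treat those provider and ID values as assumptions to verify against your own server's event log.

```powershell
# Added example (not from the original post): confirm that an on-premises
# password change propagated to Azure AD and surface any sync failures.
# Assumptions (verify on your server): provider name "Directory Synchronization",
# password-sync event IDs 650-657, MSOnline and ActiveDirectory modules present.
param(
    [Parameter(Mandatory)][string]$UserPrincipalName,
    [int]$Hours = 24
)

Import-Module ActiveDirectory
Import-Module MSOnline

# 1. On-premises side: when did the user last change their password?
$adUser = Get-ADUser -Filter "UserPrincipalName -eq '$UserPrincipalName'" `
                     -Properties PasswordLastSet
if (-not $adUser) { throw "No on-premises user found for $UserPrincipalName" }

# 2. Cloud side: last directory sync and last password write for the object.
Connect-MsolService   # prompts for Office 365 administrator credentials
$cloudUser = Get-MsolUser -UserPrincipalName $UserPrincipalName

# 3. Password sync events from the DirSync server in the last $Hours hours.
$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Directory Synchronization'   # assumed provider name
    StartTime    = $since
} -ErrorAction SilentlyContinue | Where-Object { $_.Id -ge 650 -and $_.Id -le 657 }

$results  = @($events | Where-Object { $_.Id -eq 657 })   # assumed: change result
$failures = @($events | Where-Object { $_.Id -eq 652 })   # assumed: sync failure

# A password is considered propagated when the cloud password timestamp is not
# older than the on-premises change (assumption about LastPasswordChangeTimestamp).
$propagated = $cloudUser.LastPasswordChangeTimestamp -ge $adUser.PasswordLastSet

[pscustomobject]@{
    User                     = $UserPrincipalName
    OnPremPasswordLastSet    = $adUser.PasswordLastSet
    CloudLastDirSyncTime     = $cloudUser.LastDirSyncTime
    CloudLastPasswordChange  = $cloudUser.LastPasswordChangeTimestamp
    PasswordPropagated       = $propagated
    SyncResultsLastHours     = $results.Count
    SyncFailuresLastHours    = $failures.Count
}

# Print failures for investigation; they are retried automatically, but a
# persistent failure for one account usually means the object needs attention.
if ($failures.Count -gt 0) {
    $failures | Select-Object TimeCreated, Id, Message | Format-List
}
```

Run it as `.\Check-PasswordSync.ps1 -UserPrincipalName user@contoso.com` shortly after a test password change; a `PasswordPropagated` value of `False` several minutes after the change, combined with ID 652 entries, is the case to investigate before reaching for a full sync.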

Enabling Password Sync

Password Sync is enabled when running the Directory Sync tool Configuration Wizard. When prompted by the Wizard, select the “Enable Password Synchronization” checkbox. This process will trigger a full synchronization which generally takes longer than other sync cycles to complete.

The new version of DirSync (v1.0.6385.0012) can be downloaded from your respective Office 365 Admin portal or from here.
