Password sync in the age of COVID-19Alex Fields
This is something I have been seeing and hearing a lot from customers. So I thought it would be a good time to address the age-old topic of Directory Synchronization.
Azure AD Connect is usually the best way to get up and running quickly in the Microsoft 365 cloud, especially when you are migrating from traditional on-premises infrastructure. This is the basis of having a hybrid environment that spans your data center and the cloud–from here we get some nice benefits:
- Ease of migration from traditional Exchange servers — the hybrid connection with Exchange Online will give you the smoothest possible migration experience, where end-users receive a prompt to close and reopen Outlook (and they should remove/re-add their email profile to their mobile device as well).
- Synchronization of identities and passwords, so if you make a change on-premises, it syncs back up to the cloud
- If you have Azure AD Premium plans, you can also enable password write-back so that users can self-service reset their own passwords from the cloud
But there are drawbacks to this as well. To begin, most small business orgs never set up the password write-back feature, especially if they had a traditional Office 365 license (before the more comprehensive Microsoft 365 bundles were a thing). As well, you are required to keep your old Exchange server around for the lifetime of your Azure AD Connect installation–it is not officially supported to retire it, until you have also removed the Directory Synchronization from the picture. And of course, there is the other issue of remembering what to update when and where–many changes need to be made on-premises and cannot be done via the cloud, as long as you have that connection in place.
So the hybrid setup is not without complexity.
Password resets keep IT in business!
Now that we live in a semi-post-apocalyptic existence, and so many folks are still working from home after a few months of lockdown, we are seeing a new request hit our helpdesks–at a much higher rate than what is typical: Good ol’ fashioned password resets.
Usually this problem will present itself as the user losing access to their cloud resources. Why? Because the password has expired on-prem and the account is locked. Nobody has been in the office, and so they have not been seeing the prompts about changing that expiring password.
I have heard that several affected companies have elected to just remove the password rotation requirement in response to this issue–and that may be okay according to the latest password guidance to come out of security think-tanks, but you have to realize that the advice about moving away from traditional password policies that required complexity and rotation are always suggesting that you REPLACE this strategy with something better: Multi-factor authentication.
But I want to propose something beyond just turning off your password expiry (which you should not necessarily do on-premises if you haven’t yet moved to stronger authentication controls such as MFA).
Removing your Directory Synchronization
This option may not be for everyone. But in the SMB space–honestly, why not just shut down the hybrid and remove Azure AD Connect? Most of the customers who still have on-premises infrastructure are working to pare what remains down to zero anyway, and this is one step closer to that goal. To be clear, I recommend that you do all of the following to make this transition:
- Uninstall Azure AD Connect and also disable synchronization
- Enable Combined Security Information Registration so that users will be able to register for Multi-factor authentication as well as Self-Service Password Reset at the same time
- Enable Self-Service Password Reset (SSPR) features
- Enable Multi-Factor Authentication (MFA), if it is not yet enabled
- Remove password expiry option, if it is enabled in the cloud
- Provide end-users with instruction for registering their security information
Now, at the end of this process, you will have non-expiring passwords in the cloud that have MFA enabled, and users can self-service reset the password if they need to, using their second factor of auth. Plus you eliminated the dependencies and tie-backs to on-prem at the same time–no more updating in AD and waiting for a delta sync to the cloud, etc.! This is a win-win for many SMB’s, AND it brings them one step closer to “cloud-only”–which is their ultimate destination anyway.