Active Directory and Office 365 / Azure AD Password Sync – FAQ

What is it?

Password sync from CyberQP synchronizes end-user account passwords and password policies between Active Directory and Office 365 / Azure AD as an alternative to Azure AD Connect.

What’s wrong with Azure AD Connect?

Many MSPs and IT departments find Azure AD Connect complicated and difficult to manage.

1. Password synchronization to Office 365 / Azure AD can take up to 15 minutes after a password is reset in Active Directory, leading to end-user confusion and increased support tickets.

2. Accounts that are created in Office 365 first and in Active Directory afterwards break AD Connect password synchronization, leading to increased end-user setup, troubleshooting and support tickets.

3. AD Connect requires an Active Directory account whose password must never expire for its Windows service; a privileged account with a static password poses a potential security risk.

4. Decommissioning AD Connect on an Office 365 / Azure AD tenant requires running PowerShell scripts, and it can take days before the tenant shows as unregistered. This demands more technical skill and often leaves environments in an inconsistent state.

5. You can’t pair an arbitrary Active Directory account with an arbitrary Office 365 / Azure AD account in order to sync their passwords.

What accounts are supported?

Only end-user accounts are supported.

How do I set up accounts with Password Sync?

1. Install the CyberQP server agent on your customer’s Active Directory domain controller(s).

https://support.getquickpass.com/hc/en-us/articles/360035206994-How-to-install-the-Server-Agent-Manual-and-Silent

2. Connect your customer’s Office 365 / Azure AD tenant to the same CyberQP customer.

https://support.getquickpass.com/hc/en-us/articles/360039678373-How-to-Connect-a-Azure-Office-365-tenant-to-a-Quickpass-Customer

3. Import your End-User Accounts and select the option for Matched Accounts (Password Sync: On).

4. Select the Organizational Unit from Active Directory that you wish to import end-user accounts from.

5. Select the end-user accounts you wish to import from Active Directory.

6. Manually (Drag and Drop) or Automatically (Auto Match button) match your selected Active Directory end-user accounts with their associated Office 365 mailboxes.

7. Click Add to complete the process.

https://support.getquickpass.com/hc/en-us/articles/360035207914-How-to-Import-End-User-Accounts-into-Web-Dashboard

How does Password Sync work?

When an end-user account password is reset in one of the following ways, the password is immediately synchronized to Office 365 / Azure AD. One of these events needs to occur before the password is synchronized for the first time.

1. CyberQP self-serve mobile or web app by the end-user

2. CyberQP web dashboard by a technician

3. On the Active Directory domain controller by a technician

4. On the end-user’s PC from the change password option in the Ctrl + Alt + Del menu

5. In the password entry screen in IT Glue / My Glue

How are the password policies integrated?

The Active Directory password policy takes precedence over the Office 365 cloud-only account password policy, with some exceptions:

  • Maximum Password Age: Active Directory password policy
  • Minimum Password Age: Active Directory password policy
  • Minimum Password Length: Active Directory password policy (Exception: If the Active Directory policy is set to < 8 characters CyberQP will change it to 8 characters so it matches the Office 365 cloud-only account minimum password length)
  • Password Complexity: On. If password complexity is disabled in the Active Directory password policy CyberQP will enable it.
  • Enforce password history: Active Directory password policy (Exception: If password history is set to 0, CyberQP will change it to 1 so that it matches the Office 365 cloud-only account password policy)
  • Account lockout threshold: Active Directory password policy (Exception: If the account lockout threshold is 11 or greater, CyberQP will lower it to 10 so that it matches the Office 365 cloud-only account password policy)
  • Account lockout duration: Active Directory password policy
  • CyberQP sets the Office 365 password policy to never expire so that it does not conflict with the Active Directory password expiration policy.
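As an added illustration (not CyberQP’s own code), the helper below applies the exception rules above to a constructed Active Directory policy and reports which domain settings would be rewritten, so you can review the changes before enabling sync. The field names, the `AdPasswordPolicy` class and the cloud constants are assumptions chosen for this example.

```python
from __future__ import annotations
from dataclasses import dataclass, asdict

# Cloud-only Office 365 values the FAQ says CyberQP aligns the AD policy to
# (assumed names; the numbers come from the FAQ text above).
CLOUD_MIN_PASSWORD_LENGTH = 8
CLOUD_MIN_PASSWORD_HISTORY = 1
CLOUD_MAX_LOCKOUT_THRESHOLD = 10


@dataclass
class AdPasswordPolicy:
    """Subset of the AD default domain password policy the FAQ discusses."""
    max_password_age_days: int
    min_password_age_days: int
    min_password_length: int
    complexity_enabled: bool
    password_history_length: int
    lockout_threshold: int           # 0 means "never lock out" in AD
    lockout_duration_minutes: int


def effective_policy(ad: AdPasswordPolicy) -> tuple[AdPasswordPolicy, list[str]]:
    """Return the policy that would be enforced after sync and the list of edits.

    AD wins everywhere except the four exceptions in the FAQ: length below 8,
    complexity disabled, history 0, and lockout threshold above 10.
    A lockout threshold of 0 is left alone because the FAQ does not cover it.
    """
    eff = AdPasswordPolicy(**asdict(ad))
    changes: list[str] = []
    if eff.min_password_length < CLOUD_MIN_PASSWORD_LENGTH:
        changes.append(f"MinPasswordLength {eff.min_password_length} -> {CLOUD_MIN_PASSWORD_LENGTH}")
        eff.min_password_length = CLOUD_MIN_PASSWORD_LENGTH
    if not eff.complexity_enabled:
        changes.append("ComplexityEnabled False -> True")
        eff.complexity_enabled = True
    if eff.password_history_length < CLOUD_MIN_PASSWORD_HISTORY:
        changes.append(f"PasswordHistoryCount {eff.password_history_length} -> {CLOUD_MIN_PASSWORD_HISTORY}")
        eff.password_history_length = CLOUD_MIN_PASSWORD_HISTORY
    if eff.lockout_threshold > CLOUD_MAX_LOCKOUT_THRESHOLD:
        changes.append(f"LockoutThreshold {eff.lockout_threshold} -> {CLOUD_MAX_LOCKOUT_THRESHOLD}")
        eff.lockout_threshold = CLOUD_MAX_LOCKOUT_THRESHOLD
    return eff, changes


if __name__ == "__main__":
    # Constructed sample: a weak legacy domain policy that trips every exception.
    legacy = AdPasswordPolicy(42, 1, 6, False, 0, 25, 30)
    policy, edits = effective_policy(legacy)
    for line in edits:
        print("CyberQP would change:", line)
    print("Effective policy:", policy)
```

Run it against the values from Get-ADDefaultDomainPasswordPolicy on the customer domain; an empty change list means sync will not touch the domain policy.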

How does the Self-Serve App work with Password Sync Enabled?

  • Password Resets: When a password is reset in the self-serve app CyberQP will reset the password in Active Directory and immediately follow by resetting the password in Office 365.
  • Password Expiry Notifications: CyberQP bases password expiry notifications on the Active Directory password policy. It sends a notification each day once a password will expire in less than 10 days, and again when the password expires, unless the password is reset.
  • Account Lock Events – Active Directory: If end-users lock themselves out of their Active Directory-joined computer, they receive an account locked notification either from the CyberQP mobile app or via SMS when using the web app. End-users can open the mobile or web self-serve app to unlock their account, which unlocks it in Active Directory.
  • Account Lock Events – Office 365 / Azure AD: If an end-user account is locked by sign-in attempts on the Office 365 web dashboard, the unlock process is fully automated by Office 365 and cannot be changed. In this case no notifications are sent to the CyberQP self-serve app, as the Microsoft Graph API offers no option for this.
    After 10 unsuccessful sign-in attempts with the wrong password, the user is locked out for one minute. Further incorrect sign-in attempts lock out the user for increasing durations of time. Smart lockout tracks the last three bad password hashes to avoid incrementing the lockout counter for the same password. If someone enters the same bad password multiple times, this behavior will not cause the account to lock out.
    https://support.getquickpass.com/hc/en-us/articles/360039184734-What-is-the-Azure-Office-365-Password-Policy-for-Cloud-Only-Accounts
  • Account Disabled (Blocked / Un-block Sign In): When an end-user account is disabled in CyberQP, it is disabled in Active Directory and sign-in for Office 365 / Azure AD is blocked. The functions in the CyberQP self-serve apps are also disabled immediately, preventing the end-user from resetting their password. Similarly, if an end-user account is enabled in CyberQP, it is enabled in Active Directory and sign-in is un-blocked in Office 365 / Azure AD.