![\"How](\"https:\/\/www.testpreptraining.ai\/tutorial\/wp-content\/uploads\/2020\/08\/sync-topology-1.png\")
Synchronization from Azure AD to Azure AD DS<\/strong><\/h3>\n\n\n\nUser accounts, group memberships, and credential hashes are synchronized one way from Azure AD to Azure AD DS. Also, This synchronization process is automatic. You don’t need to configure, monitor, or manage this synchronization process. Furthermore, The initial synchronization may take a few hours to a couple of days, depending on the number of objects in the Azure AD directory. After the initial synchronization is complete, changes that are made in Azure AD, such as password or attribute changes, are then automatically synchronized to Azure AD DS.<\/p>\n\n\n\n
Attribute synchronization and mapping to Azure AD DS<\/strong><\/h3>\n\n\n\nThe following table lists some common attributes and how they’re synchronized to Azure AD DS.<\/p>\n\n\n\nAttribute in Azure AD DS<\/th> Source<\/th> Notes<\/th><\/tr><\/thead> UPN<\/td> User’s UPN<\/em> attribute in Azure AD tenant<\/td>The UPN attribute from the Azure AD tenant is synchronized as-is to Azure AD DS. Also, The most reliable way to sign in to a managed domain is using the UPN.<\/td><\/tr> SAMAccountName<\/td> User’s mailNickname<\/em> attribute in Azure AD tenant or autogenerated<\/td>The\u00a0SAMAccountName<\/em>\u00a0attribute is sourced from the\u00a0mailNickname<\/em>\u00a0attribute in the Azure AD tenant. Furthermore, If multiple user accounts have the same\u00a0mailNickname<\/em>\u00a0attribute, the\u00a0SAMAccountName<\/em>\u00a0is autogenerated. If the user’s\u00a0mailNickname<\/em>\u00a0or\u00a0UPN<\/em>\u00a0prefix is longer than 20 characters, the\u00a0SAMAccountName<\/em>\u00a0is autogenerated to meet the 20 character limit on\u00a0SAMAccountName<\/em>\u00a0attributes.<\/td><\/tr>Passwords<\/td> User’s password from the Azure AD tenant<\/td> Legacy password hashes required for NTLM or Kerberos authentication are synchronized from the Azure AD tenant. Subsequently, If the Azure AD tenant is configured for hybrid synchronization using Azure AD Connect, these password hashes are sourced from the on-premises AD DS environment.<\/td><\/tr> Primary user\/group SID<\/td> Autogenerated<\/td> The primary SID for user\/group accounts is autogenerated in Azure AD DS. Also, This attribute doesn’t match the primary user\/group SID of the object in an on-premises AD DS environment. Subsequently, This mismatch is because the managed domain has a different SID namespace than the on-premises AD DS domain.<\/td><\/tr> SID history for users and groups<\/td> On-premises primary user and group SID<\/td> The\u00a0SidHistory<\/em>\u00a0attribute for users and groups in Azure AD DS is set to match the corresponding primary user or group SID in an on-premises AD DS environment. Also, This feature helps make lift-and-shift of on-premises applications to Azure AD DS also easier as you don’t need to re-ACL resources.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\nSynchronization from on-premises AD DS to Azure AD and Azure AD DS<\/strong><\/h3>\n\n\n\nSbsequently, Azure AD Connect is used to synchronize user accounts, group memberships, and credential hashes from an on-premises AD DS environment to Azure AD. Attributes of user accounts such as the UPN and on-premises security identifier (SID) are synchronized. To sign in using Azure AD DS, legacy password hashes required for NTLM and Kerberos authentication are indeed synchronized to Azure AD.<\/p>\n\n\n\n
Furthermore, also having knowledge about Synchronization from a multi-forest on-premises environment and What isn’t synchronized to Azure AD DS. <\/p>\n\n\n\n
Password hash synchronization and security considerations<\/strong><\/h3>\n\n\n\nWhen you enable Azure AD DS, legacy password hashes for NTLM + Kerberos authentication are required. Also, Azure AD doesn’t store clear-text passwords, so these hashes can’t be automatically generated for existing user accounts. Subsequently, Once generated and stored, NTLM and Kerberos compatible password hashes are always stored in an encrypted manner in Azure AD.<\/p>\n\n\n\n
Furthermore, The encryption keys are unique to each Azure AD tenant. Indeed, These hashes are encrypted such that only Azure AD DS has access to the decryption keys. Finally, No other service or component in Azure AD has access to the decryption keys.<\/p>\n\n\n\n
The following table lists some common attributes and how they’re synchronized to Azure AD DS.<\/p>\n\n\n\n Sbsequently, Azure AD Connect is used to synchronize user accounts, group memberships, and credential hashes from an on-premises AD DS environment to Azure AD. Attributes of user accounts such as the UPN and on-premises security identifier (SID) are synchronized. To sign in using Azure AD DS, legacy password hashes required for NTLM and Kerberos authentication are indeed synchronized to Azure AD.<\/p>\n\n\n\n Furthermore, also having knowledge about Synchronization from a multi-forest on-premises environment and What isn’t synchronized to Azure AD DS. <\/p>\n\n\n\n When you enable Azure AD DS, legacy password hashes for NTLM + Kerberos authentication are required. Also, Azure AD doesn’t store clear-text passwords, so these hashes can’t be automatically generated for existing user accounts. Subsequently, Once generated and stored, NTLM and Kerberos compatible password hashes are always stored in an encrypted manner in Azure AD.<\/p>\n\n\n\n Furthermore, The encryption keys are unique to each Azure AD tenant. Indeed, These hashes are encrypted such that only Azure AD DS has access to the decryption keys. Finally, No other service or component in Azure AD has access to the decryption keys.<\/p>\n\n\n\nAttribute in Azure AD DS<\/th> Source<\/th> Notes<\/th><\/tr><\/thead> UPN<\/td> User’s UPN<\/em> attribute in Azure AD tenant<\/td> The UPN attribute from the Azure AD tenant is synchronized as-is to Azure AD DS. Also, The most reliable way to sign in to a managed domain is using the UPN.<\/td><\/tr> SAMAccountName<\/td> User’s mailNickname<\/em> attribute in Azure AD tenant or autogenerated<\/td> The\u00a0SAMAccountName<\/em>\u00a0attribute is sourced from the\u00a0mailNickname<\/em>\u00a0attribute in the Azure AD tenant. Furthermore, If multiple user accounts have the same\u00a0mailNickname<\/em>\u00a0attribute, the\u00a0SAMAccountName<\/em>\u00a0is autogenerated. If the user’s\u00a0mailNickname<\/em>\u00a0or\u00a0UPN<\/em>\u00a0prefix is longer than 20 characters, the\u00a0SAMAccountName<\/em>\u00a0is autogenerated to meet the 20 character limit on\u00a0SAMAccountName<\/em>\u00a0attributes.<\/td><\/tr> Passwords<\/td> User’s password from the Azure AD tenant<\/td> Legacy password hashes required for NTLM or Kerberos authentication are synchronized from the Azure AD tenant. Subsequently, If the Azure AD tenant is configured for hybrid synchronization using Azure AD Connect, these password hashes are sourced from the on-premises AD DS environment.<\/td><\/tr> Primary user\/group SID<\/td> Autogenerated<\/td> The primary SID for user\/group accounts is autogenerated in Azure AD DS. Also, This attribute doesn’t match the primary user\/group SID of the object in an on-premises AD DS environment. Subsequently, This mismatch is because the managed domain has a different SID namespace than the on-premises AD DS domain.<\/td><\/tr> SID history for users and groups<\/td> On-premises primary user and group SID<\/td> The\u00a0SidHistory<\/em>\u00a0attribute for users and groups in Azure AD DS is set to match the corresponding primary user or group SID in an on-premises AD DS environment. Also, This feature helps make lift-and-shift of on-premises applications to Azure AD DS also easier as you don’t need to re-ACL resources.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n Synchronization from on-premises AD DS to Azure AD and Azure AD DS<\/strong><\/h3>\n\n\n\n
Password hash synchronization and security considerations<\/strong><\/h3>\n\n\n\n
![\"free](\"https:\/\/www.testpreptraining.ai\/tutorial\/wp-content\/uploads\/2020\/07\/Untitled-design-5.png\")
<\/a><\/figure><\/div>\n\n\n\n