Azure AD Connect-

Question

When I set up Azure AD Connect, I initially set the single sign on method to Password Synchronization. This syncs users passwords from the on-premises AD to the cloud (O365). This worked fine and users can log into Office 365 ( https://login.microsoftonline.com ) with their domain password.

We are now moving to a 3rd party Identity Provider for SSO. This SSO provider is not ADFS. Per Microsoft's documentation, I am trying to set the single sign on method to "Do Not Configure" but it's greyed out now. How do I disable password synchronization in favor for federated SSO with a 3rd party Identity Provider?

Answer 1

Steps:

You could try disabling the Password Synchronization via PowerShell:

Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $Local -TargetConnector $Remote -Enable $False

Run this script: (just replace the connector names)

$adConnector  = "fabrikam.com"
$aadConnector = "aaddocteam.onmicrosoft.com - AAD"

Import-Module adsync
$c = Get-ADSyncConnector -Name $adConnector
$p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter "Microsoft.Synchronize.ForceFullPasswordSync", String, ConnectorGlobal, $null, $null, $null
$p.Value = 1
$c.GlobalParameters.Remove($p.Name)
$c.GlobalParameters.Add($p)
$c = Add-ADSyncConnector -Connector $c     
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $false

What do the above steps do exactly:

The command is from the force password sync script as shown here ( http://social.technet.microsoft.com/wiki/contents/articles/28433.how-to-use-powershell-to-trigger-a-full-password-sync-in-azure-ad-sync.aspx ) which triggers the full password sync by switching it Off and then to On. The one above is just the command for "Off" which is indicated by the switch (-Enable $false)

Results:

You would notice that the Password Synchronization service would be disabled even though it may/may not be indicated through the GUI (Azure AD Connect wizard) but you can definitely trust the output of a few PowerShell commandlets which would indicate the status of the password sync given in the Verification Steps below.

Verification:

You could verify if the password synchronization is completely switched off by:

1.Checking the value of "PasswordSynchronizationEnabled" in the output of Get-MsolCompanyInformation command:

Get-MsolCompanyInformation

2.Changing a User's password and then monitoring whether the "Password Sync" is triggered or not by monitoring the Events 656 and 657 in the Application event log of the Synchronization Server.

3.You could try the "Heartbeat Script" as shown here: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-implement-password-synchronization to get the status of the Password Synchronization.