How can we improve Azure Active Directory?

Add hashed password migration to Azure AD B2C

Currently, I can migrate user accounts from an existing database to Azure AD B2C. However, it only accepts unhashed passwords, which is completely useless for any modern system, which should ONLY be using hashed and salted passwords. What would actually make this feature useful is to include fields for hashed password, hash algorithm (any of several standard ones), salt and salt method (e.g., appended, prepended, etc.).

84 votes

Anonymous shared this idea

4 comments

  • Jose Antonio Silva commented

    Interesting explanation of the current pipe AzureAD Connect uses to send the hashed passwords+salt from AD via ServiceBus:
    https://www.semperis.com/understanding-azure-ad-password-hash-sync/
    Anyone interested in implementing a proof using this backdoor?
    Wonder if other deviations from the AD salt mechanism could be supported OOB in the AzureAD service?

  • Jose Antonio Silva commented

    The AD Connect service is able to replicate hashed passwords from AD to AzureAD. How is this implemented, and why can't this API be documented for third-party migration tools?
    Thanks

  • Anonymous commented

    I'd like to see this too. I think one of the issues with this is that it's likely that the passwords might not meet the complexity requirements... and we currently don't have a way to set our own that I know of. One idea around this that we have talked about is to create the user account during our current login process, before the password is hashed. However, this still might fail for the same reason.

  • Jesse Young commented

    Having a feature like this would be ideal; however, providing a workflow for migrating users from a legacy IDP (that supports some form of federation) would be a good backup.
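An added example, not code from this thread, from Microsoft or from Azure AD B2C, of the two things discussed above: what an import that carries hash, algorithm, salt and salt method (the four fields the idea asks for) has to be able to verify, and the migrate-at-login fallback the third comment describes, where the plaintext is only ever seen at sign-in and is re-hashed into the new store at that moment. The record layout, field names, store dictionaries and sample users are constructed for illustration; the new-store format (PBKDF2-HMAC-SHA256 from the standard library) is a stand-in for whatever the target directory actually uses.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Added example for this thread, not Azure AD B2C code. The record below models the
# four fields the idea asks for (hash, algorithm, salt, salt method); the field names,
# the store layout and the sample users are constructed for illustration.

SUPPORTED_ALGORITHMS = ("sha1", "sha256", "sha512")
SALT_METHODS = ("prepended", "appended", "none")
PBKDF2_ITERATIONS = 600_000  # cost for the new store; tune to the target hardware


@dataclass(frozen=True)
class LegacyRecord:
    """One exported row from a legacy user store (constructed shape)."""
    username: str
    algorithm: str    # one of SUPPORTED_ALGORITHMS
    salt: bytes       # raw salt; empty when salt_method == "none"
    salt_method: str  # how salt and password were concatenated before hashing
    digest: bytes     # raw digest bytes as the legacy system stored them


def compute_legacy_digest(password: str, algorithm: str, salt: bytes, salt_method: str) -> bytes:
    """Recompute a legacy hash for a candidate password using the row's own parameters."""
    pw = password.encode("utf-8")
    if salt_method == "prepended":
        data = salt + pw
    elif salt_method == "appended":
        data = pw + salt
    elif salt_method == "none":
        data = pw
    else:
        raise ValueError(f"unknown salt method: {salt_method}")
    return hashlib.new(algorithm, data).digest()


def validate_record(record: LegacyRecord) -> None:
    """Reject import rows that could never verify (bad algorithm name, truncated digest)."""
    if record.algorithm not in SUPPORTED_ALGORITHMS:
        raise ValueError(f"unsupported algorithm: {record.algorithm}")
    if record.salt_method not in SALT_METHODS:
        raise ValueError(f"unknown salt method: {record.salt_method}")
    expected = hashlib.new(record.algorithm).digest_size
    if len(record.digest) != expected:
        raise ValueError(f"{record.username}: digest is {len(record.digest)} bytes, "
                         f"{record.algorithm} produces {expected}")


def verify_legacy(password: str, record: LegacyRecord) -> bool:
    """Constant-time comparison of the recomputed hash against the imported digest."""
    validate_record(record)
    candidate = compute_legacy_digest(password, record.algorithm, record.salt, record.salt_method)
    return hmac.compare_digest(candidate, record.digest)


def hash_modern(password: str) -> dict:
    """Store format for the new system: PBKDF2-HMAC-SHA256 with a fresh random salt."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"kdf": "pbkdf2-sha256", "iterations": PBKDF2_ITERATIONS, "salt": salt, "hash": dk}


def verify_modern(password: str, stored: dict) -> bool:
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), stored["salt"], stored["iterations"])
    return hmac.compare_digest(dk, stored["hash"])


def migrate_on_login(username: str, password: str, legacy_store: dict, modern_store: dict) -> str:
    """Lazy migration at sign-in, the only moment the plaintext is available to re-hash.

    Returns "modern" (already migrated and verified), "migrated" (verified against the
    legacy row, re-hashed into the new store, legacy row retired) or "rejected".
    """
    if username in modern_store:
        return "modern" if verify_modern(password, modern_store[username]) else "rejected"
    record = legacy_store.get(username)
    if record is None or not verify_legacy(password, record):
        return "rejected"
    modern_store[username] = hash_modern(password)
    del legacy_store[username]
    return "migrated"


def make_legacy_record(username, password, algorithm, salt, salt_method) -> LegacyRecord:
    """Test fixture: build a row exactly as the legacy system would have stored it."""
    digest = compute_legacy_digest(password, algorithm, salt, salt_method)
    return LegacyRecord(username, algorithm, salt, salt_method, digest)


# Constructed sample export: three users, three different legacy schemes.
LEGACY_STORE = {
    "alice": make_legacy_record("alice", "correct horse battery staple", "sha256",
                                bytes.fromhex("a1b2c3d4e5f6"), "prepended"),
    "bob": make_legacy_record("bob", "hunter2", "sha1", b"static-pepper", "appended"),
    "carol": make_legacy_record("carol", "letmein", "sha512", b"", "none"),
}
```

Two points the example makes that the feature request only implies: salt order must be an explicit field, because the same digest verifies under "appended" and fails under "prepended", so an import that guesses it locks users out silently; and a per-algorithm digest-length check lets malformed rows fail at import time rather than at each user's first sign-in. The migrate-at-login path also shows why the complexity-policy problem from the third comment persists: the new store only ever receives whatever password the legacy hash accepted.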
