Add hashed password migration to Azure AD B2C
Currently, I can migrate user accounts from an existing database to Azure AD B2C. However, it only accepts unhashed passwords, which is completely useless for any modern system, which should ONLY be using hashed and salted passwords. What would actually make this feature useful is to include fields for hashed password, hash algorithm (any of several standard ones), salt and salt method (i.e., appended, prepended, etc).

This is not planned for the next 6 months. If this is needed for your scenario, please continue voting and we will re-evaluate at a later date.
4 comments
-
Jose Antonio Silva commented
Interesting explanation of the current pipe used by AzureAD Connect to send via ServiceBus the Hashed passwords+salt from AD:
https://www.semperis.com/understanding-azure-ad-password-hash-sync/
Anyone interested in implementing a proof using this backdoor?
Wonder if other deviations from the AD Salt mechanism could be supported OOB in AzureAD service?
-
Jose Antonio Silva commented
AD Connect service is able to replicate hashed passwords from AD to AzureAD. How is this implemented and why can't this API be documented for 3rd party migration tools?
Thanks
-
Anonymous commented
I'd like to see this too. I think one of the issues with this is that it's likely that the passwords might not meet the complexity requirements... and we currently don't have a way to set our own that I know of. One idea around this that we have talked about is to create the user account during our current login process before the password is hashed. However, this still might fail for the same reason.
-
Jesse Young commented
Having a feature like this would be ideal; however, providing a workflow for migrating users from a legacy IDP (that supports some form of federation) would be a good backup.