You have heard that Password Hash Sync is available, you are currently using AD FS, and now you want to switch from AD FS to Password Hash Sync.


The first question you should ask yourself: should I really switch?


Here is a list of reasons to keep AD FS around…


  • ADFS can be configured so that users who are already logged on to a domain-joined and connected machine do not need to re-enter their password to sign in to Office 365. This gives you true single sign-on, since re-entry of the password is not required. With Directory Sync and password hash synchronization a user must still re-enter their password, although it will be the same password they use on-premises.
  • ADFS allows for client access filtering, which restricts access to Exchange Online to users based on their IP address.
  • ADFS will honor Active Directory configured login time restrictions for users.
  • ADFS can include web pages for users to change their passwords while they are outside the corporate network.
  • With ADFS the authentication decision is always made on-premises and no password hashes are synchronized to the cloud. This may be obvious, but it is sometimes a security policy requirement.
  • With ADFS an administrator can immediately block a user to remove access, whereas Directory Sync synchronizes these changes every three hours. Only password changes are synchronized by Directory Sync every two minutes.
  • ADFS permits use of on-premises deployed multi-factor authentication products. Note that Azure AD supports multi-factor authentication, but many third-party multi-factor authentication products require on-premises integration.
  • Microsoft Forefront Identity Manager (FIM) may be required for some other FIM capability. FIM directory synchronization does not include password hash synchronization, so ADFS will still be required for SSO login.
  • Some on-premises-to-cloud hybrid scenarios, such as hybrid search, require ADFS.



OK, I don’t care too much about the benefits of AD FS. What are the advantages of Password Hash Sync?


  • A single server is needed vs. redundant and scaled out servers.
  • No dependency on on-premises hardware or datacenter (if the Directory Sync with Password Sync server dies, just replace the Directory Sync server).
  • An on-premises outage has no impact on access to cloud services, because the identity is managed in Azure AD.


I am ready to switch, let's get started


To learn more about how to switch from single sign on to Password Synchronization, go to


To learn more about Password Synchronization, go to