https://learn.microsoft.com/en-us/azure/security/fundamentals/steps-secure-identity
The simplest and recommended method for enabling cloud authentication for on-premises directory objects in Azure AD is to enable password hash synchronization (PHS). If your organization uses a hybrid identity solution with pass-through authentication or federation, then you should enable password hash sync for the following two reasons:
The Users with leaked credentials report in Azure AD warns of username and password pairs, which have been exposed publically. An incredible volume of passwords is leaked via phishing, malware, and password reuse on third-party sites that are later breached. Microsoft finds many of these leaked credentials and will tell you, in this report, if they match credentials in your organization – but only if you enable password hash sync or have cloud-only identities.
If an on-premises outage happens, like a ransomware attack, you can switch over to using cloud authentication using password hash sync. This backup authentication method will allow you to continue accessing apps configured for authentication with Azure Active Directory, including Microsoft 365. In this case, IT staff won't need to resort to shadow IT or personal email accounts to share data until the on-premises outage is resolved.
No comments:
Post a Comment