Office 365: Disabling password synchronization and password remnants…


A feature of directory synchronization (Azure AD Connect) is the ability to synchronize on-premises Active Directory password hashes to Azure Active Directory so that users sign on with a single password.  The synchronized password is only used when the domain you are authenticating to is managed, not federated.  There are also customers that use federation as their authentication method but pre-enable password synchronization as a backup method of authentication.  This becomes relevant in a long-duration federated authentication failure, where the domain is converted to managed as a workaround and sign-in continues with the synchronized password.

 

In other instances password synchronization was enabled by mistake.  Password synchronization is enabled and disabled by toggling the option in the Azure AD Connect configuration wizard.  Once an on-premises password hash has been synced to Azure Active Directory, disabling password synchronization does not remove the password already stamped on the cloud user object.  After the feature is disabled new passwords will no longer sync, but the previously synced password remains set on the account.

 

An administrator I worked with recently discovered they had enabled password synchronization by mistake.  After disabling password sync, their security team wanted to ensure that no remnant of the on-premises password remained in Office 365.  Unfortunately the password field cannot be set to NULL.  In our case we looked at options to process all users within a given UPN suffix and set each password to a randomly generated string.  The maximum password length in Azure AD at the time this post was authored is 16 characters, and the password must contain at least one special character and one number.
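As an added example (not part of the original post, and a different generator from the one in the script further down), the function below draws the 16 characters from the .NET cryptographic random number generator rather than Get-Random, and forces one character from each of four classes so the result always satisfies the complexity rule just described.  The names New-RandomMsolPassword, Get-CryptoRandomIndex and Test-MsolPasswordRequirements are my own, and the exact special-character set is an assumption you can trim to taste.

```powershell
# Added example, not part of the original script.
# Assumes Windows PowerShell 5.1 / .NET Framework (RNGCryptoServiceProvider is available).

function Get-CryptoRandomIndex
{
    # Return a uniformly distributed integer in [0, Count) from a CSPRNG.
    Param
    (
        [System.Security.Cryptography.RandomNumberGenerator]$Rng,
        [int]$Count
    )

    $bytes = New-Object byte[] 4
    # Rejection sampling: values at or above $limit would bias (value % Count).
    $limit = [uint32]::MaxValue - ([uint32]::MaxValue % [uint32]$Count)
    do
    {
        $Rng.GetBytes($bytes)
        $value = [BitConverter]::ToUInt32($bytes, 0)
    } while ($value -ge $limit)

    return [int]($value % $Count)
}

function New-RandomMsolPassword
{
    Param
    (
        [int]$Length = 16   # Azure AD maximum at the time of the post.
    )

    # Character classes (assumed set; adjust if a target system rejects any of them).
    $lower   = [char[]]'abcdefghijklmnopqrstuvwxyz'
    $upper   = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
    $digits  = [char[]]'0123456789'
    $special = [char[]]'!#$%&*+-./:;<=>?@[]^_{}~'
    $all     = $lower + $upper + $digits + $special

    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    try
    {
        $chars = New-Object System.Collections.Generic.List[char]

        # One character from every class guarantees at least one digit and one special character.
        foreach ($set in @($lower, $upper, $digits, $special))
        {
            $chars.Add($set[(Get-CryptoRandomIndex -Rng $rng -Count $set.Length)])
        }

        # Fill the remaining positions from the full set.
        while ($chars.Count -lt $Length)
        {
            $chars.Add($all[(Get-CryptoRandomIndex -Rng $rng -Count $all.Length)])
        }

        # Fisher-Yates shuffle so the class-guaranteed characters are not always in positions 1-4.
        for ($i = $chars.Count - 1; $i -gt 0; $i--)
        {
            $j   = Get-CryptoRandomIndex -Rng $rng -Count ($i + 1)
            $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
        }

        # Set-MsolUserPassword -NewPassword takes a plain string, so return one.
        return -join $chars
    }
    finally
    {
        $rng.Dispose()
    }
}

function Test-MsolPasswordRequirements
{
    # Check the rule stated in the post: at most 16 characters, at least one digit and one special character.
    Param([string]$Password)

    return ($Password.Length -le 16) -and
           ($Password -cmatch '[0-9]') -and
           ($Password -cmatch '[^A-Za-z0-9]')
}

# Usage:
$candidate = New-RandomMsolPassword -Length 16
if (-not (Test-MsolPasswordRequirements -Password $candidate))
{
    throw "Generated value does not meet the password rule; this should not happen."
}
```

Get-Random in Windows PowerShell is backed by System.Random, which is adequate for picking sample data but is not a cryptographic generator.  Since the whole point of this exercise is that nobody should be able to reproduce the replacement passwords, the CSPRNG is the appropriate source, and the per-class guarantee removes the small chance that a purely random draw fails the service-side complexity check and leaves that user unchanged.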

 

To accomplish this we developed the script you will find below.  The script takes all users for a particular domain and iterates through each of them, setting a random 16-character password.  The script concludes by logging all of the changes to a CSV file for reference.  NOTE:  The CSV file contains the user names and the new passwords in plain text; it should be secured, and dealt with appropriately after validating the success or failure of the change.

 

#===============================================================================
#
#Author:  Timothy J. McMichael (timmcmic@microsoft.com)
#
#Script Purpose:
#
#Randomize passwords on MSOL account after disabling password synchronization.
#
#Date:  10/4/2017
#
#Revision History:
#
#10/4/2017 Initial Development
#
#===============================================================================

#START

#Declare variables.

[char[]]$ascii=@() #ASCII character set to randomize the password from (the name must match the loop below that fills it).
[int]$passwordLength=16 #Maximum MSOL password length is 16 characters.
[array]$outputTracking=@() #Array to track the results of this work.


#Create password change functions.
#The following functions and structures are based on the published blog post by Ed Wilson over at the Scripting Guys.
#All props for coming up with this belong to them.
#
#https://blogs.technet.microsoft.com/heyscriptingguy/2013/06/03/generating-a-new-password-with-windows-powershell/

Function GET-Temppassword()
{
    Param
    (
    [int]$length=10,
    [string[]]$sourcedata
    )

    #Start from an empty string so each += below is a string append.
    [string]$TempPassword=""

    For ($loop=1; $loop -le $length; $loop++)
    {
        #Pick one random element of the source set for this position.
        $TempPassword+=($sourcedata | GET-RANDOM)
    }

    return $TempPassword
}

#Attempt to connect to MSOL server. 

Function try-ConnectMsolServer()
{
    #Clear the error variable.

    $Error.Clear()

    #Get the credential

    $credential=Get-Credential

    #Attempt connection to service.

    Connect-MsolService -Credential $credential

    #If the error count is greater than 0 (unable to connect) throw an exception and discontinue.

    if ($error.Count -gt 0)
    {
        Throw "We were unable to connect to the MSOL Service - Review Errors"
    }
}

#Define the ASCII character set: codes 48-122 cover digits, several punctuation characters, and upper and lower case letters.

For ($a=48;$a -le 122;$a++)
{
    $ascii+=,[char][byte]$a
}

#Import MSOnline Module.

Import-Module MSOnline -Verbose

#Try to connect to the MSOL service.

try-connectMsolServer

#Connection to MSOL Service Successful.
#Gather all users from the MSOL Service
#NOTE:  THIS COMMAND ASSUMES YOU WANT TO RANDOMIZE THE PASSWORD OF ALL USERS at a given UPN suffix.
#THIS COMMAND MAY NEED TO BE MODIFIED IF A SUBSET OF USERS NEEDS TO BE SELECTED.
#The "@" in the pattern keeps the filter from also matching other suffixes that merely end in "contoso.com".

$users=get-msoluser -All | where{$_.userPrincipalName -like "*@contoso.com"}

#Iterate through each user and process a password change.

foreach ($user in $users)
{
    #Clear the error variable.

    $Error.Clear()

    #Create the output tracking object for each user.

    $outputObject=New-Object PSOBJECT

    #Obtain the new password.
   
    $newPassword=get-temppassword -length $passwordLength -sourcedata $ascii

    #Add the UPN, OBJECTID, and NEWPASSWORD to our object.

    Add-Member -InputObject $outputObject -MemberType NoteProperty -Name UPN -Value $user.UserPrincipalName
    Add-Member -InputObject $outputObject -MemberType NoteProperty -Name OBJECTID -Value $user.ObjectId
    Add-Member -InputObject $outputObject -MemberType NoteProperty -Name PASSWORD -Value $newPassword

    #Attempt to set the user's password.
    #If the domain is managed and you intend to distribute these passwords for some reason, add -ForceChangePassword $true so that users must replace the generated password at next sign-in.

    Set-MsolUserPassword -ObjectId $user.ObjectId -NewPassword $newPassword

    #Verify error return and determine if user password change was successful.

    if ($Error.Count -gt 0)
    {
        #User password change was not successful - update object sucess field with false.

        Add-Member -InputObject $outputObject -MemberType NoteProperty -Name SUCCESS -Value $false
    }
    else
    {
        #user password change was successful - update object success field with TRUE.

        Add-Member -InputObject $outputObject -MemberType NoteProperty -Name SUCCESS -Value $true
    }

    #Add the output object to the give output tracking array.

    $outputTracking+=$outputObject
}

#Export the output tracking array to a CSV file.

$outputTracking | Export-Csv -Path D:\Test.csv -NoTypeInformation

#END
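As an added example that is not part of the original script, this is the verification pass I would run once the script above has finished, since the security team's goal was "no remnant remains" rather than "the script ran".  It assumes an existing Connect-MsolService session, that D:\Test.csv is the log the script wrote, and that you set $disabledAt to the UTC time at which password synchronization was switched off in Azure AD Connect (the value below is a placeholder).  The PasswordSynchronizationEnabled and LastPasswordSyncTime properties come from Get-MsolCompanyInformation and LastPasswordChangeTimestamp from Get-MsolUser, as exposed by the MSOnline module; the function names are my own.

```powershell
# Added verification example, not part of the original script.
# Assumes you are already connected with Connect-MsolService.

$csvPath    = 'D:\Test.csv'   # log written by the script above
$disabledAt = ([datetime]'2017-10-04T00:00:00Z').ToUniversalTime()   # placeholder: when sync was disabled (UTC)

function Test-PasswordSyncDisabled
{
    # Tenant-level check: the service should no longer report password sync as enabled.
    $company = Get-MsolCompanyInformation
    if ($company.PasswordSynchronizationEnabled)
    {
        Write-Warning "Password synchronization still reports as enabled; disable it in Azure AD Connect before relying on these results."
    }
    Write-Host ("Last password sync time reported by the service: {0}" -f $company.LastPasswordSyncTime)
    return (-not $company.PasswordSynchronizationEnabled)
}

function Get-PasswordRemnantCandidates
{
    Param
    (
        [string]$Path,
        [datetime]$DisabledAt
    )

    # A user may still hold the synced hash when the script logged a failure for them,
    # or when the cloud-side password change time predates the moment sync was disabled.
    # Assumption: the timestamps the module returns are comparable once converted to UTC.
    foreach ($entry in Import-Csv -Path $Path)
    {
        $msolUser = Get-MsolUser -ObjectId $entry.OBJECTID
        $changed  = $msolUser.LastPasswordChangeTimestamp
        $stale    = ($null -eq $changed) -or ($changed.ToUniversalTime() -lt $DisabledAt)

        # -ne is case-insensitive, so "True" and "TRUE" in the log both count as success.
        if ($entry.SUCCESS -ne 'True' -or $stale)
        {
            New-Object PSObject -Property @{
                UPN                         = $entry.UPN
                ObjectId                    = $entry.OBJECTID
                LoggedSuccess               = $entry.SUCCESS
                LastPasswordChangeTimestamp = $changed
            }
        }
    }
}

$syncOff    = Test-PasswordSyncDisabled
$candidates = @(Get-PasswordRemnantCandidates -Path $csvPath -DisabledAt $disabledAt)

if ($candidates.Count -gt 0)
{
    Write-Warning ("{0} user(s) need a second pass:" -f $candidates.Count)
    $candidates | Format-Table UPN, LoggedSuccess, LastPasswordChangeTimestamp -AutoSize
}
elseif ($syncOff)
{
    # Every logged user was changed after sync was disabled. The CSV holds the plaintext
    # replacement passwords and nothing should ever need them again, so remove it once the
    # outcome has been recorded elsewhere.
    Remove-Item -Path $csvPath -Force
    Write-Host "All users verified; removed $csvPath."
}
```

Two points are worth checking before trusting the result.  First, a user whose Set-MsolUserPassword call failed keeps the old synced password, which is exactly the remnant the exercise is meant to remove, so failures have to be re-run rather than merely noted.  Second, if the log only needs to prove that each account was touched, the script can be changed to record UPN, ObjectId and SUCCESS without the PASSWORD column at all, which removes the need to protect and dispose of a file full of plaintext credentials.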

