What is it?
Password sync from Quickpass synchronizes end-user account passwords and password policies between Active Directory and Office 365 / Azure AD as an alternative to Azure AD Connect.
What's wrong with Azure AD Connect?
Many MSP's and IT Departments find Azure AD Connect complicated and difficult to manage.
1. Password synchronization to Office 365 / Azure AD can take up to 15 minutes after a password is reset in Active Directory leading to end-user confusion and increased support tickets.
2. Accounts created in Office 365 first and in Active Directory after breaks the AD Connect password synchronization leading to increased end-user setup, troubleshooting and support tickets.
3. AD Connect requires an Active Directory account with a password that must never expire for its Windows Service and thus poses a potential security risk for a privileged account with a static password.
4. Decommissioning of AD Connect on an Office 365 / Azure AD tenant requires running PowerShell scripts and sometimes days before it shows as unregistered requiring increased technical skills and often leading towards environments being left in an inconsistent state.
5. You can't match any Active Directory account with any Office 365 / Azure AD account to sync their passwords.
What accounts are Supported?
Only End-user accounts are supported
How do I setup accounts with Password Sync?
1. Install the Quickpass server agent on your customers Active Directory domain controller(s)
2. Connect your customers Office 365 / Azure AD tenant to the same Quickpass customer.
3. Import your End-User Accounts and select the option for Matched Accounts (Password Sync: On).
Automatic Import Method
How does Password Sync work?
When an end-user account password is reset in one of the following ways their password is immediately synchronized to Office 365 / Azure AD. One of these events need to occur before the first time the password is synchronized.
1. Quickpass self-serve mobile or web app by the end-user
2. Quickpass web dashboard by a technician
3. On the Active Directory domain controller by a technician
4. On the end-users PC from the change password option in the Ctrl + Alt + Del menu
5. In the password entry screen in IT Glue / My Glue
How are the password policies integrated?
Active Directory Password policy takes precedence over the Office 365 cloud-only account password policy with some exceptions
Maximum Password Age: Active Directory password policy
Minimum Password Age: Active Directory password policy
Minimum Password Length: Active Directory password policy (Exception: If the Active Directory policy is set to < 8 characters Quickpass will change it to 8 characters so it matches the Office 365 cloud-only account minimum password length)
Password Complexity: On. If password complexity is disabled in the Active Directory password policy Quickpass will enable it.
Enforce password history: Active Directory password policy (Exception: If password history is set to 0 then Quickpass will change it to 1 so that it matches the Office 365 cloud only account password policy)
Account lockout threshold: Active Directory password policy (Exception: If account lockout threshold is 11 or greater Quickpass will lower it to 10 so that it matches the Office 365 cloud only account password policy)
Account lockout duration: Active Directory password policy
- Quickpass sets the Office 365 password policy to never expire so that it does not conflict with the Active Directory password expiration policy.
How does the Self-Serve App work with Password Sync Enabled?
- Password Resets: When a password is reset in the self-serve app Quickpass will reset the password in Active Directory and immediately follow by resetting the password in Office 365.
- Password Expiry Notifications: Quickpass will base password expiry notifications on the Active Directory password policy and send notifications when passwords will expire in less than 10 days each day and also when the password expires unless the password is reset.
- Account Lock Events - Active Directory: If an end-user locks themselves out of their Active Directory joined computer they will receive an account locked notification either from the Quickpass mobile app or via SMS when using the web app. End-users can open the mobile or web self-serve apps to unlock their accounts which will unlock their account in Active Directory.
- Account Lock Events - Office 365 / Azure AD: If an end-user account is locked by logging into the Office 365 web dashboard the process to unlock the account is fully automated with Office 365 and cannot be changed. In this case no notifications are sent to the Quickpass self-serve app as there is no option for this in the Microsoft Graph API.
After 10 unsuccessful sign-in attempts with the wrong password, the user is locked out for one minute. Further incorrect sign-in attempts lock out the user for increasing durations of time. Smart lockout tracks the last three bad password hashes to avoid incrementing the lockout counter for the same password. If someone enters the same bad password multiple times, this behavior will not cause the account to lockout.
- Account Disabled (Blocked / Un-block Sign In): When an end-user account is disabled in Quickpass it will be disabled in Active Directory and the Sign in for Office 365 / Azure AD will be blocked. The functions in the Quickpass self-serve apps will also be disabled immediately preventing the end-user from resetting their password. Similarly, if an end-user account is enabled in Quickpass it will be enabled in Active Directory and the sign in will be un-blocked in Office 365 / Azure AD.