As you know, Azure Active Directory Connect (AAD Connect) is used to synchronize your on-premises Active Directory objects (users, groups, devices) to Azure AD, with the option to synchronize the users' password hashes (also known as password sync, password hash sync or PHS).
With this new version (220.127.116.11), available for download here https://go.microsoft.com/fwlink/?LinkId=615771, you can now configure selective PHS if you want to exclude some accounts from having their password hash synchronized to Azure AD.
To do so, you will have to update an attribute (adminDescription) on your users' Active Directory objects and edit the synchronization rules.
Depending on the number of user objects to exclude from password hash synchronization, the process is slightly different.
If the number of users excluded from PHS is smaller than the number included, use the value PHSFiltered; otherwise (more users excluded than included), use the value PHSIncluded.
After editing the adminDescription attribute with the value matching your requirement, you will have to stop the synchronization before editing the rule:
Set-ADSyncScheduler -SyncCycleEnabled $false
Then, using the Synchronization Rules Editor, edit the rule In from AD – User AccountEnabled and make an editable copy, as prompted when editing a built-in rule.
Then add a clause in the Scoping filter section matching the condition below:
- Attribute: adminDescription
- Operator: equal
- Value: either PHSFiltered or PHSIncluded, depending on your context (see above)
Then re-enable the synchronization with the command
Set-ADSyncScheduler -SyncCycleEnabled $true
And finally, run a full sync with the command
Start-ADSyncSyncCycle -PolicyType Initial
NOTE: if the adminDescription attribute is not populated or does not contain the expected value, PHS will continue to work as before.
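The whole procedure above, scripted end to end, as an added example (this is not code from the original post or from Microsoft). It assumes the ActiveDirectory and ADSync PowerShell modules are available on the AAD Connect server, and that an AD group named PHS-Excluded (a placeholder name) holds the users whose password hash must not be synchronized. The script applies the post's decision rule (tag the smaller set), tags the users, stops the scheduler, pauses while you edit the scoping filter in the Synchronization Rules Editor by hand, then re-enables the scheduler, triggers the Initial sync and prints a verification list.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory and
# ADSync modules are installed and that the group 'PHS-Excluded' (placeholder)
# contains the users to exclude from password hash synchronization.
Import-Module ActiveDirectory
Import-Module ADSync

$excludedGroup = 'PHS-Excluded'   # placeholder, replace with your own group

# Enabled users currently in scope, and the subset to exclude from PHS
$allUsers      = Get-ADUser -Filter 'Enabled -eq $true' -Properties adminDescription
$excludedUsers = @(Get-ADGroupMember -Identity $excludedGroup -Recursive |
                   Where-Object objectClass -eq 'user' |
                   ForEach-Object { Get-ADUser $_ -Properties adminDescription })
$includedUsers = @($allUsers | Where-Object {
                   $_.DistinguishedName -notin $excludedUsers.DistinguishedName })

# Decision rule from the post: tag the smaller of the two sets
if ($excludedUsers.Count -lt $includedUsers.Count) {
    $value = 'PHSFiltered'; $other = 'PHSIncluded'; $targets = $excludedUsers
} else {
    $value = 'PHSIncluded'; $other = 'PHSFiltered'; $targets = $includedUsers
}
Write-Host "Tagging $($targets.Count) user(s) with adminDescription = $value"

# Write the marker only where it is missing, so reruns are idempotent
foreach ($u in $targets) {
    if ($u.adminDescription -ne $value) {
        Set-ADUser -Identity $u -Replace @{ adminDescription = $value }
    }
}

# Clear a stale marker from the other scenario, if the decision has flipped
Get-ADUser -Filter "adminDescription -eq '$other'" |
    ForEach-Object { Set-ADUser -Identity $_ -Clear adminDescription }

# Stop the scheduler before touching the rule, as the post requires
Set-ADSyncScheduler -SyncCycleEnabled $false
Read-Host 'Now edit the scoping filter of "In from AD - User AccountEnabled" in the Synchronization Rules Editor, then press Enter'

# Re-enable the scheduler and run a full (Initial) sync cycle
Set-ADSyncScheduler -SyncCycleEnabled $true
Start-ADSyncSyncCycle -PolicyType Initial

# Verification: who carries the marker, and is the scheduler back on
Get-ADUser -Filter "adminDescription -eq '$value'" -Properties adminDescription |
    Select-Object SamAccountName, adminDescription
Get-ADSyncScheduler | Select-Object SyncCycleEnabled, NextSyncCycleStartTimeInUTC
```

The Read-Host pause is deliberate: the rule edit is a GUI step in the post, and the scheduler must stay disabled until the editable copy of the rule is saved. The final Get-ADUser query is the check to keep for audits, since an account with an empty or mistyped adminDescription silently falls back to normal PHS behaviour, exactly as the note above describes.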