Syncing NTLM and Kerberos credential hashes to Azure AD

Azure AD Connect does not synchronize NTLM and Kerberos credential hashes to Azure AD by default. To use AD domain services, we need to configure Azure AD Connect so that it synchronizes the credential hashes that are required for NTLM and Kerberos authentication. To do that, we need to run the following PowerShell script:

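# Connector names are case sensitive; copy them exactly as they appear in Synchronization Service.
$adConnector = "<CASE SENSITIVE AD CONNECTOR NAME>"
$azureadConnector = "<CASE SENSITIVE AZURE AD CONNECTOR NAME>"
Import-Module adsync
# Load the on-premises AD connector configuration.
$c = Get-ADSyncConnector -Name $adConnector
# Build the global parameter that forces a full password synchronization.
$p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter "Microsoft.Synchronize.ForceFullPasswordSync", String, ConnectorGlobal, $null, $null, $null
$p.Value = 1
# Replace any existing copy of the parameter, then save the connector.
$c.GlobalParameters.Remove($p.Name)
$c.GlobalParameters.Add($p)
$c = Add-ADSyncConnector -Connector $c
# Disable and re-enable password sync so that the new setting takes effect.
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $azureadConnector -Enable $false
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $azureadConnector -Enable $true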

We can find the AD Connector and Azure AD Connector names under Start | Synchronization Service | Connectors.

This completes the configuration part of the Azure AD hybrid setup. Depending on the size of the directory, it can take up to 30 minutes to complete the sync process. Once the process is completed, users can authenticate to Azure AD using their on-premises usernames and passwords.
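To confirm the change took effect, the following read-only check can be run on the Azure AD Connect server. It is an added example, not part of the original script: it lists the connector names without opening the Synchronization Service console, then reports the password sync state and the ForceFullPasswordSync parameter for each on-premises connector. It assumes that on-premises connectors report a Type of "AD".

```powershell
# Added example: read-only verification, run on the Azure AD Connect server.
Import-Module ADSync

$paramName = "Microsoft.Synchronize.ForceFullPasswordSync"

# List every connector so the case-sensitive names can be copied exactly.
Get-ADSyncConnector | Select-Object Name, Type | Format-Table -AutoSize

# Assumption: on-premises Active Directory connectors report Type "AD".
$adConnectors = Get-ADSyncConnector | Where-Object { $_.Type -eq "AD" }

if (-not $adConnectors) {
    Write-Warning "No connector of Type 'AD' found; check the list above."
}

foreach ($c in $adConnectors) {
    # Look up the global parameter that the configuration script adds.
    $p = $c.GlobalParameters | Where-Object { $_.Name -eq $paramName }

    # Current password hash synchronization state for this source connector.
    $cfg = Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $c.Name

    if (-not $cfg.Enabled) {
        Write-Warning "Password sync is disabled for connector '$($c.Name)'."
    }

    # One summary row per on-premises connector.
    [pscustomobject]@{
        SourceConnector       = $c.Name
        TargetConnector       = $cfg.TargetConnector
        PasswordSyncEnabled   = $cfg.Enabled
        ForceFullPasswordSync = if ($p) { $p.Value } else { "<not set>" }
    }
}
```

A row with PasswordSyncEnabled set to False means the final Set-ADSyncAADPasswordSyncConfiguration call did not complete and should be run again.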