I am looking for a PowerShell, Azure CLI, or other type of script or program which will allow me to back up and restore all user attributes including the password hash.

This Azure CLI command gives me much of what I want, but doesn't include the password hashes:

az ad user list --verbose

The answer to this question from 3 years ago indicates that you can use the PowerShell get-msoluser command, but this command only seems to return UserPrincipalName, DisplayName, and isLicensed. It does not return the password hash.

This product from Quest indicates that there is some way to get these password hashes.

Does anyone know of a way to get all of the user properties, including the password hash, using a script or program?

Greg Thatcher
  • Where does that page say anything about passwords? I believe you are making a poor assumption about the ability of that product. – Shawn Tabrizi Sep 13 '17 at 21:55

1 Answer

Azure Active Directory does not expose any APIs which expose any part of the user's password, including the password hash.

I believe the product you are referencing is simply using the "recycle bin" of Azure Active Directory to restore soft-deleted items.

There is a tutorial on how to do this through the MSOL PowerShell Module here.

At no point will you gain access to the password hash of the user through this process.

Shawn Tabrizi
  • Microsoft has products such as "Azure AD Connect" (which apparently replaced another product called "DirSync") which can supposedly sync passwords in both directions. Maybe there is some secret API that gives access to these password hashes in Azure AD? – Greg Thatcher Sep 13 '17 at 23:06
  • I believe the APIs which power those products are not publicly available. Ultimately, I don't think as a consumer you will ever be able to access password hashes from the cloud identity system; and honestly that is probably for the best. – Shawn Tabrizi Sep 13 '17 at 23:47
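
The backup and recycle-bin restore discussed in this thread, as an added example that is not part of the original question or answer. It uses only MSOnline cmdlets; the backup file name and the `user@example.com` UPN are placeholders, and the account running it is assumed to have rights to read and restore users.

```powershell
# Added example: attribute backup plus restore of a soft-deleted user (MSOnline module).
Import-Module MSOnline
Connect-MsolService   # interactive sign-in to the tenant

# --- 1. Back up every attribute the service returns ---------------------------
# Get-MsolUser prints only UserPrincipalName, DisplayName and isLicensed in its
# default table view; Select-Object * exposes the full property set.
$backupPath = Join-Path $PWD ("aad-users-{0:yyyyMMdd-HHmmss}.json" -f (Get-Date))  # placeholder name
$users = Get-MsolUser -All | Select-Object *
$users | ConvertTo-Json -Depth 5 | Set-Content -Path $backupPath -Encoding UTF8
Write-Host "Exported $(@($users).Count) users to $backupPath"

# --- 2. Check what password-related data the export actually holds ------------
# Only policy metadata (for example PasswordNeverExpires) is expected here;
# no property carries the password or its hash.
$users | Get-Member -MemberType NoteProperty |
    Where-Object { $_.Name -match 'Password|Hash' } |
    Select-Object -ExpandProperty Name

# --- 3. List users currently in the recycle bin (soft-deleted) ----------------
$deleted = Get-MsolUser -ReturnDeletedUsers -All
$deleted | Select-Object UserPrincipalName, ObjectId, SoftDeletionTimestamp |
    Format-Table -AutoSize

# --- 4. Restore one soft-deleted user -----------------------------------------
$upn = 'user@example.com'   # placeholder UPN, replace with a value from step 3
if (@($deleted.UserPrincipalName) -contains $upn) {
    # Undeletes the original directory object; the script never reads or
    # writes any credential material.
    Restore-MsolUser -UserPrincipalName $upn -AutoReconcileProxyConflicts
    Get-MsolUser -UserPrincipalName $upn | Select-Object UserPrincipalName, ObjectId
} else {
    Write-Warning "$upn is not in the recycle bin; it may have been permanently removed."
}
```

The JSON file is a reference copy of attributes only: a user that has been permanently deleted has to be recreated with a new password, since nothing in the export can reproduce the old one.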