Troubleshooting Azure AD Connect Password Synchronization

If a client calls in, or you notice that Password Sync is showing no recent synchronization (as in the image below), there are a few things to check.

  1. Make sure the Azure AD Connect service is running correctly. (Open the Synchronization Service Manager, usually located on a management server.)
  2. On the Operations tab, look for any errors in the Status column. In this case it showed no-start-credentials.
  3. At this point I needed to find the AD credential used for syncing, usually MSOL_xxxxx. You can find this account in the Connectors section: right-click the local domain connector and select Properties.
  4. On the Connect to Active Directory Forest page you will see the account used to run this service. Find that account in Active Directory; if the account is simply locked, try unlocking it and letting the sync run again.
  5. In this case I could see that the password had been changed on 3/1 and knew the service had been up longer than that, so I reset the password, entered the new password in the connector properties I had opened earlier, and clicked OK.
  6. Once this is done, Microsoft recommends restarting the Azure AD Sync services. Once these were restarted, I ran a Delta sync on the service to ensure that everything was syncing correctly:
    1. Import-Module "C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync\ADSync.psd1"
    2. Start-ADSyncSyncCycle -PolicyType Delta
  7. If it is still not synchronizing passwords to Office 365, you can force the password sync to happen again by disabling and re-enabling password sync with the script below.

# Variables: use your own connector names. They can be found in Synchronization Service Manager under Connectors (the names are case sensitive).
$adConnector  = "Domain name"
$aadConnector = "domain.onmicrosoft.com - AAD"

# Load the Azure AD Connect PowerShell module
Import-Module adsync

# Flag the on-premises AD connector so that the next sync cycle pushes every password hash again
$c = Get-ADSyncConnector -Name $adConnector
$p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter "Microsoft.Synchronize.ForceFullPasswordSync", String, ConnectorGlobal, $null, $null, $null
$p.Value = 1
$c.GlobalParameters.Remove($p.Name)
$c.GlobalParameters.Add($p)
$c = Add-ADSyncConnector -Connector $c

# Disabling and re-enabling password sync forces the passwords to start syncing again
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $false
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $true
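The manual checks in steps 1 through 6 can be scripted so that the service state, the password sync configuration, the connector's service account and that account's lockout and password age are read in one pass. The script below is an added example and is not code from the original post or from Microsoft. It assumes that the on-premises AD connector exposes its service account through the connectivity parameters named forest-login-user and forest-login-domain, and that the RSAT ActiveDirectory module is installed on the Azure AD Connect server. It only reads state and, optionally, clears a lockout; the password reset in step 5 stays a manual action, because that is where the new secret has to be typed into the connector properties.

```powershell
# Added example (not from the original post): scripts the manual checks in steps 1 to 6.
# Run in an elevated PowerShell session on the Azure AD Connect server.
# Assumptions not stated on the page: the on-premises AD connector stores its service
# account in the connectivity parameters "forest-login-domain" / "forest-login-user",
# and the RSAT ActiveDirectory module is installed for Get-ADUser / Unlock-ADAccount.
param(
    [Parameter(Mandatory = $true)]
    [string]$AdConnectorName,   # case-sensitive connector name, e.g. "contoso.local" (placeholder)
    [switch]$UnlockIfLocked,    # clear a lockout on the connector account; passwords are never touched here
    [switch]$RestartAndDelta    # step 6: restart the service and run a delta sync afterwards
)

$ErrorActionPreference = 'Stop'
Import-Module ADSync
Import-Module ActiveDirectory

# Step 1: confirm the synchronization service is running and the scheduler is enabled.
$svc = Get-Service -Name ADSync
Write-Host ("ADSync service      : {0}" -f $svc.Status)
$sched = Get-ADSyncScheduler
Write-Host ("Sync cycle enabled  : {0}" -f $sched.SyncCycleEnabled)
Write-Host ("Next cycle (UTC)    : {0}" -f $sched.NextSyncCycleStartTimeInUTC)

# Step 2 (password hash sync specifically): show the PHS configuration for this connector.
Write-Host "Password hash sync configuration for ${AdConnectorName}:"
Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $AdConnectorName | Format-List

# Steps 3 and 4: identify the AD account the connector runs as (usually MSOL_xxxxx) and
# check the conditions that produce a no-start-credentials status: locked, disabled or expired.
$connector   = Get-ADSyncConnector -Name $AdConnectorName
$loginUser   = $connector.ConnectivityParameters['forest-login-user'].Value     # assumption: parameter name
$loginDomain = $connector.ConnectivityParameters['forest-login-domain'].Value   # assumption: parameter name
Write-Host ("Connector account   : {0}\{1}" -f $loginDomain, $loginUser)

$acct = Get-ADUser -Identity $loginUser -Properties LockedOut, Enabled, PasswordLastSet, PasswordExpired
Write-Host ("Enabled             : {0}" -f $acct.Enabled)
Write-Host ("Locked out          : {0}" -f $acct.LockedOut)
Write-Host ("Password expired    : {0}" -f $acct.PasswordExpired)
Write-Host ("Password last set   : {0}" -f $acct.PasswordLastSet)

if ($acct.LockedOut -and $UnlockIfLocked) {
    Unlock-ADAccount -Identity $acct
    Write-Host "Account unlocked; let the next sync cycle run and re-check the Operations tab."
}
# A PasswordLastSet newer than the service's last successful run means the connector still
# holds the old password. That is the step 5 case: reset it and update the connector
# properties by hand in Synchronization Service Manager; this script deliberately does not
# store or set passwords.

# Step 6: after a credential change, restart the sync service and run a delta sync.
if ($RestartAndDelta) {
    Restart-Service -Name ADSync
    Start-Sleep -Seconds 30        # give the service time to come up before scheduling a cycle
    Start-ADSyncSyncCycle -PolicyType Delta
}
```

Run it once without switches to get a read-only picture of the service, the connector account and its lockout and password age, then rerun with -UnlockIfLocked or -RestartAndDelta as the findings warrant. Keeping the password reset out of the script means the MSOL_ account's new secret is entered only in the connector properties dialog and never lands in a script file or transcript.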
