OpenTechTips

Comprehensive IT Guides for Pros and Enthusiasts

Home » Office 365 – Force Password Sync with Azure AD

Office 365 – Force Password Sync with Azure AD

- by Zsolt Agoston - last edited on

Password hashes are synchronized separately from the user account to the Azure Active Directory by AADSync. If there are issues with hash sync for certain users or even whole domains, there is a great built-in tool to diagnose the issues and to sort the problems on the AADSync server.

1. Diagnose Password Sync Issues

Use the following cmdlet to open an interactive diagnostic test for DirSync.

Plain text
Copy to clipboard
Open code in new window
EnlighterJS 3 Syntax Highlighter
PS C:\> Invoke-ADSyncDiagnostics
PS C:\> Invoke-ADSyncDiagnostics
PS C:\> Invoke-ADSyncDiagnostics

Option "2" is password sync

Office 365 – Force Password Sync with Azure AD

We check if the password hash synchronization is working fine for a specific user, Alice

Office 365 – Force Password Sync with Azure AD

It fails as the user is not synced to Azure AD at all.

Office 365 – Force Password Sync with Azure AD

After moving her to a syning OU, and initiating a sync cycle, we check again. This time it is successful

Office 365 – Force Password Sync with Azure AD

2. Force Sync of Password Hashes with PowerShell

The following short script will force an immediate re-sync of user passwords to the cloud. You'll need the source- and target connector names to initiate the sync process.

Plain text
Copy to clipboard
Open code in new window
EnlighterJS 3 Syntax Highlighter
# If you are not sure about the source- and target connector names, you can check them by running the following cmdlet:
<br>PS C:\> Import-Module -Name "C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync"
PS C:\> Get-ADSyncConnector | Select type,name
Type Name
---- ----
Extensible2 alwayshotcafe2020.onmicrosoft.com - AAD
AD AlwaysHotCafe.com
# If you are not sure about the source- and target connector names, you can check them by running the following cmdlet: <br>PS C:\> Import-Module -Name "C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync" PS C:\> Get-ADSyncConnector | Select type,name Type Name ---- ---- Extensible2 alwayshotcafe2020.onmicrosoft.com - AAD AD AlwaysHotCafe.com
# If you are not sure about the source- and target connector names, you can check them by running the following cmdlet:

PS C:\> Import-Module -Name "C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync"
PS C:\> Get-ADSyncConnector | Select type,name

Type        Name
----        ----
Extensible2 alwayshotcafe2020.onmicrosoft.com - AAD
AD          AlwaysHotCafe.com

The Script:

Plain text
Copy to clipboard
Open code in new window
EnlighterJS 3 Syntax Highlighter
# Define the source and target connectors
$adConnector = "AlwaysHotCafe.com"
$aadConnector = "alwayshotcafe2020.onmicrosoft.com - AAD"
Import-Module -Name "C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync"
# Update the existing connector with the option to force full password sync
$c = Get-ADSyncConnector -Name $adConnector
$p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter "Microsoft.Synchronize.ForceFullPasswordSync", String, ConnectorGlobal, $null, $null, $null
$p.Value = 1
$c.GlobalParameters.Remove($p.Name)
$c.GlobalParameters.Add($p)
$c = Add-ADSyncConnector -Connector $c
# Disable and re-enable Azure AD Connect to trigger the password sync
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $false
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $true
# Define the source and target connectors $adConnector = "AlwaysHotCafe.com" $aadConnector = "alwayshotcafe2020.onmicrosoft.com - AAD" Import-Module -Name "C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync" # Update the existing connector with the option to force full password sync $c = Get-ADSyncConnector -Name $adConnector $p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter "Microsoft.Synchronize.ForceFullPasswordSync", String, ConnectorGlobal, $null, $null, $null $p.Value = 1 $c.GlobalParameters.Remove($p.Name) $c.GlobalParameters.Add($p) $c = Add-ADSyncConnector -Connector $c # Disable and re-enable Azure AD Connect to trigger the password sync Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $false Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $true
# Define the source and target connectors
$adConnector  = "AlwaysHotCafe.com"
$aadConnector = "alwayshotcafe2020.onmicrosoft.com - AAD"

Import-Module -Name "C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync"

# Update the existing connector with the option to force full password sync
$c = Get-ADSyncConnector -Name $adConnector
$p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter "Microsoft.Synchronize.ForceFullPasswordSync", String, ConnectorGlobal, $null, $null, $null
$p.Value = 1
$c.GlobalParameters.Remove($p.Name)
$c.GlobalParameters.Add($p)
$c = Add-ADSyncConnector -Connector $c

# Disable and re-enable Azure AD Connect to trigger the password sync
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $false
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $true

Reader Interactions

Comments

Your email address will not be published. Required fields are marked *