Office 365 – Force Password Sync with Azure AD

Password hashes are synchronized separately from the user account to the Azure Active Directory by AADSync. If there are issues with hash sync for certain users or even whole domains, there is a great built-in tool to diagnose the issues and to sort the problems on the AADSync server.

1. Diagnose Password Sync Issues

Use the following cmdlet to open an interactive diagnostic test for DirSync.

PS C:\> Invoke-ADSyncDiagnostics

2. Force Sync of Password Hashes with PowerShell

The following short script will force an immediate re-sync of user passwords to the cloud. You'll need the source- and target connector names to initiate the sync process.

# If you are not sure about the source- and target connector names, you can check them by running the following cmdlet:

PS C:\> Import-Module -Name "C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync"
PS C:\> Get-ADSyncConnector | Select type,name

Type        Name
----        ----
Extensible2 alwayshotcafe2020.onmicrosoft.com - AAD
AD          AlwaysHotCafe.com

The Script:

# Define the source and target connectors
$adConnector  = "AlwaysHotCafe.com"
$aadConnector = "alwayshotcafe2020.onmicrosoft.com - AAD"

Import-Module -Name "C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync"

# Update the existing connector with the option to force full password sync
$c = Get-ADSyncConnector -Name $adConnector
$p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter "Microsoft.Synchronize.ForceFullPasswordSync", String, ConnectorGlobal, $null, $null, $null
$p.Value = 1
$c.GlobalParameters.Remove($p.Name)
$c.GlobalParameters.Add($p)
$c = Add-ADSyncConnector -Connector $c

# Disable and re-enable Azure AD Connect to trigger the password sync
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $false
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $true