Azure AD Connect Not Syncing Password

Question

Azure AD Connect Not Syncing Password

rr-4098 2,051

I have setup Azure AD connect to sync onprem AD accounts and pwds to Azure using Password Hash. The first couple of users I moved to a OU to sync are members of the Domain Admin group. I have enabled inheritance and see their accounts picked up by Azure AD Connect (I know this will revert back by design and its not a permeant fix). The problem is I see their account now listed as synced from onprem in Azure and it shows a last sync time as current, but when I had them change their onprem pwd it did not reflect the new password timestamp in the Azure portal nor did Outlook prompt them for their new password.

Carlos Solís Salazar 18,191 Reputation points MVP Volunteer Moderator

2023-08-03T11:03:37.5666667+00:00

Can you share your Azure AD Connect configuration?
rr-4098 2,051 Reputation points

2023-08-04T15:28:57.8433333+00:00

Issue turned out to be permissions related in onprem AD.
JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator

2023-08-23T20:49:15.89+00:00

@rr-4098

I wanted to check in and see if you had any other questions?

Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

1 answer

Your answer

Carlos Solís Salazar 18,191 Reputation points MVP Volunteer Moderator

2023-08-03T11:03:37.5666667+00:00

Can you share your Azure AD Connect configuration?
rr-4098 2,051 Reputation points

2023-08-04T15:28:57.8433333+00:00

Issue turned out to be permissions related in onprem AD.
JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator

2023-08-23T20:49:15.89+00:00

@rr-4098

I wanted to check in and see if you had any other questions?

Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

Answer 1

Sandeep G-MSFT 20,906 Microsoft Employee Moderator

@rr-4098

You can try running the below script in your AD connect server and then check if the passwords get's synced.

$adConnector = "on-premises AD connector"

$aadConnector = "Azure AD connector - AAD"

Import-Module adsync

$c = Get-ADSyncConnector -Name $adConnector

$p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter "Microsoft.Synchronize.ForceFullPasswordSync", String, ConnectorGlobal, $null, $null, $null

$p.Value = 1

$c.GlobalParameters.Remove($p.Name)

$c.GlobalParameters.Add($p)

$c = Add-ADSyncConnector -Connector $c

Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $false

Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $true

NOTE: Change the "on-premises AD connector" and "Azure AD connector - AAD" values according to your AD connect connectors

Let me know if you have any further questions on this.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

rr-4098 2,051 Reputation points

2023-08-03T14:02:45.4866667+00:00

I ran the script and is ran successfully, and see's the accounts in the target OU, but not picking up their updated pwd. The Azure accounts were in place before Azure AD was setup so I had to hard link the accounts. In the portal they are showing a synced with onprem. I have done this same process for other customer and never ran into an issue.
rr-4098 2,051 Reputation points

2023-08-03T14:54:31.6633333+00:00

So I created a new account onprem that is not a member of the Domain Admins group, placed it into our Sync OU and a couple of minutes later the account showed up in Azure. Which is great, the problem is when I changed the password on the onprem account it did not update in Azure.
Sandeep G-MSFT 20,906 Reputation points Microsoft Employee Moderator

2023-08-04T04:19:44.5233333+00:00

@Sandeep G-MSFT

@rr-4098

Once the password is changed for the newly created admin account, wait for 5 mins and check the application event logs in AD connect server. Check and confirm if you see 656 or 657 events. Usually these events should get triggered once the password change is picked by AD connect.

If you still don't see these events, we will work on this issue offline as this might need little deeper investigation.

Please send us an email on azcommunity [at] microsoft [dot] com with Sub - Attn: Sandeg and following details in the email body:

Link to this thread/post

We can connect offline and discuss further on this.
Sandeep G-MSFT 20,906 Reputation points Microsoft Employee Moderator

2023-08-07T03:41:56.08+00:00

@rr-4098

I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "[The question author cannot accept their own answer. They can only accept answers by others] (https://docs.microsoft.com/en-us/answers/support/accepted-answers#why-only-one-accepted-answer)**)", I'll repost your solution in case you'd like to "[Accept] (https://docs.microsoft.com/en-us/answers/support/accepted-answers#accepted-answer-in-a-question-thread)**)" the answer.

You have fixed the issue by setting permission on the AD connect service account for Password sync on on-premises AD.

Let me know if you have any further questions.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

KAM9774 0

I can't get this script to run. Getting the below error. What do I need to install?

New-Object : Cannot find type [Microsoft.IdentityManagement.PowerShell.]: verify that the assembly containing this type is loaded.
At line:5 char:6
+ $p = New-Object Microsoft.IdentityManagement.PowerShell.
+      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidType: (:) [New-Object], PSArgumentException
    + FullyQualifiedErrorId : TypeNotFound,Microsoft.PowerShell.Commands.NewObjectCommand
 
ObjectModel.ConfigurationParameter : The term 'ObjectModel.ConfigurationParameter' is not recognized as the name of a cmdlet, function, script file, or operable 
program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:6 char:9
+         ObjectModel.ConfigurationParameter `
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (ObjectModel.ConfigurationParameter:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
 
The property 'Value' cannot be found on this object. Verify that the property exists and can be set.
At line:9 char:1
+ $p.Value = 1
+ ~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : PropertyNotFound

Share via

Azure AD Connect Not Syncing Password

1 answer

Your answer