Azure AD connect cloud not syncing password hash

Gus Rodriguez 96 Reputation points
2021-02-03T14:00:01.963+00:00

I have set up Azure AD Connect Cloud, the new product from MS Azure, and I am getting green lights across the board that the system is functioning properly. But the on-prem password is not working.

  • Cloud Sync for my domain has a Healthy status
  • When creating a user or syncing an already existing user from my Test OU, they show up in Azure AD
  • I am able to add a license to either user.
  • I have ports 80, 443 and 8080 all open for outbound connections from my server
  • I have opened inbound traffic on the firewall for both *.msappproxy.net and *.servicebus.windows.net from any port to ports 443 and 80 on the server

When I try to log into https://myapps.microsoft.com as described in the MS article, I receive the following error: "Your account or password is incorrect. If you don't remember your password, reset it now"

Authentication Details

Date - 2/3/2021, 6:59:29 AM
Authentication method - Password
Authentication method detail - Password Hash Sync
Succeeded - false
Result detail - Invalid username or password or Invalid on-premise username or password.
Requirement - Primary authentication

Basic Info

Failure reason - Error validating credentials due to invalid username or password.
Status - Failure
Sign-in error code - 50126

Has anyone seen this before? Is this a configuration issue on the Azure side? AAD Cloud Connect is supposed to automatically enable the password hash feature.

I have tried disabling and re-enabling the password hash config from the Azure portal.


Accepted answer
  1. Gus Rodriguez 96 Reputation points
    2021-02-09T20:38:21.933+00:00

    I figured out the issue with Azure AD connect cloud not syncing password hash. The issue was the admin account I was using did not have the proper rights to the domain. Once changed I was able to sync hash with no issue.

    Steps to resolve this issue:
    • Open Active Directory Users and Computers
    • Right-click on the root of your domain (Testsystem.local)
    • Click on Properties
    • Click on the Security tab
    • Add the username you used during installation of "Azure AD Connect Cloud" for local authentication
    • Under Permissions, check "Allow" for Replicating Directory Changes and Replicating Directory Changes All

    After that your system should allow the password hash to sync (or it did for me at least).
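
One way to audit, and then apply, the two replication rights the accepted answer grants by hand in ADUC, as an added PowerShell example that is not part of the thread or of Microsoft's agent. It assumes the ActiveDirectory module is installed on a domain-joined admin host; the agent account name and domain prefix are placeholders to replace with your own (the accepted answer gives no account name, and "provAgentgMSA" here is only the name the asker mentioned).

```powershell
# Added example: audit and grant "Replicating Directory Changes" /
# "Replicating Directory Changes All" on the domain root for the
# Cloud Sync provisioning agent account. Not the thread's or Microsoft's code.
Import-Module ActiveDirectory

# PLACEHOLDER: the account the provisioning agent runs as (gMSA names end in '$').
$AgentAccount = 'TESTSYSTEM\provAgentgMSA$'
$DomainDN     = (Get-ADDomain).DistinguishedName

# Well-known schema GUIDs for the two extended rights (not page-specific values).
$RightNames = @{
    [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
}

$acl = Get-Acl -Path "AD:\$DomainDN"
$sid = (New-Object System.Security.Principal.NTAccount($AgentAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier])

# 1) Audit: every principal holding either right on the domain root.
#    Whoever is listed can replicate password hashes, so this list should be short
#    and contain only domain controllers and known sync/agent accounts.
"== Principals holding replication rights on $DomainDN =="
$acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $RightNames.ContainsKey($_.ObjectType) } |
    Select-Object IdentityReference, @{ n = 'Right'; e = { $RightNames[$_.ObjectType] } } |
    Format-Table -AutoSize

# 2) Grant only the rights the agent account is still missing.
$changed = $false
foreach ($entry in $RightNames.GetEnumerator()) {
    $already = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.ObjectType -eq $entry.Key -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid
    }
    if ($already) { "OK      $($entry.Value)"; continue }
    "MISSING $($entry.Value) - adding for $AgentAccount"
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $entry.Key)                      # ObjectType = the extended-right GUID
    $acl.AddAccessRule($ace)
    $changed = $true
}
if ($changed) { Set-Acl -Path "AD:\$DomainDN" -AclObject $acl; "ACL updated." }
else          { "No changes needed." }
```

Run it as a Domain Admin; the audit table in step 1 is worth re-running periodically, since the same two rights are what any account needs to pull hashes from AD, so an unexpected entry there is a finding in its own right.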


2 additional answers

Sort by: Most helpful
  1. James Hamil 23,216 Reputation points Microsoft Employee
    2021-02-03T19:29:06.457+00:00

    Hi @Gus Rodriguez , sorry to hear about your problem! This issue happens now and again for a variety of different reasons. If you don't mind, please do the following and see if it resolves the issue:

    • Restart the AD Connect wizard.
    • If it is still not working, uninstall the AD Connect wizard.
    • Download Microsoft Azure Active Directory Connect.
    • Reinstall the latest AD Connect version.
    • Use the default accounts created during the installation of the AD Connect wizard to synchronize your directory and password hash.

    Please let me know if this works. If not, I can assist you further!

    Best,
    James


  2. Gus Rodriguez 96 Reputation points
    2021-02-04T15:15:42.607+00:00

    I did as you recommended and uninstalled the agent and reinstalled the agent.

    During the agent installation I had to change the service account (NT SERVICE\AADConnectProvisioningAgent) that launches the "Microsoft Azure AD Connect Provisioning Agent" to a local service account with elevated rights in order to start the service. Once the configuration is complete the service is using the service account "provAgentgMSA". I restarted the service from the Azure portal and got a green light with Healthy. But I did receive this error on the first sync, and this is related to my test user.

    Any Thoughts?

    (attached screenshot: 64064-sync-error.png)
