Password sync with Azure and on premise

Andy Emerine 61 Reputation points
2021-12-14T17:46:28.597+00:00

I configured Azure AD Connect for the first time this week. I'm using password hash sync and changed the UPN for all users from .local to our .org domain. I'm syncing the mail attribute as the user principal name. Passwords sync fine from Azure to the on-prem server. For instance, I can change a password for a user in Azure and the user can log in fine on a locally joined device. There doesn't seem to have been an initial password sync from on-prem to Azure. Users cannot sign in to sites like office.com with their existing local AD password unless I first change their password in the 365 admin center. If I change a user password in the local AD, the password does not sync to Azure. I do not see any sync errors in the 365 admin center.

I tried running these PowerShell commands, but these had no effect.
Start-ADSyncSyncCycle -PolicyType Initial
Start-ADSyncSyncCycle -PolicyType Delta

Microsoft Entra ID

Accepted answer
  1. Andreas Baumgarten 98,711 Reputation points MVP
    2021-12-14T18:31:27.22+00:00

    Hi @Andy Emerine ,

    Which sync methods have you configured in AAD Connect? There are 2 options:
    https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-password-hash-synchronization
    https://learn.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr-writeback#enable-password-writeback-in-azure-ad-connect

    ----------

    (If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

    Regards
    Andreas Baumgarten


2 additional answers

  1. Andreas Baumgarten 98,711 Reputation points MVP
    2021-12-14T19:11:04.363+00:00

    Maybe this is helpful for troubleshooting: https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/troubleshoot-pwd-sync

    ----------

    (If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

    Regards
    Andreas Baumgarten
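The question worth settling before anything else is whether password hash sync is actually switched on for the tenant and for this forest's connector, because Start-ADSyncSyncCycle only drives the object sync; password hashes travel over a separate channel that polls the domain controllers on its own schedule (about every two minutes) and is not triggered by a delta or initial sync cycle. The following is an added example, not code from the original thread. It assumes it runs on the Azure AD Connect server with the ADSync module that ships with it, a single AD forest connector, and a caller in the local ADSyncAdmins group; the function names are this example's own. The full-sync routine follows the "trigger a full sync of all passwords" sequence from the troubleshooting article linked above.

```powershell
# Added example, not code from the original thread. Runs on the Azure AD Connect
# server with the ADSync module it ships; assumes a single AD forest connector
# and that the caller is in the local ADSyncAdmins group. Function names are
# this example's own.
Import-Module ADSync

function Get-PhsConnectorStatus {
    # Discover connector names instead of hard-coding them (they are case sensitive).
    $connectors   = Get-ADSyncConnector
    $adConnector  = ($connectors | Where-Object { $_.ConnectorTypeName -eq 'AD' } | Select-Object -First 1).Name
    $aadConnector = ($connectors | Where-Object { $_.SubType -eq 'Windows Azure Active Directory (Microsoft)' }).Name

    # Tenant-wide feature flags (PasswordHashSync must be True here) ...
    $tenantFeatures = Get-ADSyncAADCompanyFeature
    # ... and the per-connector password sync configuration for this forest.
    $connectorCfg   = Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector

    [pscustomobject]@{
        ADConnector            = $adConnector
        AADConnector           = $aadConnector
        TenantPasswordHashSync = $tenantFeatures.PasswordHashSync
        ConnectorPasswordSync  = $connectorCfg
    }
}

function Invoke-FullPasswordSync {
    # Mirrors the documented sequence: set the ForceFullPasswordSync parameter on
    # the AD connector, then toggle password sync off and on to restart the channel.
    param(
        [Parameter(Mandatory)][string]$ADConnectorName,
        [Parameter(Mandatory)][string]$AADConnectorName
    )
    $c = Get-ADSyncConnector -Name $ADConnectorName
    $p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter `
            'Microsoft.Synchronize.ForceFullPasswordSync', String, ConnectorGlobal, $null, $null, $null
    $p.Value = 1
    $c.GlobalParameters.Remove($p.Name)
    $c.GlobalParameters.Add($p)
    $c = Add-ADSyncConnector -Connector $c
    Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $ADConnectorName -TargetConnector $AADConnectorName -Enable $false
    Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $ADConnectorName -TargetConnector $AADConnectorName -Enable $true
}

# Usage: inspect first; force a full password sync only if PHS is enabled but
# hashes never arrived in the tenant.
$status = Get-PhsConnectorStatus
$status | Format-List
if ($status.TenantPasswordHashSync) {
    Invoke-FullPasswordSync -ADConnectorName $status.ADConnector -AADConnectorName $status.AADConnector
}
```

If the tenant flag and the connector configuration both say password sync is enabled and a forced full sync still leaves the cloud passwords untouched, the failure is on the read side: the password channel pulls hashes from a domain controller with the replication protocol, so the AD DS Connector account must hold the replication rights on the domain, and Invoke-ADSyncDiagnostics -PasswordSync together with the ADSync events 656 (password change request) and 657 (result) in the Application event log on the Connect server will show per-object whether hashes are being read and accepted.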


  2. Andy Emerine 61 Reputation points
    2021-12-15T15:01:10.483+00:00

    It looks like the issue is resolved. I had to give the Azure Connect service account Replicate Directory Changes and Replicate Directory Changes All AD permissions. Permissions listed in this article: https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-password-hash-synchronization

    Step by step directions:
    https://www.sharepointdiary.com/2013/08/configure-replicating-directory-changes-in-windows-2008-2012.html

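The two rights that fixed this, Replicating Directory Changes and Replicating Directory Changes All, are exactly the pair an attacker needs for DCSync, so an account that holds them can read every password hash in the domain and must be treated as tier-0. The following added example, not code from the original thread, audits the ACL on the domain naming context to confirm the AD DS Connector account has both rights and to list every other principal that does. It assumes the ActiveDirectory RSAT module is installed and the caller can read the domain ACL; the connector account name is a placeholder, and the function name is this example's own.

```powershell
# Added example, not code from the original thread. Audits which principals hold
# the two replication extended rights on the domain naming context that the
# Azure AD Connect AD DS Connector account needs for password hash sync; the
# same pair of rights is what DCSync uses to pull every password hash in the
# domain. Requires the ActiveDirectory RSAT module; the connector account name
# below is a placeholder.
Import-Module ActiveDirectory

$DsReplGetChanges    = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'  # DS-Replication-Get-Changes
$DsReplGetChangesAll = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'  # DS-Replication-Get-Changes-All
$AllExtendedRights   = [guid]'00000000-0000-0000-0000-000000000000'  # ExtendedRight ACE with empty ObjectType grants all extended rights

function Get-ReplicationRightHolders {
    param([string]$DomainDN = (Get-ADDomain).DistinguishedName)

    $rightsByIdentity = @{}
    $aces = (Get-Acl -Path "AD:\$DomainDN").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        -not $_.PropagationFlags.HasFlag([System.Security.AccessControl.PropagationFlags]::InheritOnly)
    }
    foreach ($ace in $aces) {
        $rights     = $ace.ActiveDirectoryRights
        $genericAll = $rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll)
        $extended   = $rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
        if (-not ($genericAll -or $extended)) { continue }

        # GenericAll, or ExtendedRight with no specific ObjectType, covers both rights.
        $coversAll = $genericAll -or ($ace.ObjectType -eq $AllExtendedRights)
        $id = $ace.IdentityReference.Value
        if (-not $rightsByIdentity.ContainsKey($id)) {
            $rightsByIdentity[$id] = @{ GetChanges = $false; GetChangesAll = $false }
        }
        if ($coversAll -or $ace.ObjectType -eq $DsReplGetChanges)    { $rightsByIdentity[$id].GetChanges    = $true }
        if ($coversAll -or $ace.ObjectType -eq $DsReplGetChangesAll) { $rightsByIdentity[$id].GetChangesAll = $true }
    }

    foreach ($id in $rightsByIdentity.Keys) {
        $r = $rightsByIdentity[$id]
        [pscustomobject]@{
            Identity      = $id
            GetChanges    = $r.GetChanges
            GetChangesAll = $r.GetChangesAll
            CanDCSync     = ($r.GetChanges -and $r.GetChangesAll)
        }
    }
}

# Placeholder: replace with the AD DS Connector account shown in the Connect wizard
# (Azure AD Connect creates one named MSOL_<hex> when you let it choose).
$connectorAccount = 'CONTOSO\MSOL_0123456789ab'
$domainDN = (Get-ADDomain).DistinguishedName

$holders = Get-ReplicationRightHolders -DomainDN $domainDN | Sort-Object Identity
$holders | Format-Table -AutoSize

$connector = $holders | Where-Object { $_.Identity -eq $connectorAccount }
if ($connector -and $connector.CanDCSync) {
    "OK: $connectorAccount holds both replication rights on $domainDN; PHS can read password hashes."
} else {
    "MISSING: $connectorAccount lacks Replicating Directory Changes and/or Replicating Directory Changes All on $domainDN."
}

# Everything else that can DCSync. Domain controller groups and tier-0 admin groups
# are expected here; any other service account or user deserves investigation.
$holders | Where-Object { $_.CanDCSync -and $_.Identity -ne $connectorAccount }
```

The audit reads direct ACEs only; a principal that gets the rights through group membership shows up under the group name, so expand the membership of any group in the output before signing off. Because the connector account is DCSync-capable, protect it like a domain admin: a strong, unique password, no interactive logon, and the Connect server itself kept in the same tier as the domain controllers.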