How to troubleshoot password synchronization when using an Azure AD sync appliance
This article helps you troubleshoot common issues that you may encounter when you synchronize passwords from the on-premises environment to Microsoft Entra ID by using Microsoft Entra Connect.
Original product version: Cloud Services (Web roles/Worker roles), Microsoft Entra ID, Microsoft Intune, Azure Backup, Office 365 Identity Management
Original KB number: 2855271
Before you perform the troubleshooting steps, make sure that you have the latest version of Microsoft Entra Connect installed.
Additionally, make sure that directory synchronization is in a healthy state. For more information, see Troubleshoot object synchronization with Microsoft Entra Connect Sync.
In this scenario, passwords of most users appear to be syncing. However, there are some users whose passwords appear not to sync. The following are scenarios in which a user can't sign in to a Microsoft cloud service, such as Office 365, Azure, or Intune.
Scenario 1: The "User must change password at next logon" check box is selected for the user's account
To resolve this issue, follow these steps:
- Take one of the following actions:
  - In the user account properties in Active Directory Users and Computers, clear the User must change password at next logon check box.
  - Have the user change their on-premises user account password.
  - Enable the ForcePasswordChangeOnLogOn feature on the Microsoft Entra Connect server.
- Wait a few minutes for the change to sync between the on-premises Active Directory Domain Services (AD DS) and Microsoft Entra ID.
To resolve this issue, follow these steps:
- Have the user change their on-premises user account password.
- Wait a few minutes for the change to sync between the on-premises AD DS and Microsoft Entra ID.
Possible causes are duplicate user names or email addresses.
To resolve this issue, use the IdFix DirSync Error Remediation Tool (IdFix) to help identify potential object-related issues in the on-premises AD DS. You can install IdFix at the following Microsoft website: IdFix DirSync Error Remediation Tool
For more information about how to troubleshoot this issue, see One or more objects don't sync when using the Azure Active Directory Sync tool.
In this scenario, the user is moved into a scope that now allows the user to be synced. This can happen when filtering is configured for domains, organizational units, or attributes.
To resolve this issue, see the How to perform a full password sync section.
Scenario 5: Users can't sign in by using a new password but they can sign in by using their old password
In this scenario, you're using the Azure AD Sync Service together with password synchronization. After you disable and then re-enable directory synchronization, users can't sign in by using a new password. However, their old password still works.
To resolve this issue, re-enable password synchronization. To do it, start the Azure AD sync appliance Configuration Wizard, and then continue through the screens until you see the option to enable password synchronization.
In this scenario, the password hash doesn't successfully sync to the Azure AD Sync Service. If the user account was created in Active Directory running on a version of Windows Server earlier than Windows Server 2003, the account doesn't have a password hash.
In this scenario, passwords of all users appear not to sync. This usually occurs when one of the following conditions is true:
- The Synchronize now check box wasn't selected.
- You enabled password synchronization after directory sync already occurred.
- A full directory sync hasn't yet completed.
Important
Password sync will not start until a full directory sync has completed.
To resolve this issue, first make sure that you enable password synchronization. To do it, start the Azure AD sync appliance Configuration Wizard, and then continue through the screens until you see the option to enable password synchronization.
After password synchronization is enabled, you must do a full password sync. See the How to perform a full password sync section.
For more information, see Troubleshoot password hash synchronization with Microsoft Entra Connect Sync.
To troubleshoot this issue, see Troubleshoot password hash synchronization with Microsoft Entra Connect Sync.
To resolve this issue, see How to switch from Single Sign-On to Password Sync.
The following tables list event ID messages in the Application log that are related to password synchronization.
Event ID | Description | Cause |
---|---|---|
622 | Full password hash synchronization completed for domain: contoso.local | Full password synchronization cycle finishes retrieving the recent passwords from the on-premises AD DS domain. |
623 | Full password hash synchronization completed for forest: contoso.local | Full password synchronization cycle finishes retrieving the recent passwords from the on-premises AD DS forest. |
650 | Provision credentials batch start. Count: 1 | Password synchronization starts retrieving updated passwords from the on-premises AD DS. |
651 | Provision credentials batch end. Count: 1 | Password synchronization finishes retrieving updated passwords from the on-premises AD DS. |
653 | Provision credentials ping start. | Password synchronization starts informing Microsoft Entra ID that there are no passwords to be synced. It occurs every 30 minutes if no passwords have been updated in the on-premises AD DS. |
654 | Provision credentials ping end. | Password synchronization finishes informing Microsoft Entra ID that there are no passwords to be synced. It occurs every 30 minutes if no passwords were updated in the on-premises AD DS. |
656 | Password Change Request - Anchor : H552hI9GwEykZwosf74JeOQ==, Dn : CN=Viola Hanson,OU=Cloud Objects,DC=contoso,DC=local, Change Date : 05/01/2013 16:34:08 | Password synchronization indicates that a password change was detected and tries to sync it to Microsoft Entra ID. It identifies the user or users whose password changed and will be synced. Each batch contains at least one user and at most 50 users. |
657 | Password Change Result - Anchor : eX5b50Rf+UizRIMe2CA/tg==, Dn : CN=Viola Hanson,OU=Cloud Objects,DC=contoso,DC=local, Result : Success. | Users whose password successfully synced. |
657 | Password Change Result - Anchor : eX5b50Rf+UizRIMe2CA/tg==, Dn : CN=Viola Hanson,OU=Cloud Objects,DC=contoso,DC=local, Result : Failed. | Users whose password didn't sync. |
Event ID | Description | Cause | More information |
---|---|---|---|
0 | The following password changes failed to synchronized and have scheduled for retry. DN = CN=Eli McLean,OU=Cloud Objects,DC=contoso,DC=local | User or users whose password wasn't synced | Configure directory synchronization; One or more objects don't sync when using the Azure Active Directory Sync tool |
115 | Access to Windows Azure Active Directory has been denied. Contact Technical Support. | Microsoft Entra credentials were updated through Forefront Identity Manager (FIM). | Run the Microsoft Entra Configuration Wizard again. See Password hash synchronization stops working after you update Microsoft Entra credentials in FIM |
657 | Password Change Result - Anchor : B0H+OD3LM0GEnYODwdPhpg==, Result : failed, Extended Error : | User or users whose password wasn't synced | Configure directory synchronization; One or more objects don't sync when using the Azure Active Directory Sync tool |
Event ID | Description | Cause | More information |
---|---|---|---|
0 | The user name or password is incorrect. Verify your user name, and then type your password again. | Microsoft Entra credentials were updated through Forefront Identity Manager (FIM). | Run the Microsoft Entra Configuration Wizard again. See Password hash synchronization stops working after you update Microsoft Entra credentials in FIM |
611 | Password synchronization failed for domain: Contoso.com .Microsoft.Online.PasswordSynchronization.SynchronizationManagerException: Recovery task failed. ---> Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: RPC Error 8439 : The distinguished name specified for this replication operation is invalid. There was an error calling _IDL_DRSGetNCChanges. | Windows Server 2003 domain controllers handle certain scenarios unexpectedly. | Password hash synchronization for Microsoft Entra ID stops working and Event ID 611 is logged |
611 | Password synchronization failed for domain: Contoso.com .Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: RPC Error 8593 : The directory service cannot perform the requested operation because the servers involved are of different replication epochs (which is usually related to a domain rename that is in progress). | This was a known issue that was fixed in Azure Active Directory Sync tool build 1.0.6455.0807. | To resolve this issue, update to the latest version of the Azure Active Directory Sync tool. |
611 | Password synchronization failed for domain: Contoso.com System.ArgumentOutOfRangeException: Not a valid Win32 | This was a known issue that was fixed in Azure Active Directory Sync tool build 1.0.6455.0807. | To resolve this issue, update to the latest version of the Azure Active Directory Sync tool. |
611 | Password synchronization failed for domain: Contoso.com .System.ArgumentException: An item with the same key has already been added. | This was a known issue that was fixed in Azure Active Directory Sync tool build 1.0.6455.0807. | To resolve this issue, update to the latest version of the Azure Active Directory Sync tool. |
652 | Failed credential provisioning batch. Error: Microsoft.Online.Coexistence.ProvisionException: An error occurred. Error Code: 90. Error Description: Password Synchronization has not been activated for this company. Tracking ID: 07e93e8a-cf2d-4f67-9e95-53169c4875e0 Server Name: BL2GR1BBA003. ---> System.ServiceModel.FaultException1[Microsoft.Online.Coexistence.Schema.AdminWebServiceFault]: Password Synchronization has not been activated for this company. (Fault Detail is equal to Microsoft.Online.Coexistence.Schema.AdminWebServiceFault). | Password synchronization failed when retrieving updated passwords from the on-premises AD DS. | Configure directory synchronization; One or more objects don't sync when using the Azure Active Directory Sync tool |
652 | Failed credential provisioning batch. Error: Microsoft.Online.Coexistence. ProvisionRetryException : An error occurred. Error Code: 81. Error Description: Windows Azure Active Directory is currently busy. This operation will be retried automatically. | This was a known issue that was fixed in Azure Active Directory Sync tool build 1.0.6455.0807. | To resolve this issue, update to the latest version of the Azure Active Directory Sync tool. |
655 | Failed credential provisioning ping. Error: Microsoft.Online.Coexistence.ProvisionException: An error occurred. Error Code: 90. Error Description: Password Synchronization has not been activated for this company. Tracking ID: 0744fa31-1d9b-453a-83d8-c2555d843802 Server Name: BL2GR1BBA005. ---> System.ServiceModel.FaultException1[Microsoft.Online.Coexistence.Schema.AdminWebServiceFault]: Password Synchronization has not been activated for this company. (Fault Detail is equal to Microsoft.Online.Coexistence.Schema.AdminWebServiceFault). | Password synchronization failed to inform Microsoft Entra ID that there are no passwords to be synced. It occurs every 30 minutes. | Configure directory synchronization; One or more objects don't sync when using the Azure Active Directory Sync tool |
655 | The user name or password is incorrect. Verify your user name, and then type your password again. | Microsoft Entra credentials were updated through FIM. | Run the Microsoft Entra Configuration Wizard again. See the following Microsoft Knowledge Base article: Password hash synchronization stops working after updating Microsoft Entra credentials in FIM |
6900 | The server encountered an unexpected error while processing a password change notification: "The user name or password is incorrect. Verify your user name, and then type your password again. | Microsoft Entra credentials were updated through FIM. | Run the Microsoft Entra Configuration Wizard again. See the following Microsoft Knowledge Base article: Password hash synchronization stops working after updating Microsoft Entra credentials in FIM |
6900 | The server encountered an unexpected error while processing a password change notification: "An error occurred. Error Code: 90. Error Description: Password Synchronization has not been activated for this company | Password sync isn't enabled for the organization. | See the following Microsoft Knowledge Base article: User passwords aren't synced, and "Password Synchronization has not been activated for this company" error is logged in Event Viewer |
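As an added example (not code from this article or from Microsoft Entra Connect), the following PowerShell script reads the Application log on the sync server and summarizes the event IDs listed in the tables above: it counts the informational heartbeat events, pulls the user DNs out of failed 657 results, and groups the warning and error IDs with the likely cause the tables give. The -Hours parameter and the cause strings are this example's own, and no event source is filtered because the tables name only the log.

```powershell
# Added example, not from the KB article: summarize password hash sync event IDs
# from the tables above. Assumptions: -Hours is this script's own parameter, the
# cause strings paraphrase the tables, and no event source filter is applied.
param([int]$Hours = 24)

# 622/623 full cycle, 650/651 batch, 653/654 ping, 656 change detected: these show
# the sync engine is alive. 657 is the per-user result; the rest signal problems.
$informational = 622, 623, 650, 651, 653, 654, 656
$problemCauses = @{
    115  = 'Access to Entra ID denied: credentials updated through FIM; rerun the Configuration Wizard'
    611  = 'Password sync failed for a domain: DRS/RPC error, old sync tool build, or Windows Server 2003 DC'
    652  = 'Credential provisioning batch failed (Error Code 90: sync not activated; Error Code 81: busy/retry)'
    655  = 'Credential provisioning ping failed (Error Code 90, or stale Entra credentials)'
    6900 = 'Password change notification failed: stale credentials or password sync not activated'
}

$events = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Application'
        Id        = $informational + 657 + @($problemCauses.Keys)
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue)

# Heartbeat: no 650-654 events in the window means the engine isn't polling AD DS at all.
$heartbeat = @($events | Where-Object { $_.Id -in $informational }).Count

# Event 657 carries "Result : Success" or "Result : Failed" and usually the user's DN.
$failedDns = $events |
    Where-Object { $_.Id -eq 657 -and $_.Message -match 'Result\s*:\s*Failed' } |
    ForEach-Object {
        if ($_.Message -match 'Dn\s*:\s*(.+?),\s*Result\s*:') { $Matches[1] } else { '<DN not in message>' }
    } | Sort-Object -Unique

# Group the problem IDs and attach the likely cause from the tables.
$problems = $events |
    Where-Object { $problemCauses.ContainsKey([int]$_.Id) } |
    Group-Object Id |
    ForEach-Object {
        [pscustomobject]@{ Id = [int]$_.Name; Count = $_.Count; LikelyCause = $problemCauses[[int]$_.Name] }
    }

[pscustomobject]@{
    WindowHours     = $Hours
    HeartbeatEvents = $heartbeat
    Failed657Users  = @($failedDns)
    ProblemEvents   = @($problems)
}
```

Run it in an elevated PowerShell session on the sync server; a zero HeartbeatEvents count with a non-empty ProblemEvents list points at the Scenario 7 conditions (password sync not enabled or full sync not completed) before any per-user cause is investigated.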
To do a full password sync, follow these steps, as appropriate for the Azure AD Sync appliance that you're using.
If you're using the Azure Active Directory Sync tool:
On the server where the tool is installed, open PowerShell, and then run the following command:
Import-Module DirSync
Run the following commands:
Set-FullPasswordSync
Restart-Service FIMSynchronizationService -Force
If you're using the Azure AD Sync Service or Microsoft Entra Connect, run the script that's on this page: Azure AD Sync: How to Use PowerShell to Trigger a Full Password Sync