How to troubleshoot password sync issues on Office365 and Azure AD on AD Connect and DirSync
We often come across issues where, all of a sudden, passwords stop syncing to Office 365 and Azure AD. It is not known why this happens, but there is certainly a fix for it. Before you start troubleshooting, however, look at the events in Event Viewer, because it is quite possible that you are looking in the wrong direction.
If password sync has stopped working you should come across events such as 611 (as shown in the image below), but this is not the only event you will see; there may be others such as 0, 605, etc. It is quite important to study the events before you draw a conclusion. I have seen situations where DirSync is broken or there is a duplicate identity in the cloud, and people assume it is a password sync issue.
If you are using DirSync the troubleshooting is quite simple. Here are the steps:-
Launch PowerShell as Administrator on the DirSync server (note: this works for the latest versions of DirSync).
Run the command Import-Module DirSync
Run the command Set-FullPasswordSync
Restart the FIM service (Forefront Identity Manager Service). This forces a full password sync, and you should see events 656 and 657, which means password sync is working. Make sure you see both 656 and 657: if you only get 656, there is still an issue with password sync.
Now let's talk about AD Connect. Prior to AD Connect, Microsoft released a tool called Microsoft Azure AD Sync. This was a major update of the existing DirSync tool, which is still available and supported by Microsoft. Although this tool came with many new features, such as password writeback, it had a major speed bump when it came to troubleshooting password sync: you have to key in a series of PowerShell commands to get it fixed. Fortunately, if you don't know the commands you are at the right place, and these commands work in AD Connect as well.
The commands are as follows:-
Open a PowerShell window as an Administrator
Run the command Import-Module ADSync
Run the command $Conn = Get-ADSyncConnector | Select Name
Once that command has run, run $Conn; this shows you the names of the connectors. You should see two connectors, one for the local AD and the other the Azure AD connector. Note down the order in which they appear, because in the next command the order gives you the index of the array element in which each connector has been stored. If the local AD connector appears first its index is 0; if it appears second its index is 1.
Next, run the command
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $Conn[0].Name -TargetConnector $Conn[1].Name -Enable $false
(this assumes the local AD connector is at index 0 and the Azure AD connector at index 1; swap the indices if they appeared in the other order). Make sure that the source connector is the local AD connector, as the source of authority (SOA) for password sync is the local AD.
Next, run
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $Conn[0].Name -TargetConnector $Conn[1].Name -Enable $true
Once you have run the commands above you should see two messages stating "Password Sync Hash has been updated", as shown in the image below. Check for events 656 and 657; the issue will be resolved.
Note:- Make sure you don't copy and paste these commands: as they are in HTML format there may be white space that causes issues.
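The AD Connect procedure above, as an added example script that is not from the original post: it selects the connectors by type instead of by array index (so the source and target cannot be swapped by accident), toggles password hash sync off and on, and then checks the event log for both 656 and 657. It assumes the ADSync module is installed, that the local AD connector reports ConnectorTypeName 'AD' and the remaining connector is the Azure AD connector, and that events 656/657 are written to the Application log by the 'Directory Synchronization' provider; the two-minute wait is also an assumption.

```powershell
# Added example (not the original post's code). Run in an elevated PowerShell
# session on the Azure AD Connect server.
Import-Module ADSync

# Assumption: the on-premises connector has ConnectorTypeName 'AD'; the other
# connector is the Azure AD connector. Selecting by type avoids depending on
# the order in which Get-ADSyncConnector lists them.
$connectors   = @(Get-ADSyncConnector)
$adConnector  = $connectors | Where-Object { $_.ConnectorTypeName -eq 'AD' } | Select-Object -First 1
$aadConnector = $connectors | Where-Object { $_.ConnectorTypeName -ne 'AD' } | Select-Object -First 1
if (-not $adConnector -or -not $aadConnector) {
    throw "Expected one local AD connector and one Azure AD connector; found $($connectors.Count) connector(s)."
}
Write-Host "Source (local AD, SOA): $($adConnector.Name)"
Write-Host "Target (Azure AD)     : $($aadConnector.Name)"

# Show the current password sync configuration before changing it.
Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector.Name

# Disable and re-enable password hash sync; the local AD connector must be the
# source because it is the source of authority for passwords.
$started = Get-Date
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector.Name `
    -TargetConnector $aadConnector.Name -Enable $false
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector.Name `
    -TargetConnector $aadConnector.Name -Enable $true

# Give the next password sync cycle time to run (assumed interval), then look
# for events 656 and 657 logged since the change. Both must be present.
Start-Sleep -Seconds 120
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Directory Synchronization'   # assumed provider name
    Id           = 656, 657
    StartTime    = $started
} -ErrorAction SilentlyContinue
$ids = @($events | Select-Object -ExpandProperty Id -Unique)
if (($ids -contains 656) -and ($ids -contains 657)) {
    Write-Host 'Password sync confirmed: both 656 and 657 were logged.'
} elseif ($ids -contains 656) {
    Write-Warning 'Only 656 was logged; password sync still has an issue.'
} else {
    Write-Warning 'No 656/657 logged yet; check the Application log for 611, 605 or 0 before concluding.'
}
```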