Azure AD Connect Password sync: no recent synchronization


In this article, we will look at the issue of syncing passwords from on-premises Active Directory to Azure via Azure AD Connect.

The following warning appeared on the Azure portal:

Azure AD Connect
Password sync: no recent synchronization


The issue occurred after shutting down the Windows Server host with the Azure AD Connect role for several hours during infrastructure downtime. Synchronizing user attributes from the on-prem AD to Azure worked fine, but password synchronization stopped working.

You can use the Invoke-ADSyncDiagnostics cmdlet to troubleshoot Azure AD Connect password synchronization problems:

Import-Module ADSyncDiagnostics
Invoke-ADSyncDiagnostics -PasswordSync

The Invoke-ADSyncDiagnostics cmdlet is part of the ADSyncDiagnostics PowerShell module, which is installed together with Azure AD Connect.

In our case, the command returned:

Password hash synchronization cloud configuration is enabled.
Password hash synchronization is enabled.
No password hash synchronization heartbeat is detected.


According to Microsoft documentation, each connector has its own password synchronization channel. If the password synchronization channel is established, but the connector doesn’t need to sync password changes (passwords in the on-premises AD DS have not been updated), then a heartbeat event with EventID 654 will be generated in the Application event log every 30 minutes:

Provision credentials ping end.

If Invoke-ADSyncDiagnostics finds no such events in the Application log for the last three hours, it reports the missing heartbeat as an error.
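The heartbeat check described above can also be run directly against the Application log; the following script is an added example, not code from the original article, and it assumes that Azure AD Connect writes these events under the event source name "Directory Synchronization" (adjust the $ProviderName parameter if your events show a different source).

```powershell
# Added example: look for the PHS heartbeat event (EventID 654) in the
# Application log within the same three-hour window Invoke-ADSyncDiagnostics uses.
# Assumption: the event source is "Directory Synchronization".
function Test-PhsHeartbeat {
    param(
        [int]$MaxAgeHours = 3,
        [string]$ProviderName = 'Directory Synchronization'
    )
    $since  = (Get-Date).AddHours(-$MaxAgeHours)
    $filter = @{
        LogName      = 'Application'
        ProviderName = $ProviderName
        Id           = 654
        StartTime    = $since
    }
    # Get-WinEvent raises a non-terminating error when nothing matches,
    # so suppress it and treat an empty result as "no heartbeat".
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated -Descending

    if (-not $events) {
        return [pscustomobject]@{
            Healthy        = $false
            LastHeartbeat  = $null
            AgeMinutes     = $null
            HeartbeatCount = 0
            Message        = "No EventID 654 heartbeat in the last $MaxAgeHours hours"
        }
    }

    $last = $events[0].TimeCreated
    $age  = [int]((Get-Date) - $last).TotalMinutes
    [pscustomobject]@{
        Healthy        = $true
        LastHeartbeat  = $last
        AgeMinutes     = $age
        HeartbeatCount = @($events).Count
        Message        = "Latest heartbeat $age minutes ago (expected roughly every 30 minutes)"
    }
}

# Run on the Azure AD Connect server in an elevated PowerShell session
Test-PhsHeartbeat | Format-List
```

A healthy server should show roughly six heartbeats in the three-hour window; a HeartbeatCount of zero matches the "No password hash synchronization heartbeat is detected" result from Invoke-ADSyncDiagnostics.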

If there is no heartbeat, you need to do a full sync of all passwords using the following PowerShell script:

$adConnector = "<AD_CONNECTOR_NAME_CASE_SENSITIVE>"
$aadConnector = "<AAD_CONNECTOR_NAME_CASE_SENSITIVE>"
Import-Module adsync
$c = Get-ADSyncConnector -Name $adConnector
# Create the connector-global parameter that forces a full password sync
$p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter `
    "Microsoft.Synchronize.ForceFullPasswordSync", `
    String, ConnectorGlobal, $null, $null, $null
$p.Value = 1
# Replace any existing parameter with the same name, then save the connector
$c.GlobalParameters.Remove($p.Name)
$c.GlobalParameters.Add($p)
$c = Add-ADSyncConnector -Connector $c
# Disable and re-enable password hash sync to restart the sync channel
Set-ADSyncAADPasswordSyncConfiguration `
    -SourceConnector $adConnector `
    -TargetConnector $aadConnector -Enable $false
Set-ADSyncAADPasswordSyncConfiguration `
    -SourceConnector $adConnector `
    -TargetConnector $aadConnector -Enable $true

Set the names of your connectors in the values of the $adConnector and $aadConnector variables (they are case-sensitive!). They can be obtained with the command:

Get-ADSyncConnector | Select Type,Name

After executing the script, the following message should appear:

Password Hash Sync Configuration for source "yourdomain" updated.

Wait a little while and run the command again:

Invoke-ADSyncDiagnostics

The following message should appear:

The latest password hash synchronization heartbeat is detected at xx/xx/xx

The Azure portal (or Microsoft 365 admin center) also displays a message that password sync is now working:

Password sync: recent synchronization

