In this article, we will look at the issue of syncing passwords from on-premises Active Directory to Azure via Azure AD Connect.
The following warning appeared on the Azure portal:
Azure AD Connect
Password sync: no recent synchronization
The issue occurred after shutting down the Windows Server host with the Azure AD Connect role for several hours during infrastructure downtime. Synchronizing user attributes from the on-prem AD to Azure worked fine, but password synchronization stopped working.
You can use the Invoke-ADSyncDiagnostics
command to troubleshoot Azure AD connect password synchronization problems:
Import-Module ADSyncDiagnostics
Invoke-ADSyncDiagnostics -PasswordSync
Invoke-ADSyncDiagnostics
cmdlet is part of the ADSyncDiagnostics PowerShell module. It is installed together with the Azure AD Connect. In our case, the command returned:
Password hash synchronization cloud configuration is enabled.
Password hash synchronization is enabled.
No password hash synchronization heartbeat is detected.
According to Microsoft documentation, each connector has its own password synchronization channel. If the password synchronization channel is established, but the connector doesn’t need to sync password changes (passwords in the on-premises AD DS have not been updated), then a heartbeat event with EventID 654 will be generated in the Application event log every 30 minutes:
Provision credentials ping end.
If, after running Invoke-ADSyncDiagnostics
, there are no such events in the log for the last three hours, an error is returned.
If there is no heartbeat, you need to do a full sync of all passwords using the following PowerShell script:
$adConnector = "<AD_CONNECTOR_NAME_CASE_SENSITIVE>"
$aadConnector = "<AAD_CONNECTOR_NAME_CASE_SENSITIVE>"
Import-Module adsync
$c = Get-ADSyncConnector -Name $adConnector
$p = New-Object Microsoft.IdentityManagement.PowerShell.
ObjectModel.ConfigurationParameter `
"Microsoft.Synchronize.ForceFullPasswordSync", `
String, ConnectorGlobal, $null, $null, $null
$p.Value = 1
$c.GlobalParameters.Remove($p.Name)
$c.GlobalParameters.Add($p)
$c = Add-ADSyncConnector -Connector $c
Set-ADSyncAADPasswordSyncConfiguration `
-SourceConnector $adConnector `
-TargetConnector $aadConnector -Enable $false
Set-ADSyncAADPasswordSyncConfiguration `
-SourceConnector $adConnector `
-TargetConnector $aadConnector -Enable $true
Set the names of your connectors in the values of the $adConnector and $aadConnector variables (they are case-sensitive!). They can be obtained with the command:
Get-ADSyncConnector | Select Type,Name
After executing the script, the following message should appear:
Password Hash Sync Configuration for source "yourdomain" updated.
Wait for a little and run the command again
Invoke-ADSyncDiagnostics
The following message should appear:
The latest password hash synchronization heartbeat is detected at xx/xx/xx
If you then run Invoke-ADSyncDiagnostics, the result will be as follows:
The Azure portal (or Microsoft 365 admin center) also displays a message that password sync is now working:
Password sync: recent synchronization