Forum Discussion
Users are AD synced, but not able to sync password
Hi,
We use Entra ID Sync from on-premises AD to Entra. In Entra, users are shown as synced.
For some reason it is not possible that the password set in AD is synced to Entra. Furthermore, I am able to reset the password in the admin center.
On the other hand, in Entra itself I cannot change the password.
How do I fix this? The problem is that a user must change passwords twice: first in AD and second in the Admin Center. The latter is needed so he can use Teams etc.
I checked the Entra ID Sync, but that works fine from what I can judge. Password writeback is disabled.
3 Replies
- TomerN (Copper Contributor)
When you use Entra Connect, you need to make sure Password Hash Sync is enabled. You can easily query it using Graph:
https://graph.microsoft.com/v1.0/directory/onPremisesSynchronization
And in the features attribute there, check if passwordSyncEnabled is True.
If it is enabled, you've got to make sure the users whose passwords you want to sync are also synced to Entra ID. You can view it in the UI by checking whether they have Synced "Yes"/"No". If they are not synced and you want their password hash to sync, you can do it using Soft Matching with the proxy address: https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-install-existing-tenant
If they are synced and you have password hash sync enabled, the problem might be a bit more complicated. But I would start with the following checks.
- Yasemin (Brass Contributor)
On your screenshot of the list of users in Entra ID you can see the column "On-premises sync enabled" and the status for each user. One possible cause for the inconsistencies you're describing would be that some users are getting synced and some are not.
When you can't reset the password from Entra ID, check if the status of the on-premises sync is enabled. When checking the password reset from the M365 admin center, make sure to check the exact same user's UPN that you're checking in Entra ID.
You would need to check if the users whose "On-premises sync enabled" status is set to "No" are in the correct OU in your AD, that is, the one scoped to sync with Entra.
If they are in the same OU, check if there are any other sync filters / rules preventing some users from syncing.
Check the Entra Connect Health status for errors. URL of the blade in Entra ID: https://entra.microsoft.com/#view/Microsoft_Azure_ADHybridHealth/AadHealthMenuBlade/~/SyncErrors
Common causes for sync conflicts are UPN and primary SMTP address attributes.
I recommend reproducing the sync issue with a test account and then going through the steps that could resolve it, while minimizing user interruptions first.
- Yasemin (Brass Contributor)
Also, when all the sync conflicts are resolved and all users are only using one password, you can then configure password writeback. As the name implies, this enables a password change in Entra ID to be written back to AD. But I wouldn't go forward with this configuration if there are still users who are not synced but should be; this seems to me like the more pressing issue.
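The two checks suggested in the replies above (the tenant-level passwordSyncEnabled flag from the onPremisesSynchronization Graph endpoint, and the per-user "On-premises sync enabled" state) can be run together from Microsoft Graph PowerShell. This is an added example, not code from the thread; it assumes the Microsoft.Graph module is installed, that you can consent to the two read-only scopes, and the UPNs in $Upns are constructed placeholders.

```powershell
# Added example: verify Password Hash Sync at tenant level and the sync state of specific users.
# Assumes Microsoft.Graph PowerShell is installed; read-only scopes only, nothing is changed.
Import-Module Microsoft.Graph.Authentication

$Upns = @('alice@contoso.example', 'bob@contoso.example')   # constructed sample UPNs

Connect-MgGraph -Scopes 'OnPremDirectorySynchronization.Read.All', 'User.Read.All' -NoWelcome

# 1. Tenant-level check: the endpoint named in the thread, features.passwordSyncEnabled
$sync = Invoke-MgGraphRequest -Method GET `
    -Uri 'https://graph.microsoft.com/v1.0/directory/onPremisesSynchronization'
$features = $sync.value[0].features
if (-not $features.passwordSyncEnabled) {
    Write-Warning 'Password Hash Sync is DISABLED in Entra Connect; AD password changes will not reach Entra ID.'
} else {
    Write-Host 'Password Hash Sync is enabled at the tenant level.'
}
Write-Host ('Password writeback enabled: {0}' -f [bool]$features.passwordWritebackEnabled)

# 2. Per-user check: the "On-premises sync enabled" column, the source OU (to confirm the
#    account sits in an OU scoped for sync), and when Entra last recorded a password change.
$select = '$select=userPrincipalName,onPremisesSyncEnabled,onPremisesLastSyncDateTime,' +
          'lastPasswordChangeDateTime,onPremisesDistinguishedName'
foreach ($upn in $Upns) {
    $uri = 'https://graph.microsoft.com/v1.0/users/' + $upn + '?' + $select
    try {
        $u = Invoke-MgGraphRequest -Method GET -Uri $uri
        [pscustomobject]@{
            UPN                = $u.userPrincipalName
            SyncedFromAD       = [bool]$u.onPremisesSyncEnabled   # $false = cloud-only account
            SourceOU           = $u.onPremisesDistinguishedName   # empty for cloud-only accounts
            LastSync           = $u.onPremisesLastSyncDateTime
            LastPasswordChange = $u.lastPasswordChangeDateTime
        }
    } catch {
        Write-Warning ("Could not read {0}: {1}" -f $upn, $_.Exception.Message)
    }
}
```

A user reported as SyncedFromAD = $false while the same UPN exists in AD is the soft-match / OU-scoping case described above; a user that is synced but whose LastPasswordChange predates the AD change points at Password Hash Sync itself.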