PowerShell Basics: How to Force a Full Password Sync in AzureAD Connect
Published Oct 10 2019 12:01 AM 38.8K Views
Microsoft

Before starting this post, the team would like to thank the PowerShell community on Reddit for all the contributions they shared and for their support in exploring PowerShell automation capabilities. The outpouring of suggestions and sharing of scripts was awesome and has resulted in another question for us as a community to address.


After reading the previous PowerShell Basics article, some from the ITPRO community have reached out asking how to force a sync of only passwords rather than the entire contents of Active Directory. It appears the ask comes in light of troubleshooting Office 365 password sync issues. This post will focus on the steps to address this via PowerShell.

Let's begin.

  1. Run PowerShell.

  2. Assign the local Active Directory connector name to $adConnector. Remember that it is case sensitive:

    $adConnector = "<insert local connector name here>"

  3. Assign the Azure AD connector name to $aadConnector. Remember that it is case sensitive:

    $aadConnector = "<insert AzureAD connector name here>"

  4. Import the ADSync module:

    Import-Module ADSync

  5. Retrieve the local Active Directory connector object:

    $c = Get-ADSyncConnector -Name $adConnector

  6. Create a new ForceFullPasswordSync configuration parameter and update the existing connector with it. Remember to enter each line separately:

    $p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter "Microsoft.Synchronize.ForceFullPasswordSync", String, ConnectorGlobal, $null, $null, $null
    $p.Value = 1
    $c.GlobalParameters.Remove($p.Name)
    $c.GlobalParameters.Add($p)
    $c = Add-ADSyncConnector -Connector $c

  7. Disable password hash synchronization between the two connectors:

    Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $false

  8. Re-enable it to force a full password synchronization:

    Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $true
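As an added example (not code from the original post or from Microsoft), here is the whole procedure in one script: it discovers the two connector names instead of typing them (which sidesteps the case-sensitivity trap), forces the full password hash sync, and then checks that sync was actually re-enabled. It assumes the installer's default connector naming, the ConnectorTypeName and Enabled property names, and the event IDs noted in the comments.

```powershell
# Added example: force a full password hash sync with discovered connector names.
# Assumes it runs elevated on the Azure AD Connect server.
# Assumption: the on-premises connector reports ConnectorTypeName "AD" and the
# Azure AD connector is the one whose Name ends in " - AAD" (installer default).
Import-Module ADSync -ErrorAction Stop

$connectors = Get-ADSyncConnector
$ad  = $connectors | Where-Object { $_.ConnectorTypeName -eq 'AD' } | Select-Object -First 1
$aad = $connectors | Where-Object { $_.Name -like '* - AAD' }       | Select-Object -First 1
if (-not $ad -or -not $aad) {
    throw "Could not identify both connectors; names seen: $($connectors.Name -join ', ')"
}
# Downstream cmdlets match names case-sensitively, so take them from the objects.
$adConnector  = $ad.Name
$aadConnector = $aad.Name
Write-Host "AD connector: '$adConnector'  Azure AD connector: '$aadConnector'"

# Set the ForceFullPasswordSync global parameter on the AD connector
# (same ConfigurationParameter constructor the post uses).
$c = Get-ADSyncConnector -Name $adConnector
$p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter `
        "Microsoft.Synchronize.ForceFullPasswordSync", String, ConnectorGlobal, $null, $null, $null
$p.Value = 1
$null = $c.GlobalParameters.Remove($p.Name)   # ignore the "not present" result on first run
$c.GlobalParameters.Add($p)
$c = Add-ADSyncConnector -Connector $c

# Toggle password hash sync off and back on; the re-enable triggers the full sync.
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $false
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $true

# Verify the feature is back on before walking away (assumes an Enabled property).
$cfg = Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector
if (-not $cfg.Enabled) { throw "Password hash sync is still disabled for '$adConnector'" }

# Show recent password sync activity from the Application log. Assumed IDs:
# 656 = sync request, 657 = sync result, provider 'Directory Synchronization'.
Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'Directory Synchronization'
        Id = 656, 657; StartTime = (Get-Date).AddMinutes(-10)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap -AutoSize
```

Event 657 entries reporting failures for specific objects are the place to start when the full sync finishes but individual users still cannot sign in.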

Synchronization of legacy password hashes to Azure AD may take some time, depending on the directory size in terms of the number of accounts and groups. Once completed, the passwords are synchronized to Azure AD, followed by syncing to the Azure AD DS managed domain.

Microsoft also provides a great document entitled "Troubleshoot password hash synchronization with Azure AD Connect sync", which details additional tactics to address possible sync issues.

10 Comments
Brass Contributor

How can I sync a password for a single user only?

I can do it in the troubleshooting tool in AAD Connect, but I can't find the PS commands to do it?

 

I have a problem when we create new users that are disabled.

1. New user = disabled in AD

2. User synced to Azure AD by AAD Connect.

3. Flag "user must change password next logon" is set. (Here I hoped the password would already be synced, but apparently not.)

4. Then I enable the user.

5. Sync again to AAD.

6. User unable to sign in (no password hash is synced).

7. I try removing the flag "user must change password next logon", and wait a little.

8. User still not able to sign in (no password is synced).

I then found out in the metaverse object log, it says: passwordsync: filteredByTarget.
The docs say it is because the must change pw flag is set. BUT IT IS NOT

And userAccountControl says 512 = enabled, and pwdLastSet is a date, and not "0".

And I think this is a bug. But anyhow, I want to manually sync this user's PH to AAD.

Only when I reset the user's password does it get synced again, with no other modifications.


Brass Contributor

I found an answer to my own question :)

An undocumented command in the AAD Connect module:

Invoke-ADSyncCSObjectPasswordHashSync -ConnectorName Domain.com -DistinguishedName

It will sync the password hash of a single user object to AAD.
If it fails, it is because the flag "user must change password at next logon" is set; remove it and you can sync instantly.

@Micki Wulffeld This is now supported.

Public Preview of synchronizing temporary passwords and "Force Password on Next Logon"

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-password-hash-synchron...

Brass Contributor

Thanks, and I have seen it, but it is in preview/beta (not for production environments). So we are waiting for the GA.

Do you know any ETA on GA?

@Micki Wulffeld Public Preview is fully supported and can be implemented for production, and cannot be compared to the traditional beta programs which are not released for production use. But if there is a business restriction in taking up something in public preview, we completely understand. Most of our public previews go into GA within 12 months of public preview.

Brass Contributor

Jithesh Raj (JR)

Generally we don't implement preview features in production, because many of them are (understandably) not fully ready.

Take for example https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-staged-rollout
There are some unsupported scenarios, and that is fully understandable.

I personally think it is a good strategy to develop / release fast with the preview feature.

I also found this https://docs.microsoft.com/en-us/power-platform/admin/what-are-preview-features-how-do-i-enable-them

I know it does not relate directly to all preview features, but the above link is my understanding of public preview.

So maybe you can put it this way: Private preview is Beta, Public preview is RC?


That last part is about right. But I am a little surprised that you are open to using a cmdlet you mentioned above which is not documented (not supported) but hesitant to use a public preview that the product group is saying can be used in production. Public previews have a few caveats, and when we say some things are not supported, it might stay that way even when we go GA, due to the fact that the feature was not built to support those methods. You will find unsupported methods in features which are in GA as well, so that may not be a great example to define public previews.


Brass Contributor

I think the key word here is "Product Group".

I accept when you say Public Preview of synchronizing temporary passwords and "Force Password on Next Logon" is supported.

But generally you cannot say that, and therefore I cannot answer to my organisation by implementing preview features in production.
I have, for example, experienced that the preview of Outlook online did not comply with GAL segmentation, and therefore did not comply with company policy.
And that might have been a bug / not yet developed.

@Micki Wulffeld I agree with you. It is important to know if the previews are signed off for production use or not. In some cases we also explicitly call this out in our docs as well. If you need any support on the Staged Rollout feature, please let me know.

Copper Contributor

There is a typo in step 3 (or in steps 7 & 8)

$aadConnector = "<insert AzureAD connector name here>"

should be:
$azureadConnector = "<insert AzureAD connector name here>"

Version history
Last update: May 04 2021 07:21 AM