
Force password sync with Azure AD Connect

We migrated from ADFS to Password Hash Synchronization (PHS). Azure AD Connect synchronizes password hashes every 2 minutes, but sometimes you need to force a full password sync, for example right after the migration. In this article, you will learn how to force password sync with Azure AD Connect.

Introduction

Make sure that you have Azure AD Connect installed before you proceed further. If you want to force sync Azure AD Connect, read more in Force sync Azure AD Connect with PowerShell.

Get AD sync connector

First, we need the names of the local AD connector and the Azure AD connector, because the script uses both. Sign in to the Azure AD Connect server, start Windows PowerShell, and run the Get-ADSyncConnector cmdlet to list the sync connectors.

PS C:\> Get-ADSyncConnector | Select Type,Name

Type        Name
----        ----
Extensible2 exoip365.onmicrosoft.com - AAD
AD          exoip.local

In the next step, we will add both connector names to the script.

Trigger full sync of all passwords

Copy and paste the script below into PowerShell ISE, replace the local AD and Azure AD connector names with your own, and run it to trigger a full sync of all passwords.

# Assign the local AD and Azure AD connector names and remember they are case sensitive
$adConnector  = "exoip.local"
$aadConnector = "exoip365.onmicrosoft.com - AAD"

# Import the ADSync module
Import-Module ADSync

# Get the local AD connector object
$c = Get-ADSyncConnector -Name $adConnector

# Create the ForceFullPasswordSync configuration parameter and store it in the connector's global parameters
$p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter "Microsoft.Synchronize.ForceFullPasswordSync", String, ConnectorGlobal, $null, $null, $null
$p.Value = 1
$c.GlobalParameters.Remove($p.Name)
$c.GlobalParameters.Add($p)
$c = Add-ADSyncConnector -Connector $c

# Disable password hash synchronization for this connector
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $false

# Re-enable password hash synchronization to force a full sync of all password hashes
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $true

After you run the script, it shows the following output.

True
Password Hash Sync Configuration for source "exoip.local" updated.
Password Hash Sync Configuration for source "exoip.local" updated.
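The script above hard-codes a single AD connector. The following added example (not from the original post) generalizes it: it discovers the connector names from Get-ADSyncConnector, forces a full password hash sync for every AD connector (so it also covers a multi-domain or multi-forest setup), and confirms afterwards that password hash sync is enabled again. It assumes you run it in an elevated PowerShell session on the Azure AD Connect server as a member of the ADSyncAdmins group, and that the Azure AD connector is the Extensible2 connector whose name ends with "- AAD".

```powershell
# Added example: force a full password hash sync for all AD connectors.
# Assumption: run elevated on the Azure AD Connect server by an ADSyncAdmins member.
Import-Module ADSync

# Azure AD connector: Type Extensible2, name "<tenant>.onmicrosoft.com - AAD" (assumed convention)
$aadConnector = (Get-ADSyncConnector |
    Where-Object { $_.Type -eq 'Extensible2' -and $_.Name -like '* - AAD' } |
    Select-Object -First 1).Name
if (-not $aadConnector) { throw "No Azure AD connector found." }

# Every local AD connector (one per forest/domain in a multi-domain setup)
$adConnectors = Get-ADSyncConnector | Where-Object { $_.Type -eq 'AD' }
if (-not $adConnectors) { throw "No AD connector found." }

foreach ($c in $adConnectors) {
    Write-Host "Forcing full password sync: '$($c.Name)' -> '$aadConnector'"

    # Same ForceFullPasswordSync global parameter the post's script sets
    $p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter `
        "Microsoft.Synchronize.ForceFullPasswordSync", String, ConnectorGlobal, $null, $null, $null
    $p.Value = 1
    $c.GlobalParameters.Remove($p.Name) | Out-Null   # suppress the True/False return value
    $c.GlobalParameters.Add($p)
    $c = Add-ADSyncConnector -Connector $c

    # Toggling password hash sync off and back on triggers the full sync
    Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $c.Name -TargetConnector $aadConnector -Enable $false
    Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $c.Name -TargetConnector $aadConnector -Enable $true

    # Confirm password hash sync is enabled again for this connector
    Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $c.Name
}
```

Run Invoke-ADSyncDiagnostics -PasswordSync afterwards, as described in the next section, to confirm the new heartbeat and last successful sync time for each directory partition.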

Password Hash Synchronization status

Run Invoke-ADSyncDiagnostics -PasswordSync to check that Password Hash Synchronization is enabled and synced.

PS C:\> Invoke-ADSyncDiagnostics -PasswordSync


========================================================================
=                                                                      =
=            Password Hash Synchronization General Diagnostics         =
=                                                                      =
========================================================================


AAD Tenant - exoip365.onmicrosoft.com
Password Hash Synchronization cloud configuration is enabled




False


AD Connector - exoip.local
Password Hash Synchronization is enabled
Latest Password Hash Synchronization heartbeat is detected at: 06/19/2021 17:32:56 UTC


	Directory Partitions:
	=====================
	Directory Partition - exoip.local
False
False
False
	Last successful attempt to synchronize passwords from this directory partition started at: 6/19/2021 5:56:57 PM UTC and ended at: 6/19/2021 5:56:57 PM UTC

	Only Use Preferred Domain Controllers: False
	Checking connectivity to the domain...
	Domain "exoip.local" is reachable

Give it five or ten minutes before you sign in to the Microsoft 365 admin center. Under Azure AD Connect, check that Password sync shows a recent synchronization.

[Screenshot: Microsoft 365 admin center showing Azure AD Connect password sync with a recent synchronization]

That’s it!

Read more: Move Azure AD Connect to new tenant »

Conclusion

In this article, you learned how to force password sync with Azure AD Connect. Use the PowerShell script to force a full sync of all passwords. After that, check the password synchronization status in the Microsoft 365 admin center, or verify it in PowerShell with Invoke-ADSyncDiagnostics -PasswordSync.

Did you enjoy this article? You may also like the article Conditional Access MFA breaks Azure AD Connect synchronization. Don’t forget to follow us and share this article.

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others. Read more »

This Post Has 6 Comments

  1. What if you have a multidomain sync?
    Something like this?

    $adConnector1 = "domain1.com"
    $adConnector2 = "domain2.com"
    $aadConnector = "domain.onmicrosoft.com - AAD"

  2. Hey Ali,
    Fantastic job with this. Microsoft documentation on this subject is utterly useless. Thank you for putting this together!
