We did migrate from ADFS to Password Hash Synchronization (PHS). The password sync time interval in AD Connect is 2 minutes. You may need to force password sync with Azure AD Connect. In this article, you will learn how to force password sync with Azure AD Connect.
Get AD sync connector
First, we need to know the local AD and Azure AD connector names, because the script takes both names as parameters. Sign in to the Azure AD Connect server and open Windows PowerShell. Run the Get-ADSyncConnector cmdlet to list the sync connectors.
```powershell
PS C:\> Get-ADSyncConnector | Select Type,Name

Type        Name
----        ----
Extensible2 exoip365.onmicrosoft.com - AAD
AD          exoip.local
```
In the next step, we will add both connector names to the script.
Trigger full sync of all passwords
Copy and paste the script below into PowerShell ISE. Next, replace the two connector names with the local AD and Azure AD connector names from the previous step (they are case sensitive). After that, run the script to trigger a full sync of all passwords.
```powershell
# Assign the local AD and Azure AD connector names; remember they are case sensitive
$adConnector  = "exoip.local"
$aadConnector = "exoip365.onmicrosoft.com - AAD"

# Import the Azure AD Sync module
Import-Module ADSync

# Get the local AD connector so its global parameters can be updated
$c = Get-ADSyncConnector -Name $adConnector

# Create a ForceFullPasswordSync configuration parameter and set it to 1 (on)
$p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter "Microsoft.Synchronize.ForceFullPasswordSync", String, ConnectorGlobal, $null, $null, $null
$p.Value = 1

# Replace any existing parameter of the same name and save the connector
$c.GlobalParameters.Remove($p.Name)
$c.GlobalParameters.Add($p)
$c = Add-ADSyncConnector -Connector $c

# Disable password hash synchronization between the two connectors
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $false

# Re-enable password hash synchronization to force a full password sync
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $true
```
After you run the script, it shows the following output (the first line, True, is the return value of the Remove call).
```
True
Password Hash Sync Configuration for source "exoip.local" updated.
Password Hash Sync Configuration for source "exoip.local" updated.
```
Password Hash Synchronization status
Run Invoke-ADSyncDiagnostics -PasswordSync to check that Password Hash Synchronization is enabled and synced.
```powershell
PS C:\> Invoke-ADSyncDiagnostics -PasswordSync

========================================================================
=                                                                      =
=            Password Hash Synchronization General Diagnostics         =
=                                                                      =
========================================================================

AAD Tenant - exoip365.onmicrosoft.com
Password Hash Synchronization cloud configuration is enabled
False

AD Connector - exoip.local
Password Hash Synchronization is enabled
Latest Password Hash Synchronization heartbeat is detected at: 06/19/2021 17:32:56 UTC

Directory Partitions:
=====================

Directory Partition - exoip.local
False
False
False
Last successful attempt to synchronize passwords from this directory partition started at: 6/19/2021 5:56:57 PM UTC and ended at: 6/19/2021 5:56:57 PM UTC
Only Use Preferred Domain Controllers: False

Checking connectivity to the domain...
Domain "exoip.local" is reachable
```
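As an added example, not the article's script and not Microsoft's, here is the same force-full-sync procedure wrapped so that the connector names are read from Get-ADSyncConnector instead of being typed in, with a guard against picking the wrong connector, and with the password hash sync configuration read back afterwards so that a run leaves a record of the resulting state. It assumes the ADSync module on the Azure AD Connect server, the connector Type values AD and Extensible2 shown in the Get-ADSyncConnector output above, and that Get-ADSyncAADPasswordSyncConfiguration returns an object with an Enabled property (an assumption about the cmdlet's output).

```powershell
# Added example (not from the original article): discover the connector names,
# force a full password hash sync, then read the configuration back.
# Assumes the ADSync module and the connector Type values "AD" and "Extensible2".
Import-Module ADSync

function Get-SingleConnectorName {
    param([string]$Type)
    # Exact case is preserved here because the sync cmdlets are case sensitive
    $names = @(Get-ADSyncConnector |
               Where-Object { $_.Type -eq $Type } |
               Select-Object -ExpandProperty Name)
    if ($names.Count -ne 1) {
        throw "Expected exactly one connector of type '$Type', found $($names.Count): $($names -join ', ')"
    }
    return $names[0]
}

$adConnector  = Get-SingleConnectorName -Type 'AD'            # e.g. exoip.local
$aadConnector = Get-SingleConnectorName -Type 'Extensible2'   # e.g. exoip365.onmicrosoft.com - AAD
Write-Host "Source connector : $adConnector"
Write-Host "Target connector : $aadConnector"

# Same ForceFullPasswordSync flag as the article's script
$c = Get-ADSyncConnector -Name $adConnector
$p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter `
        "Microsoft.Synchronize.ForceFullPasswordSync", String, ConnectorGlobal, $null, $null, $null
$p.Value = 1
[void]$c.GlobalParameters.Remove($p.Name)   # [void] hides the "True" seen in the article's output
$c.GlobalParameters.Add($p)
$c = Add-ADSyncConnector -Connector $c

# Toggle password hash sync off and on; the second call triggers the full resync
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $false
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $true

# Read the configuration back so the run fails loudly if sync did not come back on
# (assumption: the returned object exposes an Enabled property)
$cfg = Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector
if (-not $cfg.Enabled) {
    throw "Password hash sync is disabled for '$adConnector' after the toggle"
}
$cfg | Format-List

# Run the same diagnostics the article uses to confirm the heartbeat
Invoke-ADSyncDiagnostics -PasswordSync
```

Run it in an elevated PowerShell session on the Azure AD Connect server. Because the connector names are discovered rather than pasted, the script refuses to run if it finds zero or more than one connector of a type, which is the case where a hardcoded name would silently point the toggle at the wrong directory.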
Give it five or ten minutes before you sign in to the Microsoft 365 admin center. Under Azure AD Connect, check that Password sync shows a recent synchronization.
Read more: Move Azure AD Connect to new tenant »
In this article, you learned how to force password sync with Azure AD Connect. Use the PowerShell script to force a full sync of all passwords. After that, check the password synchronization status in the Microsoft 365 admin center. Another way to verify is through PowerShell with Invoke-ADSyncDiagnostics -PasswordSync.
Did you enjoy this article? You may also like the article Conditional Access MFA breaks Azure AD Connect synchronization. Don’t forget to follow us and share this article.