Force password sync with Azure AD Connect
We migrated from ADFS to Password Hash Synchronization (PHS). Azure AD Connect synchronizes password hashes every 2 minutes, but only for passwords that have changed since the last sync. After a move to PHS, or when you suspect that some hashes in Azure AD are stale, you may need to force a full sync of all passwords. In this article, you will learn how to force password sync with Azure AD Connect.
Introduction
Make sure that Azure AD Connect is installed and that Password Hash Synchronization is the configured sign-in method before you proceed. Forcing a password sync is not the same as forcing a directory synchronization cycle; for the latter, read Force sync Azure AD Connect with PowerShell.
Get AD sync connector
First, we need the names of the local AD connector and the Azure AD connector, because the script references both. Sign in to the Azure AD Connect server and start Windows PowerShell. Run the Get-ADSyncConnector cmdlet to list the connectors.
PS C:\> Get-ADSyncConnector | Select Type,Name
Type Name
---- ----
Extensible2 exoip365.onmicrosoft.com - AAD
AD exoip.local
In the next step, we will add both connector names to the script.
Trigger full sync of all passwords
Copy and paste the script below into PowerShell ISE on the Azure AD Connect server. Run it in an elevated session with an account that is a member of the local ADSyncAdmins group (or a local administrator), otherwise the ADSync cmdlets fail. Replace the local AD and Azure AD connector names with the values from the previous step; the names are case sensitive. Then run the script to trigger a full sync of all passwords.
# Connector names as shown by Get-ADSyncConnector. Names are case sensitive.
$adConnector = "exoip.local"
$aadConnector = "exoip365.onmicrosoft.com - AAD"
# Import the Azure AD Connect (ADSync) module
Import-Module ADSync
# Get the local AD connector object
$c = Get-ADSyncConnector -Name $adConnector
# Create a ForceFullPasswordSync configuration parameter and set it on the connector
$p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter "Microsoft.Synchronize.ForceFullPasswordSync", String, ConnectorGlobal, $null, $null, $null
$p.Value = 1
$c.GlobalParameters.Remove($p.Name)
$c.GlobalParameters.Add($p)
# Save the updated connector configuration
$c = Add-ADSyncConnector -Connector $c
# Disable password hash sync from the AD connector to the Azure AD connector
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $false
# Re-enable it; with ForceFullPasswordSync set, this triggers a full password synchronization
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $true
After you run the script, it shows the output below. The True line is the return value of the Remove call on the connector's GlobalParameters; the two updated lines confirm that password hash sync was disabled and then re-enabled for the source connector.
True
Password Hash Sync Configuration for source "exoip.local" updated.
Password Hash Sync Configuration for source "exoip.local" updated.
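The script above hard-codes one pair of connector names. The following is an added example, not the article's script and not Microsoft's: it discovers the connectors with Get-ADSyncConnector, so the case-sensitive names are never typed by hand, and repeats the same per-connector steps for every AD connector, which is what you need when Azure AD Connect synchronizes more than one forest or domain connector. It assumes exactly one Azure AD connector (Type Extensible2) and that each AD connector is handled independently in the same way as the single-connector script.

```powershell
# Added example (not the article's script): force a full password hash sync for every
# AD connector. Assumes one Azure AD connector of type Extensible2 and that the
# per-connector steps of the single-connector script apply unchanged to each AD connector.
#Requires -RunAsAdministrator
Import-Module ADSync -ErrorAction Stop

# Select connectors by type instead of by name (names are case sensitive and easy to mistype).
$aadConnector = @(Get-ADSyncConnector | Where-Object { $_.Type.ToString() -eq 'Extensible2' })
$adConnectors = @(Get-ADSyncConnector | Where-Object { $_.Type.ToString() -eq 'AD' })

if ($aadConnector.Count -ne 1) {
    throw "Expected exactly one Azure AD connector, found $($aadConnector.Count)."
}
if ($adConnectors.Count -eq 0) {
    throw 'No AD connectors found. Run this on the Azure AD Connect server.'
}
$aadName = $aadConnector[0].Name

foreach ($ad in $adConnectors) {
    Write-Host "Forcing full password hash sync: '$($ad.Name)' -> '$aadName'"

    # Set the ForceFullPasswordSync global parameter on this AD connector.
    $p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter `
        "Microsoft.Synchronize.ForceFullPasswordSync", String, ConnectorGlobal, $null, $null, $null
    $p.Value = 1
    [void]$ad.GlobalParameters.Remove($p.Name)   # discard the True/False return value
    $ad.GlobalParameters.Add($p)
    $ad = Add-ADSyncConnector -Connector $ad

    # Toggle password hash sync off and on for this source connector to trigger the full sync.
    Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $ad.Name -TargetConnector $aadName -Enable $false
    Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $ad.Name -TargetConnector $aadName -Enable $true
}
```

The [void] cast on Remove suppresses the stray True line seen in the article's output, so the only lines printed are the Write-Host line and the two updated confirmations per connector.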
Password Hash Synchronization status
Run Invoke-ADSyncDiagnostics -PasswordSync to check that Password Hash Synchronization is enabled and synced.
PS C:\> Invoke-ADSyncDiagnostics -PasswordSync
========================================================================
=                                                                      =
=           Password Hash Synchronization General Diagnostics          =
=                                                                      =
========================================================================
AAD Tenant - exoip365.onmicrosoft.com
Password Hash Synchronization cloud configuration is enabled
False
AD Connector - exoip.local
Password Hash Synchronization is enabled
Latest Password Hash Synchronization heartbeat is detected at: 06/19/2021 17:32:56 UTC
Directory Partitions:
=====================
Directory Partition - exoip.local
False
False
False
Last successful attempt to synchronize passwords from this directory partition started at: 6/19/2021 5:56:57 PM UTC and ended at: 6/19/2021 5:56:57 PM UTC
Only Use Preferred Domain Controllers: False
Checking connectivity to the domain...
Domain "exoip.local" is reachable
Give it five to ten minutes, then sign in to the Microsoft 365 admin center. On the Home page, the Azure AD Connect card should show the password sync status as a recent synchronization.
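Invoke-ADSyncDiagnostics prints a report for a human to read. As an added example (not from the article), the two functions below turn the same check into something you can run after the script or from a monitoring job: one confirms that password hash sync is enabled for each AD connector, the other lists the most recent PHS events from the Application log. Assumptions: Get-ADSyncAADPasswordSyncConfiguration returns an object with an Enabled property, and the event IDs used (650 start, 651 end, 652 error, 656 password change request, 657 password change result) under the 'Directory Synchronization' provider follow Microsoft's PHS troubleshooting guidance; verify them against your own server before relying on them in alerting.

```powershell
# Added example (not from the article): verify PHS state per AD connector and show recent
# PHS events. Assumes Get-ADSyncAADPasswordSyncConfiguration exposes an Enabled property
# and that PHS logs events 650/651/652/656/657 under provider 'Directory Synchronization'.
Import-Module ADSync -ErrorAction Stop

function Test-PhsConfiguration {
    # One row per AD connector: is password hash sync enabled toward Azure AD?
    foreach ($ad in (Get-ADSyncConnector | Where-Object { $_.Type.ToString() -eq 'AD' })) {
        $cfg = Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $ad.Name
        [pscustomobject]@{
            Connector               = $ad.Name
            TargetConnector         = $cfg.TargetConnector
            PasswordHashSyncEnabled = [bool]$cfg.Enabled
        }
    }
}

function Get-PhsRecentEvents {
    # Recent PHS events; after a forced full sync you expect a 650 (start) and 651 (end)
    # pair, and 652 entries are what to investigate.
    param([int]$Minutes = 30)
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Directory Synchronization'
        Id           = 650, 651, 652, 656, 657
        StartTime    = (Get-Date).AddMinutes(-$Minutes)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

# Usage: run on the Azure AD Connect server a few minutes after forcing the sync.
Test-PhsConfiguration | Format-Table -AutoSize
Get-PhsRecentEvents -Minutes 30 | Format-Table -AutoSize -Wrap
```

A connector that reports PasswordHashSyncEnabled as False after the script has run means the re-enable step did not apply and the script should be rerun for that connector; a 650 without a matching 651 within the window means the full sync is still running or stalled, and the 652 entries tell you why.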
That’s it!
Read more: Move Azure AD Connect to new tenant »
Conclusion
In this article, you learned how to force password sync with Azure AD Connect. Use the PowerShell script to force a full sync of all password hashes. Then check the password sync status in the Microsoft 365 admin center, or verify it from PowerShell with Invoke-ADSyncDiagnostics -PasswordSync.
Did you enjoy this article? You may also like the article Conditional Access MFA breaks Azure AD Connect synchronization. Don’t forget to follow us and share this article.
Hey Ali,
Do you have an article on how to migrate from ADFS to Password Hash Synchronization (PHS) ?
What if you have a multidomain sync?
Something like this?
$adConnector1 = "domain1.com"
$adConnector2 = "domain2.com"
$aadConnector = "domain.onmicrosoft.com - AAD"
In the case of multiple domains, is this to be done as Bill mentions?
Thank you very much my friend!!!
Hey Ali,
Fantastic job with this. Microsoft documentation on this subject is utterly useless. Thank you for putting this together!
Thanks for bringing all this information together into a ready to run script.