PowerShell Basics: How to Force a Full Password Sync in AzureAD Connect

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Tech Community.

Before starting this post, the team would like to thank the PowerShell community on Reddit for all the contributions and support shared while exploring PowerShell automation capabilities. The outpouring of suggestions and scripts was awesome and has resulted in another question for us, as a community, to address.

 

After reading the previous PowerShell Basics article, some members of the ITPRO community reached out asking how to force a sync of only passwords, rather than the entire contents of Active Directory. The request appears to stem from troubleshooting Office 365 password sync issues. This post focuses on the steps to do this via PowerShell.
 
Let's begin.

 

  1. Run PowerShell
     
    [Figure: Run PowerShell (Force AzureAD Password Sync)]
     
  2. Assign the local Active Directory $adConnector value and remember it is case sensitive: 
     
    $adConnector = "<insert local connector name here>"
  3. Assign the AzureAD $aadConnector value and remember it is case sensitive: 
     
    $aadConnector = "<insert AzureAD connector name here>"
     
  4. Import the ADSync module (it is installed with Azure AD Connect):
     
    Import-Module ADSync

     

  5. Retrieve the local Active Directory connector object:
     
    $c = Get-ADSyncConnector -Name $adConnector
     
  6. Create a new ForceFullPasswordSync configuration parameter and update the existing connector with it. Remember to enter each line separately: 
     
    $p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter "Microsoft.Synchronize.ForceFullPasswordSync", String, ConnectorGlobal, $null, $null, $null
    $p.Value = 1
    $c.GlobalParameters.Remove($p.Name)
    $c.GlobalParameters.Add($p)
    $c = Add-ADSyncConnector -Connector $c
     
  7. Disable password synchronization in Azure AD Connect (note that the target connector variable is the $aadConnector assigned in step 3):
    Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $false
     
  8. Re-enable it to force a full password synchronization:
    Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $true

Synchronization of legacy password hashes to Azure AD may take some time and depends on directory size, in terms of the number of accounts and groups. Once completed, the passwords are synchronized to Azure AD and then synced on to the Azure AD DS managed domain.
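The eight steps above combined into a single function, as an added example that is not part of the original post. It assumes the ADSync module that ships with Azure AD Connect is loaded in an elevated session on the Azure AD Connect server, that Get-ADSyncAADPasswordSyncConfiguration is available for the final read-back, and the connector names in the sample call are constructed placeholders.

```powershell
# Added example: performs the manual steps from the post in one call, but first
# resolves both connector names exactly (they are case sensitive) so that a typo
# fails before any configuration is changed.
function Invoke-ForceFullPasswordSync {
    param(
        [Parameter(Mandatory)] [string] $AdConnectorName,
        [Parameter(Mandatory)] [string] $AadConnectorName
    )
    Import-Module ADSync -ErrorAction Stop

    # Case-sensitive lookup (-ceq); list the known names when a lookup fails.
    $all = Get-ADSyncConnector
    foreach ($name in @($AdConnectorName, $AadConnectorName)) {
        if (-not ($all | Where-Object { $_.Name -ceq $name })) {
            $known = ($all | ForEach-Object { $_.Name }) -join ', '
            throw "Connector '$name' not found (names are case sensitive). Known connectors: $known"
        }
    }

    # Steps 5-6: add the ForceFullPasswordSync global parameter to the AD connector.
    $c = Get-ADSyncConnector -Name $AdConnectorName
    $p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter `
        "Microsoft.Synchronize.ForceFullPasswordSync", String, ConnectorGlobal, $null, $null, $null
    $p.Value = 1
    $c.GlobalParameters.Remove($p.Name) | Out-Null   # remove any stale copy first
    $c.GlobalParameters.Add($p)
    $c = Add-ADSyncConnector -Connector $c

    # Steps 7-8: toggling password sync off and back on triggers the full sync.
    Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $AdConnectorName `
        -TargetConnector $AadConnectorName -Enable $false
    Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $AdConnectorName `
        -TargetConnector $AadConnectorName -Enable $true

    # Read the configuration back so the operator can confirm sync is enabled again
    # (assumed cmdlet of the ADSync module).
    Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $AdConnectorName
}

# Constructed placeholder names; take the real ones from Get-ADSyncConnector.
Invoke-ForceFullPasswordSync -AdConnectorName 'contoso.local' `
    -AadConnectorName 'contoso.onmicrosoft.com - AAD'
```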

 

Microsoft also provides a helpful document entitled "Troubleshoot password hash synchronization with Azure AD Connect sync", which details additional tactics for addressing possible sync issues.
