We ran into a problem where end users reported that they couldn't log into https://portal.office.com with their credentials. In addition, their smartphones were unable to send or receive email through their Office 365 Exchange accounts. Initial troubleshooting showed that (on-premises Active Directory) passwords were not being synchronized to Office 365.

As a band-aid solution, one could reset the passwords (or generate new ones) for the affected accounts, but we obviously wanted to fix the underlying issue.

First, verify that password synchronization is enabled at all. Find the server where Microsoft Azure Active Directory Connect is installed and run it.

Select Customize synchronization options, then click Next.

You'll be prompted for credentials in the next window. Enter your Office 365 Global Admin username and password, then click Next.

You can skip the Connect Directories stage (it should already be configured and no changes are necessary) by clicking Next.

In our particular case, Password hash synchronization was enabled.

Next, start the Windows Azure Active Directory module for Windows PowerShell as an Administrator. If you don't have it installed yet, you can find deployment and configuration information here and here.

We'll run the script shown below, which forces a full password synchronization.

You'll need to replace the $adConnector and $aadConnector values with the ones appropriate for your environment. If you are unsure what those are, consult the Active Directory Sync Services tool. It is installed by default at C:\Program Files\Microsoft Azure AD Sync\UIShell\miisclient.exe. Run the application.

Click the Connectors tab on the ribbon at the top.

The first line shows the name of the Azure Active Directory connector; use that name as the $aadConnector value in the script below.

The line below it shows the name of your Active Directory Domain Services connector; use that name as the $adConnector value in the script below.

Import-Module ADSync
# Connector names are case sensitive; replace both with the names shown in the Connectors tab
$adConnector  = "domain.com"
$aadConnector = "domain.onmicrosoft.com - AAD"
$c = Get-ADSyncConnector -Name $adConnector
# Set the ForceFullPasswordSync global parameter on the AD DS connector
$p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter "Microsoft.Synchronize.ForceFullPasswordSync", String, ConnectorGlobal, $null, $null, $null
$p.Value = 1
$c.GlobalParameters.Remove($p.Name)
$c.GlobalParameters.Add($p)
$c = Add-ADSyncConnector -Connector $c
# Toggle password sync off and back on so the full sync is picked up
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $false
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $true

Run the Windows Azure Active Directory module for Windows PowerShell as an administrator and connect to Microsoft Online by typing the following:

Connect-MsolService

An authentication prompt will appear. Use your Microsoft Office 365 admin credentials to authenticate.

Then copy and edit the script above, paste it into the Windows Azure Active Directory module for Windows PowerShell, and run it by pressing Enter.

Next, restart the Microsoft Azure AD Sync service.

After restarting the service, we noticed a number of events with Event ID 657 and source Directory Synchronization in the Event Viewer.

If you look at these events, you'll see that Active Directory is successfully synchronizing passwords with Microsoft Office 365, and your users should be able to log in again.
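As an added example (not part of the original post), the same checks can be done from PowerShell on the Azure AD Connect server instead of clicking through miisclient.exe and Event Viewer: list the connector names, confirm password hash sync is enabled, and summarize the Event ID 657 results after the forced sync. The connector names are placeholders, and the parsing of the 657 message body assumes it contains "Dn :" and "Result :" lines.

```powershell
# Added example: verify password hash sync and the Event ID 657 results from PowerShell.
# Assumes the ADSync module is present locally (it is on the Azure AD Connect server).
Import-Module ADSync

# 1. List connector names without opening miisclient.exe.
#    The AD DS connector has type "AD"; the Azure AD connector has type "Extensible2".
Get-ADSyncConnector | Select-Object Name, ConnectorTypeName | Format-Table -AutoSize

$adConnector  = "domain.com"                   # placeholder: your AD DS connector (case sensitive)
$aadConnector = "domain.onmicrosoft.com - AAD" # placeholder: your Azure AD connector (case sensitive)

# 2. Confirm password hash synchronization is enabled for this connector pair.
$cfg = Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector
if (-not $cfg.Enabled) {
    Write-Warning "Password hash sync is disabled for '$adConnector' -> '$aadConnector'; enable it before forcing a full sync."
}

# 3. After the forced full sync and the service restart, read the Event ID 657
#    (password change result) entries from the last hour and count results per account.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Directory Synchronization'
    Id           = 657
    StartTime    = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue

# Assumed message layout: the body carries a "Dn : <object DN>" line and a
# "Result : <status>" line; anything other than Success is treated as a failure.
$summary = foreach ($e in $events) {
    $m = $e.Message
    [pscustomobject]@{
        Time   = $e.TimeCreated
        Dn     = if ($m -match 'Dn\s*:\s*(.+)')     { $Matches[1].Trim() } else { '(unknown)' }
        Result = if ($m -match 'Result\s*:\s*(\S+)') { $Matches[1] }        else { '(unknown)' }
    }
}

# Overall counts, then the accounts whose password did not sync.
$summary | Group-Object Result | Select-Object Name, Count | Format-Table -AutoSize
$summary | Where-Object { $_.Result -ne 'Success' } | Sort-Object Time | Format-Table -AutoSize
```

If no 657 events appear at all within the hour, the forced sync did not run; re-check that the service restarted and that the connector names in the script match the Connectors tab exactly.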
