How to troubleshoot password synchronization when using an Azure AD sync appliance

This article helps you troubleshoot common issues that you may encounter when you synchronize passwords from the on-premises environment to Microsoft Entra ID by using Microsoft Entra Connect.

Original product version:   Cloud Services (Web roles/Worker roles), Microsoft Entra ID, Microsoft Intune, Azure Backup, Office 365 Identity Management
Original KB number:   2855271

Before you start troubleshooting

Before you perform the troubleshooting steps, make sure that you have the latest version of Microsoft Entra Connect installed.

Additionally, make sure that directory synchronization is in a healthy state. For more information, see Troubleshoot object synchronization with Microsoft Entra Connect Sync.

Some users can't sign in to Office 365, Azure, or Microsoft Intune

In this scenario, passwords of most users appear to be syncing. However, there are some users whose passwords appear not to sync. The following are scenarios in which a user can't sign in to a Microsoft cloud service, such as Office 365, Azure, or Intune.

Scenario 1: The "User must change password at next logon" check box is selected for the user's account

To resolve this issue, follow these steps:

  1. Take one of the following actions:
    • In the user account properties in Active Directory Users and Computers, clear the User must change password at next logon check box.
    • Have the user change their on-premises user account password.
    • Enable the ForcePasswordChangeOnLogOn feature on the Microsoft Entra Connect server.
  2. Wait a few minutes for the change to sync between the on-premises Active Directory Domain Services (AD DS) and Microsoft Entra ID.

Scenario 2: The user changed their password in the cloud service portal

To resolve this issue, follow these steps:

  1. Have the user change their on-premises user account password.
  2. Wait a few minutes for the change to sync between the on-premises AD DS and Microsoft Entra ID.

Scenario 3: Some users don't appear to be syncing to Microsoft Entra ID

Possible causes are duplicate user names or email addresses.

To resolve this issue, use the IdFix DirSync Error Remediation Tool (IdFix) to help identify potential object-related issues in the on-premises AD DS. You can install IdFix at the following Microsoft website: IdFix DirSync Error Remediation Tool

For more information about how to troubleshoot this issue, see One or more objects don't sync when using the Azure Active Directory Sync tool.

Scenario 4: Users are moved between filtered and unfiltered scopes

In this scenario, the user is moved into a scope that now allows the user to be synced. This can happen when filtering is configured for domains, organizational units, or attributes.

To resolve this issue, see the How to perform a full password sync section.

Scenario 5: Users can't sign in by using a new password but they can sign in by using their old password

In this scenario, you're using the Azure AD Sync Service together with password synchronization. After you disable and then re-enable directory synchronization, users can't sign in by using a new password. However, their old password still works.

To resolve this issue, re-enable password synchronization. To do this, start the Azure AD sync appliance Configuration Wizard, and then continue through the screens until you see the option to enable password synchronization.

Scenario 6: Users can't sign in by using their password

In this scenario, the password hash doesn't successfully sync to the Azure AD Sync Service. If the user account was created in Active Directory running on a version of Windows Server earlier than Windows Server 2003, the account doesn't have a password hash.

Directory synchronization is running but passwords of all users aren't synced

In this scenario, passwords of all users appear not to sync. It usually occurs if one of the following conditions is true:

  • The Synchronize now check box wasn't selected.
  • You enabled password synchronization after directory sync already occurred.
  • A full directory sync hasn't yet completed.

Important

Password sync will not start until a full directory sync has completed.

To resolve this issue, first make sure that password synchronization is enabled. To do this, start the Azure AD sync appliance Configuration Wizard, and then continue through the screens until you see the option to enable password synchronization.

After password synchronization is enabled, you must do a full password sync. See the How to perform a full password sync section.

For more information, see Troubleshoot password hash synchronization with Microsoft Entra Connect Sync.

Troubleshoot one user whose password isn't synced

To troubleshoot this issue, see Troubleshoot password hash synchronization with Microsoft Entra Connect Sync.

You're changing from a single sign-on (SSO) solution to password synchronization

To resolve this issue, see How to switch from Single Sign-On to Password Sync.

Event ID messages in Event Viewer

The following tables list event ID messages in the Application log that are related to password synchronization.

Informational (no action required)

Event ID 622
  Description: Full password hash synchronization completed for domain: contoso.local
  Cause: Full password synchronization cycle finishes retrieving the recent passwords from the on-premises AD DS domain.

Event ID 623
  Description: Full password hash synchronization completed for forest: contoso.local
  Cause: Full password synchronization cycle finishes retrieving the recent passwords from the on-premises AD DS forest.

Event ID 650
  Description: Provision credentials batch start. Count: 1
  Cause: Password synchronization starts retrieving updated passwords from the on-premises AD DS.

Event ID 651
  Description: Provision credentials batch end. Count: 1
  Cause: Password synchronization finishes retrieving updated passwords from the on-premises AD DS.

Event ID 653
  Description: Provision credentials ping start.
  Cause: Password synchronization starts informing Microsoft Entra ID that there are no passwords to be synced. It occurs every 30 minutes if no passwords have been updated in the on-premises AD DS.

Event ID 654
  Description: Provision credentials ping end.
  Cause: Password synchronization finishes informing Microsoft Entra ID that there are no passwords to be synced. It occurs every 30 minutes if no passwords were updated in the on-premises AD DS.

Event ID 656
  Description: Password Change Request - Anchor : H552hI9GwEykZwosf74JeOQ==, Dn : CN=Viola Hanson,OU=Cloud Objects,DC=contoso,DC=local, Change Date : 05/01/2013 16:34:08
  Cause: Password synchronization indicates that a password change was detected and tries to sync it to Microsoft Entra ID. It identifies the user or users whose password changed and will be synced. Each batch contains at least one user and at most 50 users.

Event ID 657 (Result : Success)
  Description: Password Change Result - Anchor : eX5b50Rf+UizRIMe2CA/tg==, Dn : CN=Viola Hanson,OU=Cloud Objects,DC=contoso,DC=local, Result : Success.
  Cause: Users whose password successfully synced.

Event ID 657 (Result : Failed)
  Description: Password Change Result - Anchor : eX5b50Rf+UizRIMe2CA/tg==, Dn : CN=Viola Hanson,OU=Cloud Objects,DC=contoso,DC=local, Result : Failed.
  Cause: Users whose password didn't sync.

Informational (may require action)

Event ID 0
  Description: The following password changes failed to synchronized and have scheduled for retry.
    DN = CN=Eli McLean,OU=Cloud Objects,DC=contoso,DC=local
  Cause: User or users whose password wasn't synced.
  More information: See Configure directory synchronization and One or more objects don't sync when using the Azure Active Directory Sync tool.

Event ID 115
  Description: Access to Windows Azure Active Directory has been denied. Contact Technical Support.
  Cause: Microsoft Entra credentials were updated through Forefront Identity Manager (FIM).
  More information: Run the Microsoft Entra Configuration Wizard again. See Password hash synchronization stops working after you update Microsoft Entra credentials in FIM.

Event ID 657
  Description: Password Change Result - Anchor : B0H+OD3LM0GEnYODwdPhpg==, Result : failed, Extended Error :
  Cause: User or users whose password wasn't synced.
  More information: See Configure directory synchronization and One or more objects don't sync when using the Azure Active Directory Sync tool.

Error (action required)

Event ID 0
  Description: The user name or password is incorrect. Verify your user name, and then type your password again.
  Cause: Microsoft Entra credentials were updated through Forefront Identity Manager (FIM).
  More information: Run the Microsoft Entra Configuration Wizard again. See Password hash synchronization stops working after you update Microsoft Entra credentials in FIM.

Event ID 611 (RPC Error 8439)
  Description: Password synchronization failed for domain: Contoso.com.
    Microsoft.Online.PasswordSynchronization.SynchronizationManagerException: Recovery task failed. ---> Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: RPC Error 8439 : The distinguished name specified for this replication operation is invalid. There was an error calling _IDL_DRSGetNCChanges.
  Cause: Windows Server 2003 domain controllers handle certain scenarios unexpectedly.
  More information: See Password hash synchronization for Microsoft Entra ID stops working and Event ID 611 is logged.

Event ID 611 (RPC Error 8593)
  Description: Password synchronization failed for domain: Contoso.com.
    Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: RPC Error 8593 : The directory service cannot perform the requested operation because the servers involved are of different replication epochs (which is usually related to a domain rename that is in progress).
  Cause: This was a known issue that was fixed in Azure Active Directory Sync tool build 1.0.6455.0807.
  More information: To resolve this issue, update to the latest version of the Azure Active Directory Sync tool.

Event ID 611 (ArgumentOutOfRangeException)
  Description: Password synchronization failed for domain: Contoso.com
    System.ArgumentOutOfRangeException: Not a valid Win32
  Cause: This was a known issue that was fixed in Azure Active Directory Sync tool build 1.0.6455.0807.
  More information: To resolve this issue, update to the latest version of the Azure Active Directory Sync tool.

Event ID 611 (ArgumentException)
  Description: Password synchronization failed for domain: Contoso.com.
    System.ArgumentException: An item with the same key has already been added.
  Cause: This was a known issue that was fixed in Azure Active Directory Sync tool build 1.0.6455.0807.
  More information: To resolve this issue, update to the latest version of the Azure Active Directory Sync tool.

Event ID 652 (Error Code: 90)
  Description: Failed credential provisioning batch. Error: Microsoft.Online.Coexistence.ProvisionException: An error occurred. Error Code: 90. Error Description: Password Synchronization has not been activated for this company. Tracking ID: 07e93e8a-cf2d-4f67-9e95-53169c4875e0 Server Name: BL2GR1BBA003. ---> System.ServiceModel.FaultException1[Microsoft.Online.Coexistence.Schema.AdminWebServiceFault]: Password Synchronization has not been activated for this company. (Fault Detail is equal to Microsoft.Online.Coexistence.Schema.AdminWebServiceFault).
  Cause: Password synchronization failed when retrieving updated passwords from the on-premises AD DS.
  More information: See Configure directory synchronization and One or more objects don't sync when using the Azure Active Directory Sync tool.

Event ID 652 (Error Code: 81)
  Description: Failed credential provisioning batch. Error: Microsoft.Online.Coexistence. ProvisionRetryException : An error occurred. Error Code: 81. Error Description: Windows Azure Active Directory is currently busy. This operation will be retried automatically.
  Cause: This was a known issue that was fixed in Azure Active Directory Sync tool build 1.0.6455.0807.
  More information: To resolve this issue, update to the latest version of the Azure Active Directory Sync tool.

Event ID 655 (Error Code: 90)
  Description: Failed credential provisioning ping. Error: Microsoft.Online.Coexistence.ProvisionException: An error occurred. Error Code: 90. Error Description: Password Synchronization has not been activated for this company. Tracking ID: 0744fa31-1d9b-453a-83d8-c2555d843802 Server Name: BL2GR1BBA005. ---> System.ServiceModel.FaultException1[Microsoft.Online.Coexistence.Schema.AdminWebServiceFault]: Password Synchronization has not been activated for this company. (Fault Detail is equal to Microsoft.Online.Coexistence.Schema.AdminWebServiceFault).
  Cause: Password synchronization failed to inform Microsoft Entra ID that there are no passwords to be synced. It occurs every 30 minutes.
  More information: See Configure directory synchronization and One or more objects don't sync when using the Azure Active Directory Sync tool.

Event ID 655 (incorrect user name or password)
  Description: The user name or password is incorrect. Verify your user name, and then type your password again.
  Cause: Microsoft Entra credentials were updated through FIM.
  More information: Run the Microsoft Entra Configuration Wizard again. See the following Microsoft Knowledge Base article: Password hash synchronization stops working after updating Microsoft Entra credentials in FIM.

Event ID 6900 (incorrect user name or password)
  Description: The server encountered an unexpected error while processing a password change notification:
    "The user name or password is incorrect. Verify your user name, and then type your password again.
  Cause: Microsoft Entra credentials were updated through FIM.
  More information: Run the Microsoft Entra Configuration Wizard again. See the following Microsoft Knowledge Base article: Password hash synchronization stops working after updating Microsoft Entra credentials in FIM.

Event ID 6900 (Error Code: 90)
  Description: The server encountered an unexpected error while processing a password change notification:
    "An error occurred. Error Code: 90. Error Description: Password Synchronization has not been activated for this company
  Cause: Password sync isn't enabled for the organization.
  More information: See the following Microsoft Knowledge Base article: User passwords aren't synced, and "Password Synchronization has not been activated for this company" error is logged in Event Viewer.
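The following script is added here as an example and is not part of the original article. It reads the event IDs from the tables above out of the Application log on the Microsoft Entra Connect server, counts them by the tables' categories, and lists the newest event 657 result per user so that users whose password change failed stand out. It assumes the events are logged under the provider name 'Directory Synchronization'; pass -ProviderName if your server uses a different source.

```powershell
# Added example (not from the article): summarise password hash sync events
# from the Application log and show users whose latest 657 result was Failed.
# Assumption: the provider name is 'Directory Synchronization'.
param(
    [int]$Hours = 24,
    [string]$ProviderName = 'Directory Synchronization'
)

# Event IDs from the tables above, grouped by the tables' categories.
$noAction      = 622, 623, 650, 651, 653, 654, 656
$mayNeedAction = 115
$actionNeeded  = 611, 652, 655, 6900
$allIds        = $noAction + $mayNeedAction + $actionNeeded + 0 + 657

$events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = $ProviderName
    Id           = $allIds
    StartTime    = (Get-Date).AddHours(-$Hours)
}
if (-not $events) {
    Write-Warning "No password sync events in the last $Hours hours; confirm that password sync is enabled and a full directory sync has completed."
    return
}

# Per-ID counts with the category the tables assign to each ID.
# IDs 0 and 657 appear in more than one table, so their meaning depends on the message text.
$events | Group-Object Id | Sort-Object { [int]$_.Name } | ForEach-Object {
    $id = [int]$_.Name
    $category = switch ($id) {
        { $actionNeeded -contains $_ }  { 'Error (action required)' }
        { $mayNeedAction -contains $_ } { 'Informational (may require action)' }
        { @(0, 657) -contains $_ }      { 'Depends on message text (see tables)' }
        default                         { 'Informational (no action required)' }
    }
    [pscustomobject]@{ EventId = $id; Count = $_.Count; Category = $category }
} | Format-Table -AutoSize

# Event 657 text contains "Dn : <user DN>, Result : Success|Failed".
# Keep the newest result per DN and list Failed before Success.
$events | Where-Object Id -eq 657 | ForEach-Object {
    if ($_.Message -match 'Dn : (?<dn>.+?), Result : (?<result>\w+)') {
        [pscustomobject]@{ Time = $_.TimeCreated; Dn = $Matches.dn; Result = $Matches.result }
    }
} | Sort-Object Time -Descending | Group-Object Dn | ForEach-Object {
    $_.Group[0]   # newest result for this user
} | Sort-Object Result | Format-Table -AutoSize
```

A user that appears with Result Failed, or whose password change never produced a 656/657 pair at all, is the one to work through with the scenarios earlier in this article.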

More information

How to perform a full password sync

To do a full password sync, follow these steps, as appropriate for the Azure AD Sync appliance that you're using.

  1. If you're using the Azure Active Directory Sync tool:

    1. On the server where the tool is installed, open PowerShell, and then run the following command:

      Import-Module DirSync
      
    2. Run the following commands:

      Set-FullPasswordSync
      
      Restart-Service FIMSynchronizationService -Force
      
  2. If you're using the Azure AD Sync Service or Microsoft Entra Connect, run the script that's on this page: Azure AD Sync: How to Use PowerShell to Trigger a Full Password Sync
