How to troubleshoot password synchronization when using an Azure AD sync appliance

INTRODUCTION
This article contains information to help you troubleshoot common issues that you may encounter when you synchronize passwords (strictly, password hashes) from the on-premises environment to Azure Active Directory (Azure AD) by using an Azure AD sync appliance. It covers the following topics:
  • Before you start troubleshooting
  • Troubleshoot password synchronization
  • Event ID messages in Event Viewer
  • How to perform a full password sync

Before you start troubleshooting

Before you perform the troubleshooting steps in this article, make sure that you have the latest version of Azure AD Connect installed. 

Note All other Azure AD Sync appliances are being deprecated. Therefore, if you're using another appliance, install Azure AD Connect.

Additionally, make sure that directory synchronization is in a healthy state. To help you with this, run the Troubleshooting Directory Synchronization tool. To run the troubleshooter tool, on the server on which the Azure AD sync appliance is installed, open Internet Explorer, browse to http://aka.ms/hrcsync, and then follow the steps on the screen.

Troubleshoot password synchronization

Some users can't sign in to Office 365, Azure, or Microsoft Intune

In this scenario, passwords of most users appear to be syncing. However, there are some users whose passwords appear not to sync. The following are scenarios in which a user cannot sign in to a Microsoft cloud service such as Office 365, Azure, or Intune. They include information about how to troubleshoot each scenario.
Scenario 1: The "User must change password at next logon" check box is selected for the user's account
When this flag is set, the on-premises password is a temporary one, and password synchronization doesn't make it usable in Azure AD. The user's cloud sign-in keeps failing until the flag is cleared or the user sets a permanent password. To resolve this issue, follow these steps:
  1. Do one of the following:
    • In the user account properties in Active Directory Users and Computers, clear the User must change password at next logon check box.
    • Have the user change their on-premises user account password.
  2. Wait a few minutes for the change to sync between the on-premises Active Directory Domain Services (AD DS) and Azure AD.
Scenario 2: The user changed their password in the cloud service portal
Password synchronization is one-way, from on-premises AD DS to Azure AD. A password that's changed in the cloud service portal isn't written back to the on-premises account, so the on-premises password remains the one that sync pushes to Azure AD. To resolve this issue, follow these steps:
  1. Have the user change their on-premises user account password.
  2. Wait a few minutes for the change to sync between the on-premises AD DS and Azure AD.
Scenario 3: Some users do not appear to be syncing to Azure AD
Possible causes of this issue are duplicate user names or email addresses. An object whose user principal name, mail address, or proxy address collides with another object isn't synced, and its password can't be synced either.

To resolve this issue, use the IdFix DirSync Error Remediation Tool (IdFix), which is available for download from Microsoft, to help identify potential object-related issues in the on-premises AD DS. For more info about how to troubleshoot this issue, see the following Microsoft Knowledge Base article:
2643629 One or more objects don't sync when using the Azure Active Directory Sync tool
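The two conditions that scenarios 1 and 3 describe can be checked directly in AD DS before sync is involved at all. The following PowerShell is an added example (not part of this article and not the IdFix tool): it lists enabled accounts that have the "User must change password at next logon" flag set (pwdLastSet = 0), and finds user principal names, mail addresses, and SMTP proxy addresses that are shared by more than one account. It assumes the RSAT ActiveDirectory module is installed and uses the search base OU=Cloud Objects,DC=contoso,DC=local, taken from the event messages later in this article; substitute the OU or domain that is in your sync scope.

```powershell
# Added example, not from KB 2855271: pre-flight check of the sync scope in AD DS.
# Requires the RSAT ActiveDirectory module on a domain-joined machine.
Import-Module ActiveDirectory

$searchBase = 'OU=Cloud Objects,DC=contoso,DC=local'   # assumption: your sync scope

# Scenario 1: enabled user accounts with "User must change password at next logon"
# set. pwdLastSet = 0 is that flag; bit 2 of userAccountControl excludes disabled accounts.
$mustChange = Get-ADUser -SearchBase $searchBase `
    -LDAPFilter '(&(objectCategory=person)(objectClass=user)(pwdLastSet=0)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))' `
    -Properties pwdLastSet

# Scenario 3: values that must be unique across the tenant. Collect UPN, mail and
# every SMTP proxy address per user, then look for values used by more than one user.
$users = Get-ADUser -SearchBase $searchBase -Filter * -Properties userPrincipalName, mail, proxyAddresses

$identities = foreach ($u in $users) {
    if ($u.userPrincipalName) {
        [pscustomobject]@{ Attr = 'userPrincipalName'; Value = $u.userPrincipalName.ToLower(); User = $u.DistinguishedName }
    }
    if ($u.mail) {
        [pscustomobject]@{ Attr = 'mail'; Value = $u.mail.ToLower(); User = $u.DistinguishedName }
    }
    foreach ($p in @($u.proxyAddresses)) {
        # -match is case-insensitive, so both "SMTP:" (primary) and "smtp:" (secondary) are caught.
        if ($p -match '^smtp:(.+)$') {
            [pscustomobject]@{ Attr = 'proxyAddresses'; Value = $matches[1].ToLower(); User = $u.DistinguishedName }
        }
    }
}

# A user whose UPN equals their own mail address is not a collision, so count distinct users per value.
$duplicates = $identities | Group-Object Value |
    Where-Object { @($_.Group.User | Select-Object -Unique).Count -gt 1 }

"Enabled accounts with 'User must change password at next logon' set: $(@($mustChange).Count)"
$mustChange | Select-Object SamAccountName, UserPrincipalName, DistinguishedName | Format-Table -AutoSize

"Address values shared by more than one account: $(@($duplicates).Count)"
foreach ($d in $duplicates) {
    "  $($d.Name)"
    $d.Group | ForEach-Object { "    $($_.Attr) on $($_.User)" }
}
```

Run it against each domain or OU that is in the sync scope; IdFix remains the supported tool for fixing what it finds, but this gives an immediate answer to whether a particular account is in one of these two states.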
Scenario 4: Users are moved between filtered and unfiltered scopes
In this scenario, the user is moved into a scope that now allows the user to be synced. This can happen when filtering is set up for domains, organizational units, or attributes. The object is synced, but its password hash isn't picked up until the next full password sync.

To resolve this issue, see the "How to perform a full password sync" section under More Information.

Scenario 5: Users can't sign in by using a new password but they can sign in by using their old password
In this scenario, you're using the Azure AD Sync Service together with password synchronization. After you disable and then re-enable directory synchronization, users can't sign in by using a new password. However, their old password still works, because Azure AD keeps accepting the last password hash that it received until password synchronization resumes and replaces it.

To resolve this issue, re-enable password synchronization. To do this, start the Azure AD sync appliance Configuration Wizard, and then continue through the screens until you see the option to enable password synchronization.

Scenario 6: Users can't sign in by using their password
In this scenario, the password hash doesn't successfully sync to Azure AD. If the user account was created in Active Directory running on a version of Windows Server earlier than Windows Server 2003, the account doesn't have a password hash, so there is nothing for password synchronization to send. Have the user change their on-premises password so that AD DS stores a hash for the account, and then wait a few minutes for the change to sync.

Directory synchronization is running but passwords of all users aren't synced

In this scenario, passwords of all users appear not to sync. 

This usually occurs if one of the following conditions is true:
  • The Synchronize now check box was not selected.
  • You enabled password synchronization after directory sync already occurred.
  • A full directory sync has not yet completed.
Important Password sync will not start until a full directory sync has completed.

To resolve this issue, first make sure that you enable password synchronization. To do this, start the Azure AD sync appliance Configuration Wizard, and then continue through the screens until you see the option to enable password synchronization.

After password synchronization is enabled, you have to perform a full password sync. See the How to perform a full password sync section of the More Information section.

You're changing from a single sign-on (SSO) solution to password synchronization

To resolve this issue, see the following Microsoft TechNet wiki article:

Event ID messages in Event Viewer

The following tables list event ID messages in the Application log that are related to password synchronization.

Password synchronization retrieves password hashes from AD DS through the directory replication service (DRS) interface, which is why the event 611 messages below refer to _IDL_DRSGetNCChanges. The AD DS account that the sync appliance uses holds the Replicating Directory Changes and Replicating Directory Changes All permissions on the domain, which is enough to read every account's password hash. Protect that account and the sync server as you would a domain controller.

Informational (no action required)

Event ID 650
  Description: Provision credentials batch start. Count: 1
  Cause: Password synchronization starts retrieving updated passwords from the on-premises AD DS.

Event ID 651
  Description: Provision credentials batch end. Count: 1
  Cause: Password synchronization finishes retrieving updated passwords from the on-premises AD DS.

Event ID 653
  Description: Provision credentials ping start.
  Cause: Password synchronization starts informing Azure AD that there are no passwords to be synced. This occurs every 30 minutes if no passwords have been updated in the on-premises AD DS.

Event ID 654
  Description: Provision credentials ping end.
  Cause: Password synchronization finishes informing Azure AD that there are no passwords to be synced. This occurs every 30 minutes if no passwords were updated in the on-premises AD DS.

Event ID 656
  Description: Password Change Request - Anchor : H552hI9GwEykZwof74JeOQ==, Dn : CN=Viola Hanson,OU=Cloud Objects,DC=contoso,DC=local, Change Date : 05/01/2013 16:34:08
  Cause: Password synchronization detected a password change and is trying to sync it to Azure AD. The message identifies the user or users whose password changed and will be synced. Each batch contains at least one user and at most 50 users.

Event ID 657
  Description: Password Change Result - Anchor: eX5b50Rf+UizRIMe2CA/tg==, Dn : CN=Viola Hanson,OU=Cloud Objects,DC=contoso,DC=local, Result : Success.
  Cause: Users whose password successfully synced.

Event ID 657
  Description: Password Change Result - Anchor: eX5b50Rf+UizRIMe2CA/tg==, Dn : CN=Viola Hanson,OU=Cloud Objects,DC=contoso,DC=local, Result : Failed.
  Cause: Users whose password didn't sync.

Informational (may require action)

Event ID 0
  Description: The following password changes failed to synchronized and have scheduled for retry.
    DN = CN=Eli McLean,OU=Cloud Objects,DC=contoso,DC=local
  Cause: User or users whose password wasn't synced. The sync appliance retries these automatically.

Event ID 115
  Description: Access to Windows Azure Active Directory has been denied. Contact Technical Support.
  Cause: Azure AD credentials were updated through Forefront Identity Manager (FIM).
  More information: Run the Azure AD Configuration Wizard again. See the following Microsoft Knowledge Base article:
    2962509 Password hash synchronization stops working after you update Azure Active Directory credentials in FIM

Event ID 657
  Description: Password Change Result - Anchor : B0H+OD3LM0GEnYODwdPhpg==, Result : failed, Extended Error :
  Cause: User or users whose password wasn't synced.

Error (action required)

Event ID 0
  Description: The user name or password is incorrect. Verify your user name, and then type your password again.
  Cause: Azure AD credentials were updated through Forefront Identity Manager (FIM).
  More information: Run the Azure AD Configuration Wizard again. See the following Microsoft Knowledge Base article:
    2962509 Password hash synchronization stops working after you update Azure Active Directory credentials in FIM

Event ID 611
  Description: Password synchronization failed for domain: Contoso.com.
    Microsoft.Online.PasswordSynchronization.SynchronizationManagerException: Recovery task failed. ---> Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: RPC Error 8439 : The distinguished name specified for this replication operation is invalid. There was an error calling _IDL_DRSGetNCChanges.
  Cause: Windows Server 2003 domain controllers handle certain scenarios unexpectedly.
  More information: See the following Microsoft Knowledge Base article:
    2867278 Password hash synchronization for Azure AD stops working and Event ID 611 is logged

Event ID 611
  Description: Password synchronization failed for domain: Contoso.com.
    Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: RPC Error 8593 : The directory service cannot perform the requested operation because the servers involved are of different replication epochs (which is usually related to a domain rename that is in progress).
  Cause: This was a known issue that was fixed in Azure Active Directory Sync tool build 1.0.6455.0807.
  More information: To resolve this issue, update to the latest version of the Azure Active Directory Sync tool.

Event ID 611
  Description: Password synchronization failed for domain: Contoso.com
    System.ArgumentOutOfRangeException: Not a valid Win32
  Cause: This was a known issue that was fixed in Azure Active Directory Sync tool build 1.0.6455.0807.
  More information: To resolve this issue, update to the latest version of the Azure Active Directory Sync tool.

Event ID 611
  Description: Password synchronization failed for domain: Contoso.com.
    System.ArgumentException: An item with the same key has already been added.
  Cause: This was a known issue that was fixed in Azure Active Directory Sync tool build 1.0.6455.0807.
  More information: To resolve this issue, update to the latest version of the Azure Active Directory Sync tool.

Event ID 652
  Description: Failed credential provisioning batch. Error: Microsoft.Online.Coexistence.ProvisionException: An error occurred. Error Code: 90. Error Description: Password Synchronization has not been activated for this company. Tracking ID: 07e93e8a-cf2d-4f67-9e95-53169c4875e0 Server Name: BL2GR1BBA003. ---> System.ServiceModel.FaultException`1[Microsoft.Online.Coexistence.Schema.AdminWebServiceFault]: Password Synchronization has not been activated for this company. (Fault Detail is equal to Microsoft.Online.Coexistence.Schema.AdminWebServiceFault).
  Cause: Password synchronization failed when retrieving updated passwords from the on-premises AD DS. Error code 90 means that password synchronization isn't activated for the organization.
  More information: See Knowledge Base article 2848640, listed under event ID 6900 below.

Event ID 652
  Description: Failed credential provisioning batch. Error: Microsoft.Online.Coexistence.ProvisionRetryException: An error occurred. Error Code: 81. Error Description: Windows Azure Active Directory is currently busy. This operation will be retried automatically.
  Cause: This was a known issue that was fixed in Azure Active Directory Sync tool build 1.0.6455.0807.
  More information: To resolve this issue, update to the latest version of the Azure Active Directory Sync tool.

Event ID 655
  Description: Failed credential provisioning ping. Error: Microsoft.Online.Coexistence.ProvisionException: An error occurred. Error Code: 90. Error Description: Password Synchronization has not been activated for this company. Tracking ID: 0744fa31-1d9b-453a-83d8-c2555d843802 Server Name: BL2GR1BBA005. ---> System.ServiceModel.FaultException`1[Microsoft.Online.Coexistence.Schema.AdminWebServiceFault]: Password Synchronization has not been activated for this company. (Fault Detail is equal to Microsoft.Online.Coexistence.Schema.AdminWebServiceFault).
  Cause: Password synchronization failed to inform Azure AD that there are no passwords to be synced. This occurs every 30 minutes. Error code 90 means that password synchronization isn't activated for the organization.
  More information: See Knowledge Base article 2848640, listed under event ID 6900 below.

Event ID 655
  Description: The user name or password is incorrect. Verify your user name, and then type your password again.
  Cause: Azure AD credentials were updated through FIM.
  More information: Run the Azure AD Configuration Wizard again. See the following Microsoft Knowledge Base article:
    2962509 Password hash synchronization stops working after you update Azure Active Directory credentials in FIM

Event ID 6900
  Description: The server encountered an unexpected error while processing a password change notification:
    "The user name or password is incorrect. Verify your user name, and then type your password again.
  Cause: Azure AD credentials were updated through FIM.
  More information: Run the Azure AD Configuration Wizard again. See the following Microsoft Knowledge Base article:
    2962509 Password hash synchronization stops working after you update Azure Active Directory credentials in FIM

Event ID 6900
  Description: The server encountered an unexpected error while processing a password change notification:
    "An error occurred. Error Code: 90. Error Description: Password Synchronization has not been activated for this company
  Cause: Password sync isn't enabled for the organization.
  More information: See the following Microsoft Knowledge Base article:
    2848640 User passwords aren't synced, and "Password Synchronization has not been activated for this company" error is logged in Event Viewer
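To work through these events from a script rather than in Event Viewer, the following PowerShell is an added example and not code from this article. It assumes the events are written to the Application log by the "Directory Synchronization" source (the source that Azure AD Connect uses for password synchronization events), and it uses the event IDs and message formats in the tables above to count events per ID, extract the DNs of users whose password failed to sync from the 657 and ID 0 messages, and map the fatal error messages to the Knowledge Base articles cited in the table. Run it in an elevated PowerShell session on the sync server.

```powershell
# Added example, not from KB 2855271: triage password synchronization events.
$hours  = 24
$source = 'Directory Synchronization'   # assumption: event source name used by the sync appliance
$since  = (Get-Date).AddHours(-$hours)

# Event IDs from the tables in this article.
$errorIds  = 611, 652, 655, 6900
$reviewIds = 0, 115, 657

$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = $source
    StartTime    = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No '$source' events in the last $hours hours. Password sync never ran: check that a full directory sync has completed and that password sync is enabled."
    return
}

# 1. Counts per event ID. A healthy server shows mostly 650/651 batches and 653/654 pings;
#    a run of 611/652/655 means the channel to AD DS or to Azure AD is broken.
$events | Group-Object Id | Sort-Object { [int]$_.Name } |
    Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

# 2. Users whose password did not sync: failed 657 results and the ID 0 retry lists.
#    The patterns follow the message formats shown in the table.
$dnFromResult = 'Dn\s*:\s*(?<dn>.+?),\s*Result\s*:\s*Failed'
$dnFromRetry  = '(?m)^\s*DN\s*=\s*(?<dn>.+?)\s*$'
$failed = foreach ($e in $events) {
    $pattern = switch ($e.Id) { 657 { $dnFromResult } 0 { $dnFromRetry } default { $null } }
    if ($pattern) {
        foreach ($m in [regex]::Matches($e.Message, $pattern)) {
            [pscustomobject]@{ Time = $e.TimeCreated; EventId = $e.Id; Dn = $m.Groups['dn'].Value }
        }
    }
}
if ($failed) {
    "Users with failed password sync:"
    $failed | Sort-Object Dn -Unique | Format-Table Time, EventId, Dn -AutoSize
}

# 3. Fatal and review-level messages mapped to the causes and KB articles in the table.
#    Order matters: the first matching entry wins.
$known = @(
    @{ Match = 'Error Code: 90';                     Advice = 'Password sync is not activated for the tenant (KB 2848640).' }
    @{ Match = 'user name or password is incorrect'; Advice = 'Azure AD credentials are stale, typically after a FIM update; rerun the configuration wizard (KB 2962509).' }
    @{ Match = 'has been denied';                    Advice = 'Azure AD access denied after a FIM credential update; rerun the configuration wizard (KB 2962509).' }
    @{ Match = 'RPC Error 8439';                     Advice = 'Windows Server 2003 domain controller replication issue (KB 2867278).' }
    @{ Match = 'RPC Error 8593|ArgumentOutOfRangeException|same key has already been added|Error Code: 81'
       Advice = 'Known issue fixed in sync tool build 1.0.6455.0807; update the sync tool.' }
)
foreach ($e in $events | Where-Object { $_.Id -in ($errorIds + $reviewIds) }) {
    $hit = $known | Where-Object { $e.Message -match $_.Match } | Select-Object -First 1
    if ($hit) {
        '{0:s}  ID {1}: {2}' -f $e.TimeCreated, $e.Id, $hit.Advice
    }
}
```

Section 3 only reports messages that match one of the table's known causes; any other 611 or 652 message still shows up in the per-ID counts in section 1 and should be read in full.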
MORE INFORMATION

How to perform a full password sync

To perform a full password sync, follow these steps, as appropriate for the Azure AD sync appliance that you're using.

If you're using the Azure Active Directory Sync tool

  1. On the server where the tool is installed, open PowerShell, and then run the following command:
    Import-Module DirSync
  2. Run the following commands:
    1. Set-FullPasswordSync
    2. Restart-Service FIMSynchronizationService -Force

If you're using the Azure AD Sync Service or Azure AD Connect

Go to the following Microsoft website and run the script that's on the page:
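The script that this step links to isn't reproduced on the page. As an added example, not the linked script, the following PowerShell forces a full password sync on an Azure AD Connect or Azure AD Sync Service server: it first confirms that password synchronization is enabled (the prerequisite that the "passwords of all users aren't synced" section above calls out), sets the connector-global Microsoft.Synchronize.ForceFullPasswordSync parameter, and then disables and re-enables password synchronization so that the next cycle re-reads every hash. The connector names are assumptions; list yours with Get-ADSyncConnector. Run it in an elevated PowerShell session on the sync server.

```powershell
# Added example, not the script that KB 2855271 links to: force a full password sync.
Import-Module ADSync

$adConnector  = 'contoso.local'                    # assumption: name of the on-premises AD DS connector
$aadConnector = 'contoso.onmicrosoft.com - AAD'    # assumption: name of the Azure AD connector

# Password sync must already be enabled between the two connectors; otherwise a full
# password sync has nothing to run through. Enable it in the configuration wizard first.
$cfg = Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector
if (-not $cfg.Enabled) {   # assumption: the configuration object exposes an Enabled property
    throw "Password synchronization is not enabled for connector '$adConnector'."
}

# Mark the AD DS connector so the next password sync cycle re-reads every password hash
# instead of only the hashes that changed since the last cycle.
$c = Get-ADSyncConnector -Name $adConnector
$p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter `
        'Microsoft.Synchronize.ForceFullPasswordSync', String, ConnectorGlobal, $null, $null, $null
$p.Value = 1
$c.GlobalParameters.Remove($p.Name) | Out-Null   # drop any stale copy of the parameter
$c.GlobalParameters.Add($p)
$c = Add-ADSyncConnector -Connector $c            # persist the updated connector

# Turning password sync off and back on restarts the password sync channel so the
# full sync actually starts.
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $false
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $true

# Confirmation: 650/651 batch events should follow shortly, with one 656/657 pair per
# user in scope. (Source name is an assumption, as in the event triage example.)
Start-Sleep -Seconds 120
Get-WinEvent -FilterHashtable @{
    LogName = 'Application'; ProviderName = 'Directory Synchronization'
    Id = 650, 651, 656, 657; StartTime = (Get-Date).AddMinutes(-5)
} -ErrorAction SilentlyContinue |
    Group-Object Id | Select-Object Name, Count | Format-Table -AutoSize
```

A full password sync re-reads the hash of every in-scope account over the DRS interface, so expect it to take proportionally longer in a large directory and to produce a burst of 656/657 events; any 657 with Result : Failed after the run identifies an account that still needs the per-user troubleshooting above.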
Properties

Article ID: 2855271 - Last Review: 06/01/2016 18:49:00 - Revision: 23.0

Microsoft Azure Cloud Services, Microsoft Azure Active Directory, Microsoft Office 365, Microsoft Intune, CRM Online via Office 365 E Plans, Microsoft Azure Recovery Services, Office 365 Identity Management
