This article helps you troubleshoot common issues that you may encounter when you synchronize passwords from the on-premises environment to Microsoft Entra ID by using Microsoft Entra Connect.
Before you start troubleshooting
Before you perform the troubleshooting steps, make sure that you have the latest version of Microsoft Entra Connect installed.
Additionally, make sure that directory synchronization is in a healthy state. For more information, see Troubleshoot object synchronization with Microsoft Entra Connect Sync.
Some users can't sign in to Microsoft 365, Microsoft Entra, or Microsoft Intune
In this scenario, passwords of most users appear to be syncing. However, there are some users whose passwords appear not to sync. The following are scenarios in which a user can't sign in to a Microsoft cloud service, such as Microsoft 365, Entra, or Intune.
Scenario 1: The "User must change password at next logon" check box is selected for the user's account
By default, password hash synchronization skips accounts that are flagged to change their password at next logon (AD DS stores this flag as pwdLastSet = 0), so no hash for the account reaches Microsoft Entra ID. To resolve this issue, follow these steps:
- Take one of the following actions:
  - In the user account properties in Active Directory Users and Computers, clear the User must change password at next logon check box.
  - Have the user change their on-premises user account password.
  - Enable the ForcePasswordChangeOnLogOn feature in Microsoft Entra Connect. The hash is then synced despite the flag, and the user is required to change their password at their next cloud sign-in.
- Wait a few minutes for the change to sync between the on-premises Active Directory Domain Services (AD DS) and Microsoft Entra ID.
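The following PowerShell is an added example for Scenario 1; it is not part of the Microsoft article. It finds the accounts in a sync-scoped OU that carry the "must change password at next logon" flag, clears the flag for one of them, and shows how to check and enable the ForcePasswordChangeOnLogOn feature on the Microsoft Entra Connect server. The OU path, the user name and the domain are placeholders.

```powershell
# Added example, not from the Microsoft article. Steps 1 and 2a need the RSAT
# ActiveDirectory module on a domain-joined admin workstation; step 2b needs the
# ADSync module and runs on the Microsoft Entra Connect server.
Import-Module ActiveDirectory

# 1. Enabled users in a synced OU that are flagged to change password at next logon.
#    AD DS represents the flag as pwdLastSet = 0, which password hash sync skips by default.
$searchBase = "OU=Users,DC=contoso,DC=com"      # placeholder: an OU included in your sync scope
$flagged = Get-ADUser -Filter { Enabled -eq $true -and pwdLastSet -eq 0 } `
    -SearchBase $searchBase -Properties pwdLastSet, PasswordLastSet, UserPrincipalName

$flagged | Select-Object SamAccountName, UserPrincipalName, PasswordLastSet |
    Format-Table -AutoSize

# 2a. Clear the flag for one account without touching its password. This writes
#     pwdLastSet = -1 (current time); the hash can then be picked up by the
#     password sync channel, which runs about every two minutes.
Set-ADUser -Identity "jdoe" -ChangePasswordAtLogon $false    # placeholder user

# 2b. Or keep the flag and let Microsoft Entra Connect sync the hash anyway, so the
#     user is forced to change the password at the next cloud sign-in. Because the
#     new password is set in the cloud, Password Writeback should also be enabled
#     so that it reaches AD DS. Run this part on the Entra Connect server.
Import-Module ADSync
Get-ADSyncAADCompanyFeature                       # shows ForcePasswordChangeOnLogOn : True/False
Set-ADSyncAADCompanyFeature -ForcePasswordChangeOnLogOn $true
```

The Get-ADUser filter in step 1 also returns accounts whose password has never been set since creation, which is the same condition from the sync engine's point of view and worth reviewing before clearing flags in bulk.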
Scenario 2: The user changed their password in the cloud service portal
Without Password Writeback, a password that is changed in the cloud portal is not written to on-premises AD DS. The on-premises password stays authoritative, so the two diverge and the user ends up with a cloud password that no longer matches what password hash sync delivers. To resolve this issue, follow these steps:
- Have the user change their on-premises user account password.
- Wait a few minutes for the change to sync between the on-premises AD DS and Microsoft Entra ID.
To let users change their password in the cloud service and have Microsoft Entra Connect update the respective on-premises user account password, enable Password Writeback.
Scenario 3: Some users don't appear to be syncing to Microsoft Entra ID
Possible causes are duplicate user names or email addresses.
To resolve this issue, use the IdFix DirSync Error Remediation Tool (IdFix) to help identify potential object-related issues in the on-premises AD DS. You can install IdFix at the following Microsoft website: IdFix DirSync Error Remediation Tool
For more information about how to troubleshoot this issue, see One or more objects don't sync when using the Azure Active Directory Sync tool.
Scenario 4: Users are moved between included and excluded sync scopes
In this scenario, the user is moved to a scope that now allows the user to be synced. It could be when filtering is set up for domains, organizational units, or attributes.
To resolve this issue, see the How to perform an initial sync section.
Scenario 5: Users can't sign in by using a new password but they can sign in by using their old password
In this scenario, you're using Microsoft Entra Connect together with password hash synchronization. After directory synchronization or password synchronization is disabled, new hashes stop flowing, so users can't sign in by using a new password. However, the last hash that reached Microsoft Entra ID is still there, so their old password still works.
To resolve this issue, re-enable directory synchronization and password synchronization. To do it, start the Microsoft Entra Connect configuration wizard, select Configure, then Customize synchronization options, and continue through the screens until you see the option to enable password synchronization.
Scenario 6: Users can't sign in by using their password
In this scenario, the password hash for the account never successfully syncs to Microsoft Entra ID. One known cause: if the user account was created in on-premises AD DS on a version of Windows Server earlier than Windows Server 2003, the account doesn't have a password hash, so there is nothing for Microsoft Entra Connect to sync. Having the user change their on-premises password (or an administrator reset it) stores a current hash, which the next password sync cycle picks up.
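The following PowerShell is an added example for Scenario 6; it is not part of the Microsoft article. It runs on the Microsoft Entra Connect server and works through a single account: whether AD DS has a current hash at all, what the built-in troubleshooter says about that object, and what the password sync event log recorded for it. The connector name, the user name and the domain are placeholders.

```powershell
# Added example, not from the Microsoft article. Run in an elevated PowerShell
# on the Microsoft Entra Connect server. The ActiveDirectory module comes from
# RSAT; ADSync and ADSyncDiagnostics ship with Microsoft Entra Connect.
Import-Module ActiveDirectory
Import-Module ADSync
Import-Module ADSyncDiagnostics

$connector = "contoso.com"        # placeholder: on-premises AD connector name (see Get-ADSyncConnector)
$sam       = "jdoe"               # placeholder: the affected user

# 1. Does the account have a current hash? pwdLastSet = 0 means the password was
#    never set or must be changed at next logon; PasswordLastSet shows when it
#    was last set. Compare it with whenCreated for very old accounts.
$user = Get-ADUser -Identity $sam -Properties PasswordLastSet, whenCreated, pwdLastSet
$user | Select-Object DistinguishedName, whenCreated, PasswordLastSet, pwdLastSet

# 2. Ask the built-in troubleshooter why this object's hash was not synced.
Invoke-ADSyncDiagnostics -PasswordSync -ADConnectorName $connector `
    -DistinguishedName $user.DistinguishedName

# 3. What did the last password change requests for this DN return?
#    Source "Directory Synchronization" in the Application log:
#    656 = password change request, 657 = result of that request.
$events = Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'Directory Synchronization'; Id = 656, 657
    } -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$($user.DistinguishedName)*" }

$events | Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize

# 4. Remediation: an admin reset (or a user-initiated change) stores a fresh
#    hash, which the next password sync cycle (about two minutes) picks up.
# Set-ADAccountPassword -Identity $sam -Reset -NewPassword (Read-Host -AsSecureString "New password")
```

If step 3 returns no 656 event for the account, the sync engine never attempted to send its hash and the cause is upstream (scope, flags, or the missing hash from step 1); a 656 followed by a 657 that reports a failure points at the export side instead.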
Directory synchronization is running but passwords of all users aren't synced
In this scenario, passwords of all users appear not to sync. It usually occurs if one of the following conditions is true:
- The Start the synchronization process when configuration completes check box wasn't selected when the configuration wizard finished, so the sync scheduler was never enabled.
- The Microsoft Entra Connect server is in staging mode. A staging server imports and synchronizes but exports nothing to Microsoft Entra ID, and that includes password hashes.
- Password synchronization is disabled, either as a tenant feature or on the AD connector.
- A full directory sync hasn't yet completed.
Important
Password sync will not start until a full directory sync has completed.
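The following PowerShell is an added example for the "passwords of all users aren't synced" checklist above and for Scenario 5; it is not part of the Microsoft article. It checks each of the listed conditions on the Microsoft Entra Connect server, then re-enables the sync scheduler and password synchronization if they are off. The connector names are placeholders; take the real, case-sensitive names from Get-ADSyncConnector.

```powershell
# Added example, not from the Microsoft article. Run in an elevated PowerShell
# on the Microsoft Entra Connect server with the ADSync module available.
Import-Module ADSync

$adConnector  = "contoso.com"                     # placeholder: on-premises AD connector
$aadConnector = "contoso.onmicrosoft.com - AAD"   # placeholder: Microsoft Entra ID connector

# 1. Scheduler and staging mode. A staging server exports nothing, password
#    hashes included, so StagingModeEnabled must be False on the active server.
$sched = Get-ADSyncScheduler
"SyncCycleEnabled   : $($sched.SyncCycleEnabled)"
"StagingModeEnabled : $($sched.StagingModeEnabled)"
"NextSyncCycle      : $($sched.NextSyncCyclePolicyType) at $($sched.NextSyncCycleStartTimeInUTC) UTC"

# 2. Password hash sync must be on for the tenant and on the AD connector.
"PasswordHashSync (tenant feature) : $((Get-ADSyncAADCompanyFeature).PasswordHashSync)"
$pwdCfg = Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector
"PasswordHashSync (AD connector)   : $($pwdCfg.Enabled)"

# 3. Is the password sync channel doing anything? Source "Directory Synchronization"
#    logs 650 at the start and 651 at the end of each password sync batch.
$since   = (Get-Date).AddHours(-1)
$batches = Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'Directory Synchronization'; Id = 650, 651; StartTime = $since
    } -ErrorAction SilentlyContinue
"Password sync batch events in the last hour : $(@($batches).Count)"

# 4. Remediation. The scheduler is only switched on if it was off (wizard closed
#    without "Start the synchronization process"), and an Initial cycle is
#    requested because password sync won't start before a full sync completes.
if (-not $sched.SyncCycleEnabled) {
    Set-ADSyncScheduler -SyncCycleEnabled $true
    Start-ADSyncSyncCycle -PolicyType Initial
}

# 5. Scenario 5: re-enable password synchronization on the connector pair if it
#    was switched off. The same cmdlet with -Enable $false is how it gets disabled.
if (-not $pwdCfg.Enabled) {
    Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector `
        -TargetConnector $aadConnector -Enable $true
}
```

Staging mode is deliberately not changed by the script: flipping it on the wrong server would create a second active exporter, so leave that to the configuration wizard (Configure, then Configure staging mode) once you have confirmed which server is meant to be active.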
Microsoft Documentation: https://docs.microsoft.com/en-us/troubleshoot/azure/active-directory/troubleshoot-pwd-sync