We use a cloud-hosted Office 365 domain for e-mail. Our users are synced from our Server 2008 R2 functional level domain.
Until a fortnight ago we were successfully using DirSync for this synchronisation process. Users and passwords were synced with the cloud and everything worked fine. If a user changed their AD password, the sync would run every 30 minutes and update their e-mail password.
As DirSync is being deprecated, we moved to Azure AD Connect. This has been set up in the same way – pointed at the same OU, password synchronisation enabled.
The synchronisation process appears to run successfully every 30 minutes:
When the system detects a password change, I can see this in the miisclient application:
The problem is… the passwords don't appear to be changing. Everyone who has changed password since we installed Azure AD Connect is still having to use their old password to log in to e-mail.
I have tried:
- Forcing a full synchronisation using the command
Start-ADSyncSyncCycle -PolicyType Initial. The sync runs, and objects are updated, but same issue with passwords still applies - Running a password synchronisation script (which at its core uses the syntax
$p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter "Microsoft.Synchronize.SynchronizationPolicy", String, SynchronizationGlobal, $null, $null, $nullas well as a number of other command lines which I won't paste unless required). Not entirely sure what this did, if anything - Checking event viewer – but no errors at all
Does anyone have any ideas what I'm missing to enable the password synchronisation?
Best Answer
From the screenshot above, you are missing the "Export" task on both the local AD and the AAD.
This is generally the case when "staging" mode is turned on.
See this article for more information.
Try turning off staging mode.