Windows – Azure AD Connect Password Sync

Tags: azure-active-directory, microsoft-office-365, windows, windows-server-2012

Windows 2012 R2, fully updated/activated
Roles: ADDS, ADFS
Installed Azure AD Connect latest version (only software installed other than updates)

Other applicable services: Office 365 (Business Premium licensing), Azure AD Premium

Having a problem with password writeback. I am able to reset a user password on the local AD and have the changes reflected in Azure AD and Office 365; however, when I reset a user password on Office 365, the changes are not applied elsewhere.

I am using the built-in Administrator account as the ADMA in this instance and applied the appropriate permissions:
* Reset Password
* Change Password
* Write lockoutTime
* Write pwdLastSet

Azure AD service account being used is set to Global Administrator and Azure AD Connect verifies credentials successfully.

Noteworthy to mention the coveted 31005 event ID has not appeared in the Windows Application event logs since initial deployment of Azure AD Connect.

Event log errors that may be applicable to this issue:

Event ID: 0 Source: Directory Synchronization — "An unknown error occurred with the Microsoft Online Services Sign-in Assistant. Contact Technical Support. SetCredential() failed. Contact Technical Support. (0x8009000B)"

Event ID: 109 Source: Directory Synchronization — "Failure while prefetching import data."

Event ID: 6801 Source: ADSync — "The extensible extension returned an unsupported error.
The stack trace is:

"Microsoft.Online.Coexistence.ProvisionException: An unknown error occurred with the Microsoft Online Services Sign-in Assistant. Contact Technical Support. —> Microsoft.Online.Coexistence.Security.WindowsLiveException: SetCredential() failed. Contact Technical Support.
at Microsoft.Online.Coexistence.Security.LiveIdentityManager.OpenIdentity(String federationProviderId, String userName, String password)
at Microsoft.Online.Coexistence.ProvisionHelper.GetLiveCompactToken(String userName, String userPassword)
— End of inner exception stack trace —
at Microsoft.Azure.ActiveDirectory.Connector.GetImportEntriesTask.GetNextBatch()
at Microsoft.Azure.ActiveDirectory.Connector.Connector.GetImportEntriesCore()
at Microsoft.Azure.ActiveDirectory.Connector.Connector.GetImportEntries(GetImportEntriesRunStep getImportEntriesRunStep)
Azure AD Sync 1.0.8667.0"

Event ID: 6803 Source: ADSync — "The management agent "domain.com – AAD" failed on run profile "Delta Import" because the server encountered errors"

Any help would be great. I'm sure someone will let me know if I left anything necessary out.

Best Answer

I'll be honest, I would not spend too much time troubleshooting your issue there. I would document your accounts and settings, uninstall and reinstall the latest Azure AD Connect deployment. Make sure you let it uninstall everything (MSOL Sign-in Assistant, MSOL PowerShell module, etc.) and restart before doing the new install.

I would not use built-in accounts. I would either use the express setup and let it create the accounts, or create dedicated sync accounts on both sides (AD, O365). Make sure when you are installing and configuring this your account is a member of the Enterprise Admins group.
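The four permissions listed in the question, delegated to a dedicated AD DS connector account as the answer recommends instead of the built-in Administrator, as an added example that is not from the question, the answer or Microsoft's own scripts. It assumes an existing local AD user named MSOL_sync and is run on a domain member with the ActiveDirectory module by someone who is already an Enterprise Admin; the rights and attribute GUIDs are looked up from the configuration and schema partitions rather than hard-coded.

```powershell
# Added example: delegate only the password-writeback permissions the question lists
# (Reset Password, Change Password, Write lockoutTime, Write pwdLastSet) to a dedicated
# sync account on all user objects under the domain root. Account name is an assumption.
Import-Module ActiveDirectory

$ConnectorAccount = 'MSOL_sync'                       # assumed dedicated AD DS connector account
$RootDSE  = Get-ADRootDSE
$DomainDN = (Get-ADDomain).DistinguishedName
$Sid      = (Get-ADUser -Identity $ConnectorAccount).SID

# Look up the rightsGuid of a control access right (e.g. "Reset Password") by display name.
function Get-ExtendedRightGuid([string]$DisplayName) {
    $base = "CN=Extended-Rights,$($RootDSE.configurationNamingContext)"
    [guid](Get-ADObject -SearchBase $base -LDAPFilter "(displayName=$DisplayName)" `
        -Properties rightsGuid).rightsGuid
}

# Look up the schemaIDGUID of an attribute or class (e.g. "pwdLastSet", "user").
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $RootDSE.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]::new([byte[]]$obj.schemaIDGUID)
}

$UserClass = Get-SchemaGuid 'user'   # inherit the ACEs onto user objects only, nothing else

function New-SyncAce([string]$Right, [guid]$ObjectGuid) {
    # Allow ACE, scoped to one extended right or one attribute, inherited by descendant users
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $Sid, $Right, 'Allow', $ObjectGuid, 'Descendents', $UserClass)
}

$Aces = @(
    New-SyncAce 'ExtendedRight' (Get-ExtendedRightGuid 'Reset Password')
    New-SyncAce 'ExtendedRight' (Get-ExtendedRightGuid 'Change Password')
    New-SyncAce 'WriteProperty' (Get-SchemaGuid 'lockoutTime')
    New-SyncAce 'WriteProperty' (Get-SchemaGuid 'pwdLastSet')
)

$Acl = Get-Acl -Path "AD:\$DomainDN"
foreach ($ace in $Aces) { $Acl.AddAccessRule($ace) }
Set-Acl -Path "AD:\$DomainDN" -AclObject $Acl

# Verify: show only the ACEs that now apply to the connector account
(Get-Acl -Path "AD:\$DomainDN").Access |
    Where-Object { $_.IdentityReference -like "*\$ConnectorAccount" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

The final listing should show exactly two ExtendedRight and two WriteProperty entries for the account, each with the user class GUID as InheritedObjectType; anything broader than that means the account holds more than writeback needs.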