How to Re-Sync a user’s Domain Password after it was reset in Office365


Scenario:

Directory synchronization is running between on-premises AD and Office 365 (without password write-back enabled). A synced user's password was reset in the Office 365 portal (for any number of administrative or user-related reasons). Now the synced user's cloud password no longer matches their domain password. What to do? MS Cloud Services support told me not to worry, as that user's password will be overwritten by AADSync...

This sounds like it should be simple enough, right?

Well, I was skeptical, so I set about testing this process to see if it would in fact overwrite the user's newly reset password with the correct AD password.


Methods that I tested

First and foremost, I reset the synced user's password and logged into the portal to verify the password change.

  • I figured "keep it stupid simple" and set out to run the scheduled task that is created for AADSync. Just for fun I monitored the outcome in miisclient. There were no detected changes or updates. I tried logging in as the user with their domain password just to check; as expected it failed, but the recently changed portal password still worked.
  • Then I decided to force an update using DirectorySyncClientCmd.exe with the initial switch. Again I tried to log in to the portal with the user's domain password, and again it failed, but the recently changed portal password still worked.



So, back to Microsoft Cloud Services support to inquire, since they had guaranteed me that they had successfully re-synced a user's domain password in their test labs. I explained to support the tests I had performed and the unsuccessful outcomes. I then received an email suggesting that I use the provided PowerShell script to force the on-premises password to overwrite the user's password in the cloud.

Hmmm... I was told it would "simply" be overwritten. Not so much, it seems.

So I ran the script and voilà! I could now log into the portal as the user with their domain password.

Here is the script you will need to run should you or any of your Office 365 Global Admins decide to reset a user's password in the cloud. The reason the earlier attempts did nothing is that password hash sync does not ride on the regular sync cycle: it only picks up hashes for accounts whose AD password has changed since the last password sync pass, so neither the scheduled task nor DirectorySyncClientCmd.exe initial re-read an unchanged on-premises hash. The script sets the AD connector's ForceFullPasswordSync parameter and then disables and re-enables password sync for the connector pair, which makes the next password sync pass push the hash of every synced user. Two caveats: run it on the sync server itself with an account that is allowed to manage the sync service, and be aware that it re-pushes every user's hash, so any other accounts whose passwords were set cloud-side will revert to their AD passwords as well (tell those users before you run it).

# Connector names are case-sensitive and must match exactly what the Synchronization
# Service Manager (miisclient.exe) shows under Connectors. The AAD connector name ends
# in " - AAD" with a plain ASCII hyphen; a typographic dash pasted from a web page
# produces "Unable to locate the MA".
$adConnector  = "yourdomain.com"
$aadConnector = "yourdomain.com - AAD"
Import-Module adsync
$c = Get-ADSyncConnector -Name $adConnector
# Connector-level parameter that tells the next password sync pass to push every user's hash
$p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter "Microsoft.Synchronize.ForceFullPasswordSync", String, ConnectorGlobal, $null, $null, $null
$p.Value = 1
$c.GlobalParameters.Remove($p.Name)
$c.GlobalParameters.Add($p)
$c = Add-ADSyncConnector -Connector $c
# Toggling password sync off and on for the connector pair triggers the full password sync
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $false
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $true
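As an added example (not part of the original post and not Microsoft's script), here is a wrapper that does the checks a practitioner wants around the forced sync: it discovers the connector names from the sync service so they cannot be mistyped, refuses to run if password hash sync is disabled for the pair, performs the same ForceFullPasswordSync toggle, and then watches the Application event log until the password sync batch completes. Assumptions, flagged in the comments: the AAD connector is named "<something> - AAD" (the convention this post shows), the object returned by Get-ADSyncAADPasswordSyncConfiguration exposes an Enabled property, the "Directory Synchronization" event source logs 650/651 for batch start/complete and 656/657 for per-user request/result, and the 657 message text contains the user's DN. Verify these against your own server before relying on the output.

```powershell
<#
  Added example, not from the original post or from Microsoft. Runs on the AADSync /
  Azure AD Connect server with the ADSync module, under an account allowed to manage
  the sync service. Discovers connector names, checks PHS is enabled, forces a full
  password hash sync, then confirms the batch ran by reading the Application log.
#>
param(
    [string]$AdConnectorName,   # set explicitly if more than one AD forest is connected
    [string]$UserDn,            # optional: DN of the user whose password you expect to be resynced
    [int]$WaitMinutes = 10      # how long to wait for the password sync batch (raise for large forests)
)

Import-Module ADSync

# 1. Discover connector names. They are case-sensitive and must match the
#    Synchronization Service Manager exactly. ASSUMPTION: the AAD connector is named
#    "<tenant> - AAD" with a plain ASCII hyphen, as in the post above.
$connectors   = @(Get-ADSyncConnector)
$aadConnector = ($connectors | Where-Object { $_.Name -like '* - AAD' } | Select-Object -First 1).Name
if (-not $aadConnector) {
    throw "No connector named '* - AAD' found. Connectors present: $($connectors.Name -join ', ')"
}
if ($AdConnectorName) {
    $adConnector = $AdConnectorName
} else {
    $adCandidates = @($connectors | Where-Object { $_.Name -ne $aadConnector })
    if ($adCandidates.Count -ne 1) {
        throw "Expected exactly one AD connector, found: $($adCandidates.Name -join ', '). Pass -AdConnectorName."
    }
    $adConnector = $adCandidates[0].Name
}
Write-Host "AD connector : $adConnector"
Write-Host "AAD connector: $aadConnector"

# 2. Refuse to run if password hash sync is not enabled for this pair: forcing a full
#    sync would do nothing and the portal-set password would stay authoritative.
#    ASSUMPTION: the configuration object exposes an Enabled boolean.
$phs = Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector
if (-not $phs.Enabled) {
    throw "Password hash sync is disabled for '$adConnector'. Enable it first, then rerun."
}

# 3. Force a full password sync: the same connector-parameter toggle as the post's script.
$start = Get-Date
$c = Get-ADSyncConnector -Name $adConnector
$p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter `
        "Microsoft.Synchronize.ForceFullPasswordSync", String, ConnectorGlobal, $null, $null, $null
$p.Value = 1
$null = $c.GlobalParameters.Remove($p.Name)
$c.GlobalParameters.Add($p)
$c = Add-ADSyncConnector -Connector $c
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $false
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $true

# 4. Wait for the password sync batch. ASSUMPTION: the "Directory Synchronization"
#    provider logs 650 (batch start), 651 (batch complete), 656 (per-user change
#    request) and 657 (per-user change result). A normal sync cycle does not log
#    these for users whose AD password has not changed.
$filter = @{
    LogName      = 'Application'
    ProviderName = 'Directory Synchronization'
    Id           = 650, 651, 656, 657
    StartTime    = $start
}
$deadline = $start.AddMinutes($WaitMinutes)
do {
    Start-Sleep -Seconds 30
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
} until (($events | Where-Object Id -eq 651) -or ((Get-Date) -gt $deadline))

if (-not ($events | Where-Object Id -eq 651)) {
    Write-Warning "No password sync completion (event 651) within $WaitMinutes minutes; check the Directory Synchronization events for PHS errors."
} else {
    $results = @($events | Where-Object Id -eq 657)
    Write-Host "Password sync batch completed; $($results.Count) per-user result(s) logged since $start."
    if ($UserDn) {
        # ASSUMPTION: the 657 message text contains the user's DN; adjust the match if yours differs.
        $mine = @($results | Where-Object { $_.Message -like "*$UserDn*" })
        if ($mine.Count -gt 0) { $mine | ForEach-Object { Write-Host $_.Message } }
        else { Write-Warning "No 657 result for '$UserDn' yet; the user may be in a later batch." }
    }
}
```

Run it as, for example, `.\Force-PasswordHashSync.ps1 -UserDn 'CN=Jane Doe,OU=Users,DC=yourdomain,DC=com'` and then test the portal login with the domain password. Because the forced sync re-pushes every synced user's hash, a large forest produces many 656/657 pairs and may need a longer -WaitMinutes, and any other user whose password was reset in the portal will silently revert to their AD password in the same batch.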

3 responses to "How to Re-Sync a user's Domain Password after it was reset in Office365"

  1. I'm getting an error trying to run this: "Set-ADSyncAADPasswordSyncConfiguration : Export MA Error: Unable to locate the MA: domain.com – AAD" (the "domain.com" portion I changed to my real domain when I ran it for real).

  2. Please run the MIIS client and click on Connectors, and you'll see the names of both of your connectors.

  3. Thanks for this script, worked a treat!

    I also experienced the error, with both connectors having the correct names:

    Export MA Error: Unable to locate the MA: domain.com – AAD

    To resolve I performed the below:

    1) Save as Sync.PS1

    2) Launch PowerShell ISE

    3) Allow remote scripts to be run

    Set-ExecutionPolicy RemoteSigned

    4) Run script sync.PS1

    C:\WindowsAzure\sync.ps1

    Results:

    True
    Password Hash Sync Configuration for source “wyg.com” updated.
    Password Hash Sync Configuration for source “wyg.com” updated.
