AAD Sync / AAD Connect – Passwords not syncing with attribute filtering

Azure Active Directory error

After the release of AAD Sync and AAD Connect (Azure Active Directory Sync and Azure Active Directory Connect) we have noticed several customers using Attribute Filtering are experiencing an error
when bringing people into the scope of synchronisation with the appropriate attribute.Microsoft describe this here as expected behaviour.

Users are moved between filtered and unfiltered scopes

In this scenario, the user is moved to a scope that now allows the user to be synced. This could be when filtering is set up for domains, organisational units, or attributes.

To resolve this, see the ‘How to perform a full password sync’ section of the ‘More Information‘ section.

Below is steps to set up a script to automate a full password sync to work around this behaviour.

The Script

First you need to save a script that contains the code to run a full password sync. This is as follows:

$adConnector  = “addomain.com”

$aadConnector = “tenantname.onmicrosoft.com – AAD”

 

Import-Module adsync

$c = Get-ADSyncConnector -Name $adConnector

$p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter “Microsoft.Synchronize.ForceFullPasswordSync”, String, ConnectorGlobal, $null, $null, $null

$p.Value = 1

$c.GlobalParameters.Remove($p.Name)

$c.GlobalParameters.Add($p)

$c = Add-ADSyncConnector -Connector $c

 

Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $false

Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $true

Once you have this saved on your AAD Connect server you can then set up a scheduled task to run every time there is a successful directory synchronisation (Event ID 114).

First you need to know that this isn’t a bug, and is expected behaviour! Once you know this, the solution is an easy fix.

Hopefully with the above instructions you can save your service desk time troubleshooting password issues in your organisation!

If you’have any other Active Directory problems, have a look here – Error installing Exchange – this user account isn’t a member of the schema admins or enterprise admins group 

Book a discovery call advert
Cloud Business logo white
Microsoft Gold Partner Logo - Cloud Business

Cloud Business Limited
8 North Street
Guildford
GU1 4AF

2023 © Cloud Business Limited
Registered Company in England and Wales 06798438