Note: This article was originally published in 2013. Some steps, commands, or software versions may have changed. Check the current Microsoft Online documentation for the latest information.

In this step-by-step guide, you’ll learn how to force password synchronization between an on-premises Active Directory and Microsoft Online Services / Windows Azure AD.

How to: Force password synchronization between an on-premises Active Directory and Microsoft Online Services / Windows Azure AD

One of the big issues I have come across while deploying a hybrid infrastructure using Microsoft Online Services is that the Directory Sync tool DirSync.exe has not been able to update my users’ passwords in the cloud. Now, after reading much online I gathered that the old version of the directory sync tool did not have this capability (you needed to use Active Directory Federation Services) and that the new one which I have installed, released in the middle of this year, does. Further reading also revealed that a user has to initiate the password change on-premises for the tool to pick up the change. Now, I would imagine an admin doing a password change/reset from AD Users and Computers would have the same effect, but that did not work for me. Perhaps even a user-initiated password change would not have worked, but I didn’t have the patience to try that. So finally I found a couple of articles which zeroed in on a solution: force the tool to sync all passwords instead of trying to do it selectively. Now, on the bright side this means your passwords are always synced. On the downside, every sync you are updating the credentials in the cloud, which perhaps exposes you to security risks years down the road if someone breaks the key through which you were transmitting the passwords… so pray your users have new passwords in 20/40 or so years, I guess. Obviously you were going to transmit the password sooner or later, so you might as well give in.

In order to perform a full sync of user passwords you need to do the following:

  1. Make sure you have the latest Windows Azure Active Directory Sync tool.
  2. Open the Windows Registry (Regedit).
  3. Browse to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSOLCoExistence\PasswordSync
  4. Change the FullSyncRequired registry value to 1.
  5. Go to Services.
  6. Restart the Forefront Identity Manager Synchronization Service. This will also restart the Windows Azure Active Directory Sync Service.
  7. Once done, you will notice log entries with Event ID 656, the “Password Change Request” events, and Event ID 657, the “Password Change Result” events.
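The same procedure scripted for an elevated PowerShell session on the DirSync server, as an added example that is not part of the original article. It assumes the service’s short name is FIMSynchronizationService and that the 656/657 events land in the Application log; neither is stated in the steps above.

```powershell
# Added example (not from the original article): force a full DirSync password
# sync and then check the event log for the request/result events.
# Assumptions: service short name FIMSynchronizationService; events 656/657
# are written to the Application log. Run elevated on the DirSync server.
$regPath   = 'HKLM:\SOFTWARE\Microsoft\MSOLCoExistence\PasswordSync'
$valueName = 'FullSyncRequired'

# Steps 3-4: record the current value, then set the flag (a DWORD) to 1.
$before = (Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction Stop).$valueName
Write-Host "FullSyncRequired before: $before"
Set-ItemProperty -Path $regPath -Name $valueName -Value 1 -Type DWord

# Steps 5-6: restart the FIM Synchronization Service. -Force also restarts the
# dependent Windows Azure Active Directory Sync Service.
$start = Get-Date
Restart-Service -Name 'FIMSynchronizationService' -Force

# Step 7: give the full sync a few minutes, then pull every Password Change
# Request (656) and Password Change Result (657) event logged since the restart.
Start-Sleep -Seconds 300
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 656, 657; StartTime = $start } `
    -ErrorAction SilentlyContinue
$requests = @($events | Where-Object { $_.Id -eq 656 }).Count
$results  = @($events | Where-Object { $_.Id -eq 657 }).Count
Write-Host "Password change requests: $requests, results: $results"

# Read each 657 result; a result that does not report success names the account
# whose password did not reach the cloud, which is what you want to follow up on.
$events | Where-Object { $_.Id -eq 657 } |
    ForEach-Object { Write-Host ("{0}  {1}" -f $_.TimeCreated, $_.Message) }

# The article notes the value reverts to 0 once the full sync has completed, so
# a lingering 1 means the sync is still running or did not happen at all.
$after = (Get-ItemProperty -Path $regPath -Name $valueName).$valueName
Write-Host "FullSyncRequired after: $after (0 means the full sync has run)"
```

A request count with no matching result count, or a value still at 1 after the wait, is the signal to look at the sync service itself rather than rerun the workaround.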

Now, once this sync is done the registry value will be reverted to 0 and unfortunately you might be stuck back at square one. Theoretically, when a user changes their password the tool will take care of it, but if you are experiencing issues you can apply this workaround again.

Summary

You’ve successfully learned how to force password synchronization between an on-premises Active Directory and Microsoft Online Services / Windows Azure AD. If you run into any issues, double-check the prerequisites and ensure your Microsoft Online environment is properly configured.