AAD Sync/AAD Connect – Passwords not syncing with attribute filtering

After the release of AAD Sync and now AAD Connect we have noticed several customers using Attribute Filtering are experiencing an error when bringing people into the scope of synchronisation with the appropriate attribute. Microsoft describe this here as expected behaviour.

Users are moved between filtered and unfiltered scopes

In this scenario, the user is moved to a scope that now allows the user to be synced. This could be when filtering is set up for domains, organizational units, or attributes.

To resolve this, see the How to perform a full password sync section of the More Information section.

Below is steps to set up a script to automate a full password sync to work around this behaviour.


The Script

First you need to save a script that contains the code to run a full password sync. This is as follows:

 

$adConnector  = “addomain.com”

$aadConnector = “tenantname.onmicrosoft.com – AAD”

 

Import-Module adsync

$c = Get-ADSyncConnector -Name $adConnector

$p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter “Microsoft.Synchronize.ForceFullPasswordSync”, String, ConnectorGlobal, $null, $null, $null

$p.Value = 1

$c.GlobalParameters.Remove($p.Name)

$c.GlobalParameters.Add($p)

$c = Add-ADSyncConnector -Connector $c

 

Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $false

Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $true

 

Once you have this saved on your AAD Connect server you can then set up a scheduled task to run every time there is a successful directory synchronisation (Event ID 114).


The solution is very simple, but first you need to know that this isn’t a bug, and is expected behaviour! Hopefully with the above instructions you can save your service desk time troubleshooting password issues in your organisation!

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s