How to: Force Password Synchronization between an onPremise Active Directory and Microsoft Online Services / Windows Azure AD

How to: Force Password Synchronization between an onPremise Active Directory and Microsoft Online Services / Windows Azure AD

One of the big issues I have come across while deploying a hybrid infrastructure using Microsoft Online Services is that the Directory Sync tool DirSync.exe has not been able to update my users’ passwords on the cloud. Now, after reading much online I gathered that the old version of the directory sync tool did not have this capability (You needed to use Active Directory Federation Services) and that the new one which I have installed that was released middle of this year does. Further reading also reveled that a user has to initiate the password change onPremise for the tool to pick up the change. Now, I would imagine an Admin doing a password change/reset from the AD Users and Computers would have the same effect but that did not work for me. Perhaps even a user initiated password change would not have worked but I did’t have the patience to try that. So finally I found a couple of articles which zeroed in into a solution: Force the tool to sync all passwords instead of trying to do it selectively. Now, on the bright side this means your password are always synced. On the downside, every sync you are updating the credentials on the cloud which perhaps exposes you to security risks years down the road if someone breaks the encryption key through which you were transmitting the passwords… so pray your users have new passwords in 20/40 or so years I guess. Obviously you were going to transmit the password sooner or later so might as well give in.

In order to perform a full sync of user passwords you need to do the following:

1. Make sure you have the latest Windows Azure Active Directory Sync tool
2. Open the Registry Editor (Regedit)
3. Browse to:
   • HKEY_LOCAL_MACHINE
• SOFTWARE
• Microsoft
• MSOLCoExistence
• PasswordSync.
4. Change the FullSyncRequired registry value to 1.
5. Go to Services
6. Restart the Forefront Identity Manager Synchronization Service. This will also restart the Windows Azure Active Directory Sync Service.
7. Once done, you will notice logs with Event IDs 656 which are the “Password Change Request” events  and 657 which are the “Password Change Result” events.

Now, once this sync is done the registry key will be reverted back to 0 and unfortunately you might be stuck back at square 1. Theoretically when a user changes its password the tool will take care of it but if you are experiencing issues you can apply this workaround again.