PowerShell command to force password sync between local Active Directory and Office 365
Synchronizing passwords between on-premises Active Directory (AD) and Office 365 or Azure AD has many benefits. Users can use a common identity for login and to access resources across on-premises and cloud environments. It also reduces the burden placed on the help desk due to password reset tickets as users now have only one password to remember.
You can use the PowerShell cmdlets given below to force Azure AD Connect to perform a full password hash synchronization from local AD to Azure AD. Note that password hash synchronization never sends a user's cleartext password to the cloud: Azure AD Connect uploads a salted, iteratively re-hashed representation of the NT hash, and the forced full sync simply re-sends that value for every in-scope user instead of only for users whose password changed. Alternatively, you can use ADSelfService Plus, an Active Directory self-service password management and single sign-on solution, to do the same without having to write and maintain PowerShell scripts.
Using PowerShell to sync local AD password to Office 365
- Make sure Azure AD Connect is installed and that password hash synchronization is enabled for the connector pair. The ADSync PowerShell module used below ships with Azure AD Connect.
- Run PowerShell as an administrator on the Azure AD Connect server. The account must be a member of the local ADSyncAdmins group.
- Assign the local Active Directory connector name to $adConnector:
$adConnector = "<adConnector_name>"
- Assign the Azure AD connector name to $aadConnector:
$aadConnector = "<aadConnector_name>"
Note: Both connector names are case sensitive. You can find the AD and Azure AD connector names under the Connectors tab in the Synchronization Service Manager console.
- Import the ADSync module (installed with Azure AD Connect):
Import-Module ADSync
- Retrieve the local AD connector object:
$c = Get-ADSyncConnector -Name $adConnector
- Create the ForceFullPasswordSync configuration parameter, set its value to 1, and apply it to the connector (any existing parameter of the same name is removed first so the new value wins):
$p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter "Microsoft.Synchronize.ForceFullPasswordSync", String, ConnectorGlobal, $null, $null, $null
$p.Value = 1
$c.GlobalParameters.Remove($p.Name)
$c.GlobalParameters.Add($p)
$c = Add-ADSyncConnector -Connector $c
- Disable password hash synchronization for the connector pair (this does not stop Azure AD Connect itself; only the password sync feature is turned off):
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $false
- Re-enable password hash synchronization. Because the ForceFullPasswordSync flag is now set on the connector, the next password sync pushes the hash of every in-scope user instead of only changed ones:
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $true
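The steps above put together as one script, with the checks an administrator would want before touching a production Azure AD Connect server. This is an added example, not code from the original article or from Microsoft; the script name, the connector names passed as parameters, and the example values in the comments are placeholders. It uses only cmdlets that ship in the ADSync module (Get-ADSyncScheduler, Get-ADSyncConnector, Add-ADSyncConnector, Get-/Set-ADSyncAADPasswordSyncConfiguration) plus Get-WinEvent from Windows PowerShell.

```powershell
# Force-FullPasswordSync.ps1 (added example, not from the original article).
# Wraps the documented steps in a script that validates its inputs, supports
# -WhatIf, and confirms the end state instead of assuming it.
# $adConnector and $aadConnector must match the names shown in Synchronization
# Service Manager exactly (they are case sensitive); the values in the
# comments are placeholders.
#Requires -RunAsAdministrator
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)] [string] $adConnector,   # e.g. "contoso.com"
    [Parameter(Mandatory = $true)] [string] $aadConnector   # e.g. "contoso.onmicrosoft.com - AAD"
)

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# The ADSync module is installed with Azure AD Connect; on any other host this
# fails immediately, which is what we want.
Import-Module ADSync

# Do not change connector configuration while a sync cycle is running.
$scheduler = Get-ADSyncScheduler
if ($scheduler.SyncCycleInProgress) {
    throw "A sync cycle is in progress; wait for it to finish and retry."
}

# Resolve both connectors by name. Get-ADSyncConnector errors out on an unknown
# name, so a case mismatch is caught before any change is made.
$c    = Get-ADSyncConnector -Name $adConnector
$null = Get-ADSyncConnector -Name $aadConnector

# Password hash sync must already be enabled for this pair; a full sync cannot
# be forced on a pair that was never configured for it.
$phs = Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector
if (-not $phs.Enabled) {
    throw "Password hash synchronization is not enabled for '$adConnector'; enable it in the Azure AD Connect wizard first."
}

if ($PSCmdlet.ShouldProcess($adConnector, "Force full password hash synchronization")) {
    # Create the ForceFullPasswordSync parameter and attach it to the AD
    # connector, replacing any stale copy of the parameter already present.
    $p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter `
        "Microsoft.Synchronize.ForceFullPasswordSync", String, ConnectorGlobal, $null, $null, $null
    $p.Value = 1
    $c.GlobalParameters.Remove($p.Name) | Out-Null
    $c.GlobalParameters.Add($p)
    $c = Add-ADSyncConnector -Connector $c

    # Toggling password hash sync off and on makes the connector pick up the
    # flag; the next password sync then pushes every in-scope user's hash.
    Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $false
    Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $true
}

# Confirm the end state: password hash sync must be enabled again, otherwise
# the toggle left the tenant without any password sync at all.
$after = Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector
if (-not $after.Enabled) {
    throw "Password hash synchronization did not come back on; check the Application event log."
}
Write-Output "Full password hash sync requested for '$adConnector' -> '$aadConnector'."

# Password hash sync activity is written to the Application log by the
# 'Directory Synchronization' source (event 656 = change request, 657 = result).
# Show the most recent entries so the operator can watch the full sync run.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Directory Synchronization'; Id = 656, 657 } `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Run it first with -WhatIf to see which connector pair it would touch, then without. The full sync itself is carried out by the password sync process on its next run, so rerun the Get-WinEvent query after a few minutes to confirm that 656/657 events are being logged for the batch.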
Using ADSelfService Plus to sync passwords between AD and Office 365 in real time
- Log in to ADSelfService Plus with administrator credentials.
- Navigate to Configuration > Self-Service > Password Sync/Single Sign-On.
- Click Add Application and select Office 365.
- In the Office 365 Configuration page, select the Password Synchronizer option and enter the required details such as the Office 365 tenant name and authentication details.
- Select the Self-Service Policies from the drop-down list.
Note: Self-service policies can be configured based on OUs and groups. They determine which users have access to the self-service password reset feature and whose passwords will be synced from on-premises AD to Office 365.
- Click Save.
Apart from being easy to configure, ADSelfService Plus has several advantages when compared to PowerShell scripts.
- Real-time AD to Azure AD password sync:
Any password change or reset operation in on-premises AD is instantly synchronized with Azure AD leaving no room for password mismatch even for seconds.
- Granular enforcement of password sync:
ADSelfService Plus allows you to enable password sync for the entire domain or only for users in specific OUs or groups.
- Self-service password reset:
Apart from password sync, ADSelfService Plus also supports self-service password reset for AD, Office 365 and other cloud applications. Users can reset their AD or Office 365 passwords on their own right from the login screen of their Windows, macOS, or Linux machines, or using the ADSelfService Plus Android or iOS app.
- Password blacklisting:
The Password Policy Enhancer feature in ADSelfService Plus contains advanced password settings such as dictionary rules, pattern checker, and even includes a Have I Been Pwned? integration, which prevents users from setting weak or breached passwords for their accounts, thus improving security.