PowerShell command to force password sync between local Active Directory and Office 365
Synchronizing passwords between on-premises Active Directory (AD) and Microsoft 365 (previously Office 365) or Azure AD has many benefits. Users can use a common identity for login and to access resources across on-premises and cloud environments. It also reduces the burden placed on the help desk due to password reset tickets as users now have only one password to remember.
You can use the PowerShell cmdlets given below to force the synchronization of passwords between local AD and Azure AD. Alternatively, you can use ADSelfService Plus, an Active Directory self-service password management and single sign-on solution, to do the same without having to go through the trouble of writing and maintaining complex PowerShell scripts.
PowerShell
Using PowerShell to sync local AD password to Office 365
- Make sure you’ve installed the Azure AD Connector.
- Run PowerShell.
- Assign the local Active Directory
$adConnector value using the command below:$adConnector = “<adConnector_name>”
- Assign the AzureAD
$aadConnector value using the command below:$adConnector = “<aadConnector_name>”
Note: Both adConnector and aadConnector names are case sensitive. You can find the AD and Azure AD Connector names under the Connectors tab in Synchronization Services Manager console.
- Install the AzureAD Sync module using:
Import-Module ADSync
- Create a new ForceFullPassword Sync configuration parameter value:
$c = Get-ADSyncConnector -Name $adConnector
- Apply the following new configuration to the existing connector:
$p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter "Microsoft.Synchronize.ForceFullPasswordSync", String, ConnectorGlobal, $null, $null, $null $p.Value = 1 $c.GlobalParameters.Remove($p.Name) $c.GlobalParameters.Add($p) $c = Add-ADSyncConnector –Connector $c
Copied - Disable AzureAD Connect:
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $azureadConnector -Enable $false
- Re-enable AzureAD Connect to force full password synchronization:
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $azureadConnector -Enable $true
ADSelfService Plus
Using ADSelfService Plus to sync passwords between AD and Office 365 in real time
- Login to ADSelfService Plus with administrator credentials.
- Navigate to Configuration > Self-Service > Password Sync/Single Sign-On.
- Click Add Application and select Office 365.
- In the Office 365 Configuration page, select the Password Synchronizer option and enter the required details such as the Office 365 tenant name and authentication details.
- Select the Self-Service Policies from the drop-down list.
Note: The self-service policies can be configured based on OUs and groups. It determines which users have access to the self-service password reset feature and whose passwords will be synced from on-premises AD to Office 365.
- Click Save.
Apart from being easy to configure, using ADSelfService Plus to sync passwords between AD and Microsoft 365 has several advantages when compared to PowerShell scripts.
- Real-time AD to Azure AD password sync:
Any password change or reset operation in on-premises AD is instantly synchronized with Azure AD and Microsoft 365, leaving no room for password mismatch even for seconds.
- Granular enforcement of password sync:
ADSelfService Plus allows you to enable password sync between AD and Microsoft 365 for the entire domain or only for users in specific OUs or groups.
- Self-service password reset:
Apart from password sync, ADSelfService Plus also supports self-service password reset for AD, Microsoft 365, and other cloud applications. Users can reset their AD or Microsoft 365 passwords right from the login screen of their Windows, macOS, or Linux machines, or using the ADSelfservice Plus Android or iOS app.
- Password blacklisting:
The Password Policy Enhancer feature in ADSelfService Plus contains advanced password settings such as dictionary rules, and pattern checker. It even includes an integration with Have I Been Pwned?, which prevents users from setting weak or breached passwords for their AD, Microsoft 365, and other integrated enterprise accounts to further improve security.
FAQs
1. How do you sync AD password with Microsoft 365?
You can use Azure AD Connect, which synchronizes local and Azure AD passwords. Alternatively, you can use PowerShell cmdlets to force the synchronization of passwords between the two directories whenever required. You can also deploy a password synchronization solution, such as ManageEngine ADSelfService Plus, to sync passwords automatically and efficiently between on-premises AD and Microsoft 365, formerly known as Office 365.
2. Why should I use a password synchronizer solution instead of PowerShell to sync passwords between local AD and Microsoft 365?
Using PowerShell scripts to sync passwords involves both writing and maintaining complex PowerShell scripts. Using a password synchronizer, on the other hand, automatically syncs passwords to Microsoft 365 whenever they are changed or reset, making IT management less of a burden for IT admins.
3. What are the prominent features of ADSelfService Plus' Password Synchronizer?
ADSelfService Plus provides automatic password sync, which enables you to synchronize AD passwords with Azure AD, Microsoft 365, and other enterprise applications. When deployed, this solution automatically syncs web-based or native AD password changes or password resets in real time. Users will then have only one AD password to remember to log into their Azure AD and Microsoft 365 accounts.
Furthermore, ADSelfService Plus provides self-service password password management for Microsoft 365 and Azure, strong and unified password policies, and password-related notifications to end users. Schedule a personalized web demo with our solution experts to learn more about ADSelfService Plus' password synchronizer and related capabilities. You can also download a free, 30-day trial version of the solution to explore on your own.