When running an Office 365 with Active Directory synchronisation from your on-premise domain, you may encounter the issue where passwords for one, some or all accounts do not sync anymore. This can particularly happen if changes were made to the configuration of the AD sync (such as change in OUs, change of rules, etc.).

Azure Active Directory Sync tool

If you're using Azure Active Directory Sync tool (old method) for synchronisation, on the server running AD sync, start Powershell, then run these:

Import-Module DirSync
Set-FullPasswordSync
Restart-Service FIMSynchronizationService -Force

Azure AD Sync Service or Azure AD Connect

Run the following Powershell script on the server running Azure AD Sync Service or Azure AD Connect:

$adConnector  = "contoso.com"
$aadConnector = "contoso.onmicrosoft.com - AAD"

Import-Module adsync

$c = Get-ADSyncConnector -Name $adConnector
$p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter "Microsoft.Synchronize.ForceFullPasswordSync", String, ConnectorGlobal, $null, $null, $null
$p.Value = 1
$c.GlobalParameters.Remove($p.Name)
$c.GlobalParameters.Add($p)
$c = Add-ADSyncConnector -Connector $c

Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $false
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $true

Replace the first two parameters:

• $adConnector = the FQDN of your on-premise AD domain
• $aadConnector = the FQDN of the Office365 tenant (the .onmicrosoft.com domain).

Please note that the script requires PowerShell version 4.0, which needs to be installed on 2008R2.

After running either of the methods above, trigger the sync software to perform a full sync.