After receiving a warning from Azure that the password sync had not run for 1 hour, I started checking where this could be coming from.
The first place to check is the "Directory sync status" page under "Health" in the Office 365 admin portal:
https://admin.microsoft.com/Adminportal/Home?#/dirsyncmanagement
The second place is to check the "Azure AD Connect" page in the Azure portal:
https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/AzureADConnect
Now that you know there is a problem, the next step is to check the Azure AD Connect server itself.
After opening the Synchronization Service Manager you are greeted with this error, well in my case anyway:
The thing to check is the account that is being used to sync with. Load the AdSyncConfig module that ships with Azure AD Connect and ask it for the connector account:

Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1"
Get-ADSyncADConnectorAccount

Copy the "ADConnectorAccountName" value from the output (it is the MSOL_ account) and run the following cmdlets with it, replacing domain.ads with your own domain:

Set-ADSyncMsDsConsistencyGuidPermissions -ADConnectorAccountName "MSOL_1234abcd1234" -ADConnectorAccountDomain domain.ads
Set-ADSyncPasswordHashSyncPermissions -ADConnectorAccountName "MSOL_1234abcd1234" -ADConnectorAccountDomain domain.ads
Set-ADSyncPasswordWritebackPermissions -ADConnectorAccountName "MSOL_1234abcd1234" -ADConnectorAccountDomain domain.ads
Set-ADSyncUnifiedGroupWritebackPermissions -ADConnectorAccountName "MSOL_1234abcd1234" -ADConnectorAccountDomain domain.ads

These cmdlets change ACLs at the domain root, so run them from an elevated PowerShell as an account that is allowed to do that (Domain Admin or Enterprise Admin). Then force a full sync cycle:

Start-ADSyncSyncCycle -PolicyType Initial -Verbose
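The whole procedure as one script, written here as an added example (it is not code from the original post or from Microsoft). It goes a little beyond the steps above: instead of copying the account name by hand it reads it from Get-ADSyncADConnectorAccount, waits for the initial sync cycle to finish, and then checks the password hash sync configuration and the Application log. Assumptions: the Azure AD Connect install path is the default one, the on-premises connector is named after the domain (the usual default), and the script runs in an elevated PowerShell on the Azure AD Connect server as an account that may modify domain-root ACLs.

```powershell
# Added example, not from the original post. Re-applies the AD permissions
# the Azure AD Connect connector (MSOL_*) account needs, runs an initial
# sync cycle and verifies password hash sync afterwards.
# Run elevated on the Azure AD Connect server as a Domain/Enterprise Admin.

Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1"
Import-Module ADSync

# 1. Find the connector account the sync engine uses against on-premises AD.
$connectorAccount = Get-ADSyncADConnectorAccount
$name   = $connectorAccount.ADConnectorAccountName
$domain = $connectorAccount.ADConnectorAccountDomain
Write-Host "Connector account: $domain\$name"

# 2. Re-apply the permission sets. Splatting keeps the four calls identical
#    apart from the cmdlet name; the cmdlets write the ACEs at the domain root.
$perm = @{ ADConnectorAccountName = $name; ADConnectorAccountDomain = $domain }
Set-ADSyncMsDsConsistencyGuidPermissions   @perm
Set-ADSyncPasswordHashSyncPermissions      @perm
Set-ADSyncPasswordWritebackPermissions     @perm
Set-ADSyncUnifiedGroupWritebackPermissions @perm

# 3. Trigger a full (Initial) sync cycle and poll the scheduler until it is done.
Start-ADSyncSyncCycle -PolicyType Initial -Verbose
do {
    Start-Sleep -Seconds 15
    $busy = (Get-ADSyncScheduler).SyncCycleInProgress
} while ($busy)

# 4. Confirm password hash sync is still enabled on the on-premises connector.
#    Assumption: the connector is named after the domain, which is the default.
Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $domain

# 5. Show the result of the last run per connector and any recent errors the
#    sync engine wrote to the Application log (provider 'Directory Synchronization').
Get-ADSyncConnectorRunStatus
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Directory Synchronization'; Level = 2 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

A practitioner's caveat: with password hash sync enabled the MSOL_ account holds "Replicating Directory Changes" rights, which is the same right a DCSync attack needs, so treat the Azure AD Connect server and that account as tier 0. Re-running the Set-ADSync*Permissions cmdlets restores exactly the ACEs the feature needs; do not "fix" a failing sync by adding the account to Domain Admins or granting broader rights.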