Forcing a full sync after enabling DirSync Password Synchronization

The latest version of DirSync, or to use it’s full name Windows Azure Active Directory Sync, provides a new feature removing the requirement to use AD FS for some customers, or if you’re using DirSync without AD FS now use your Active Directory credentials to log on to Office 365 services.

If you’re upgrading from a previous version of DirSync (for example, the Microsoft Online Services Directory Sync Tool) and you choose to enable Password Synchronization then you may experience the following issue:

  • User passwords are not synchronized until each user resets their password.

You can force a full password synchronization against the local Active Directory by following these steps:

  • On the DirSync server, open Registry Editor as Administrator
  • Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSOLCoExistence
  • Create a new key named PasswordSync
  • Create a new DWORD value within the new key named with the value 1

This should show as below:

Next, ensure the correct permissions are set on the new PasswordSync key. Right click MSOLCoExistence and choose Properties. Choose Permissions, then Advanced.


Select the Azure AD Service Account (Which may be prefixed AAD_ or MIISService) and
choose edit:

Next, change the Apply To select from This Key Only to This Key and Subkeys

After applying permissions, close Registry Editor and restart the following service:

  • Forefront Identity Manager Synchronization Service

After service restart, a full synchronization should begin. Check the DirSync server’s Event Viewer for Event ID 656 which signifies that password change request events associated with a full sync are commencing.

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top