Troubleshoot Azure AD synchronization issues with these strategies

Identifying AD synchronization issues is easy, but fixing them can be tricky. Resolve synchronization errors and ensure user accounts are operational with these best practices.

Once you set up directory synchronization to sync on-premises Active Directory with Windows Azure Active Directory,...

be sure to monitor the synchronization to ensure changes are replicated successfully. You can implement monitoring mechanisms to trigger alerts in the event of AD synchronization issues, but in order to actually address any issues, you need to resolve the conflicts with objects.

Resolve InvalidSoftMatch errors

Once a full AD synchronization is complete, the directory synchronization tool performs delta synchronization. During delta synchronization, the tool checks attributes of the objects that have been changed and new objects that need to be replicated to Windows Azure Active Directory (WAAD). For example, if you change a user account in on-premises AD, when DirSync performs the next delta synchronization, it checks what has been changed. DirSync follows two rules before the modified or new objects can be replicated: Hard Match and Soft Match.

When it comes time to update or add an object in WAAD, Azure AD matches the object using the SourceAnchor property of the object to the ImmutableID property of the object in WAAD. This match is generally called a Hard Match in AD synchronization. If the SourceAnchor data doesn't match the ImmutableID data, Azure AD performs a Soft Match. Soft Match checks the value of ProxyAddresses and UserPrincipalName attributes before the object can be updated or added. You might hit Soft Match errors if Hard Match doesn't find any matching object and Soft Match does find a matching object, but that object contains a different value in the ImmutableID property. This situation usually occurs when the matching object was synchronized with another object in on-premises AD. This type of error is called InvalidSoftMatch. To resolve InvalidSoftMatch errors, run the Azure AD Connect Health for Sync tool, which can help you identify conflicting objects. Once the conflicting objects have been identified, check to see which object shouldn't be present in WAAD. Once identified, either remove the duplicate object or change the value, and then let the directory synchronization attempt a replication of the objects automatically. You can also force directory synchronization as explained below.

Make sure AD synchronization user account is operational

It's important to ensure that the account you configure for synchronization is operational. By default, accounts created in Azure cloud are set to expire within 90 days. The password for the synchronization account must be set to never expire. To change the synchronization service account to never expire, you can use the Set-MsolUser PowerShell cmdlet. First, you need to connect to Azure by running the Connect-MsolService cmdlet and then find the synchronization service account by running the Get-MsolUser –UserPrincipalName [email protected] cmdlet. Once the synchronization service account is identified, set the account's password to never expire by using the Set-MsolUser cmdlet as shown below:

Set-MsolUser –UserPrincipalName [email protected] –PasswordNeverExpires $True

There's no need to restart the directory synchronization service for the changes to take effect.

Perform a full or delta synchronization

Note that the directory synchronization tool performs a full AD synchronization when you first install the tool. Once the full synchronization is complete, it continues to perform delta synchronizations. If you need to trigger a full synchronization immediately, use the PowerShell cmdlets that are available with the installation of the directory synchronization tool. The Start-ADSyncSyncCycle PowerShell cmdlet can help you perform either a full or delta synchronization.

Note that the directory synchronization tool performs a full AD synchronization when you first install the tool.

Run Import-Module ADSync to import the directory synchronization modules and then execute the PowerShell commands below to initiate a full or delta synchronization.

To force full synchronization, execute the Start-ADSyncSyncCycle –PolicyType Initial PowerShell command, and to force delta synchronization, execute the Start-ADSyncSyncCycle –PolicyType Delta PowerShell command. If you encounter any issues, check the event logs.

General purpose built-in tools

The directory synchronization installation creates various files under the C:\Program Files\Windows Azure Active Directory Sync folder. The two most important files are ConfigWizard and DirSyncSetup.Log. ConfigWizard allows you to reconfigure the AD synchronization settings. For any synchronization-related errors that might have occurred during the initial or delta synchronization, check the DirSyncSetup.Log file.

Next Steps

Learn how Azure AD differs from classic Active Directory 

What can the Azure AD Connect vulnerability teach enterprises?

Navigate new AD features in Windows Server 2016

Dig Deeper on Virtual machine monitoring, troubleshooting and alerting