Password Hash Sync doesn’t work for all users

Ever set up Password Hash Sync, tested it with a couple of users, and then found on go-live day that most of the users can't log in?

The browser tells us the username and/or password is wrong.

We check the username and password. We check the Event Log. We check the users that worked yesterday, and they still work today.

Then you get hold of one of the failing users' passwords, and it wouldn't be that hard to guess, if you know what I'm saying?

Azure Active Directory (Office 365 in this case) has a default password policy set to Strong, and that has consequences for the password hashes you try to synchronize into Azure Active Directory.

If your Active Directory password policy doesn't meet the Azure Active Directory policy, the synced password hash will not work.

In some situations this might raise a flag and help the users obtain a more secure password, and that is good. But if the users push back hard and leadership doesn't see it as necessary, you might want to loosen up the password policy in Azure Active Directory.

To exempt all accounts from the strong password policy we must use PowerShell, so start a PowerShell session with the Azure AD (MSOnline) cmdlets loaded:

# Sign in to the tenant first; the Msol cmdlets need an authenticated session
Connect-MsolService
# -All fetches every user (the default is capped at 500); the flag on Set-MsolUser is StrongPasswordRequired
Get-MsolUser -All | Set-MsolUser -StrongPasswordRequired $false

We can also do this for a certain group of people, leaving out the Global Admins, who we recommend keep a strong password policy (and MFA). We can either create a security group holding all the normal members, or for the moment build a placeholder in PowerShell by filtering out the Global Administrators.
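Here is an added example of that filtering (my script, not the post's own code). It assumes the MSOnline module is installed, uses the MSOnline role name "Company Administrator" for Global Administrator, and only touches users that are synced from on-prem (have an ImmutableId); the -GroupName and -ReportOnly parameters are my own additions for scoping and a dry run.

```powershell
# Added example: relax the cloud strong-password requirement for synced users,
# skipping every Global Administrator. Assumes the MSOnline module is installed.
# -GroupName (optional) limits the change to members of one security group.
# -ReportOnly prints what would change without calling Set-MsolUser.
param(
    [string]$GroupName,
    [switch]$ReportOnly
)

Connect-MsolService

# Global Administrator is listed as "Company Administrator" by the MSOnline cmdlets.
$gaRole = Get-MsolRole -RoleName "Company Administrator"
$gaIds  = @(Get-MsolRoleMember -RoleObjectId $gaRole.ObjectId |
            Where-Object { $_.RoleMemberType -eq "User" } |
            ForEach-Object { $_.ObjectId.ToString() })

if ($GroupName) {
    # Scope to one security group (placeholder name supplied by the caller)
    $group = Get-MsolGroup -SearchString $GroupName | Select-Object -First 1
    $scope = Get-MsolGroupMember -GroupObjectId $group.ObjectId -All |
             Where-Object { $_.GroupMemberType -eq "User" } |
             ForEach-Object { Get-MsolUser -ObjectId $_.ObjectId }
} else {
    $scope = Get-MsolUser -All
}

$targets = @($scope | Where-Object {
    $_.ImmutableId -and                       # synced from on-prem AD
    $_.StrongPasswordRequired -eq $true -and  # still under the cloud policy
    $gaIds -notcontains $_.ObjectId.ToString() # never a Global Administrator
})

foreach ($u in $targets) {
    if ($ReportOnly) {
        Write-Output "Would relax strong-password requirement for $($u.UserPrincipalName)"
    } else {
        Set-MsolUser -ObjectId $u.ObjectId -StrongPasswordRequired $false
        Write-Output "Relaxed strong-password requirement for $($u.UserPrincipalName)"
    }
}

Write-Output "Skipped $($gaIds.Count) Global Administrator(s); processed $($targets.Count) user(s)."
```

Run it once with -ReportOnly to review the list before making the change, and re-run it after each sync cycle that brings in new users.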

Keep in mind this must be done for each new user, as we can’t change the default behavior.

Ehlo!

I am Roy Apalnes, a Microsoft Cloud Evangelist working at Sopra Steria. Main focus on Microsoft Security and Endpoint Management, with the bigger picture in mind.
