New passwords are not syncing from on-premises Active Directory to Azure AD (AAD). The AAD Connect server logs Event ID 611 in the Event Log with the following message:
Password hash synchronization failed for domain: windowstechpro.com, domain controller hostname: DC2.windowstechpro.com, domain controller IP address: 192.168.139.132. Details:
Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: RPC Error 8453 : Replication access was denied. There was an error calling _IDL_DRSGetNCChanges. at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnection.OnGetChanges(ReplicationState syncState) at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsConnection.GetChanges(ReplicationState replicationState) at Microsoft.Online.PasswordSynchronization.RetryUtility.ExecuteWithRetry[T](Func`1 operation, Func`1 shouldAbort, RetryPolicyHandler retryPolicy)
The cause is that the AD DS connector account that AAD Connect uses to read the on-premises directory does not hold the replication permissions that password hash sync needs. Password hashes are read through the directory replication service (the _IDL_DRSGetNCChanges call in the stack trace), and a domain controller returns RPC error 8453, "Replication access was denied", when the calling account lacks the Replicating Directory Changes and Replicating Directory Changes All rights on the domain naming context.
To grant the required permissions:
Step 1: Open Active Directory Users and Computers and enable View –> Advanced Features so that the Security tab is visible.
Step 2: Right-click the domain root (windowstechpro.com) –> Properties –> Security –> Add the service account configured for AAD Connect and tick the two permissions shown in the screenshot below. The rights must be granted on the domain root, not on an OU.
1. Replicating Directory Changes
2. Replicating Directory Changes All
Once the permissions are set, run a full AAD Connect sync cycle and validate that password sync is working as expected: change the password of a test user and confirm that Event ID 611 no longer appears and the new password is accepted by AAD.
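The same permission fix can be done and verified from PowerShell instead of clicking through ADUC. The following is an added example, not part of the original post or of any Microsoft script; it assumes the RSAT ActiveDirectory module on a domain-joined admin host running as a Domain Admin, and the connector account name WINDOWSTECHPRO\MSOL_svc is a placeholder for whatever AD DS connector account your AAD Connect installation uses. The two extended-right GUIDs are the well-known identifiers of the Replicating Directory Changes and Replicating Directory Changes All rights.

```powershell
# Added example (not from the original post). Assumes RSAT ActiveDirectory module and Domain Admin rights.
Import-Module ActiveDirectory

$domainDN         = (Get-ADDomain).DistinguishedName      # e.g. DC=windowstechpro,DC=com
$connectorAccount = 'WINDOWSTECHPRO\MSOL_svc'             # placeholder: your AD DS connector account

# Extended-right GUIDs for the two replication permissions AAD Connect password hash sync needs.
$replicationRights = @{
    'Replicating Directory Changes'     = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
    'Replicating Directory Changes All' = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
}

function Get-ReplicationRightHolders {
    # Lists every identity that holds either replication right on the domain naming context.
    param([string]$Dn)
    $acl = Get-Acl -Path "AD:\$Dn"
    foreach ($ace in $acl.Access) {
        if (-not ($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) { continue }
        $match = $replicationRights.GetEnumerator() | Where-Object { $_.Value -eq $ace.ObjectType }
        if ($match) {
            [pscustomobject]@{ Identity = $ace.IdentityReference; Right = $match.Key; Type = $ace.AccessControlType }
        }
    }
}

function Grant-ReplicationRights {
    # Adds Allow ACEs for both replication rights to the domain root for the given account.
    param([string]$Dn, [string]$Account)
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate([System.Security.Principal.SecurityIdentifier])
    $acl = Get-Acl -Path "AD:\$Dn"
    foreach ($guid in $replicationRights.Values) {
        $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
            [System.Security.AccessControl.AccessControlType]::Allow,
            $guid)
        $acl.AddAccessRule($ace)
    }
    Set-Acl -Path "AD:\$Dn" -AclObject $acl
}

# 1. Before changing anything, see who already holds these rights. Anything other than domain controllers,
#    Domain Admins / Enterprise Admins and the AAD Connect connector account deserves a closer look.
Get-ReplicationRightHolders -Dn $domainDN | Format-Table -AutoSize

# 2. Grant both rights to the connector account on the domain root (an OU would not work).
Grant-ReplicationRights -Dn $domainDN -Account $connectorAccount

# 3. Confirm the connector account now shows up with both rights.
$samName = $connectorAccount.Split('\')[-1]
Get-ReplicationRightHolders -Dn $domainDN | Where-Object { $_.Identity -like "*$samName*" } | Format-Table -AutoSize

# 4. On the AAD Connect server (ADSync module), start a full sync cycle, then re-check the Event Log for 611.
# Start-ADSyncSyncCycle -PolicyType Initial
```

Step 4 is commented out because the ADSync module only exists on the AAD Connect server, whereas the ACL work runs wherever RSAT is installed. The "before" listing in step 1 is worth keeping as a routine check: Replicating Directory Changes plus Replicating Directory Changes All are exactly the rights that let any account pull every password hash in the domain via DRS replication (the technique known as DCSync), so the fix for this error should be limited to the connector account and the holders of these rights should be audited rather than widened.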