O365 | Password hash synchronization agent failed to create a key for decryption

We encountered the error "Password hash synchronization agent failed to create a key for decryption", and as a result local AD users' passwords were NOT being synced to Office 365 recently.


Referring to Password hash synchronization with Azure AD Connect sync from Microsoft, all the permissions were configured properly for the ADSync account, but it still refused to sync passwords to O365 for unknown reasons.


We suspected this might be because the MSOL_XXXX user (a Domain User) did not have enough rights to read the passwords from AD, and tried changing it to use a Domain Administrator account.


Restart the ADSync service and run a Delta Sync again:

Import-Module ADSync

#Restart ADSync Service
Restart-Service -Name ADSync

#Delta Sync
Start-ADSyncSyncCycle -PolicyType delta

Log in to Office 365 with PowerShell and verify that the DirSync features are enabled. The output below is from Get-MsolDirSyncFeatures; the PasswordSync row must show True:


ExtensionData                                    DirSyncFeature                                   Enabled
-------------                                    --------------                                   -------
System.Runtime.Serialization.ExtensionDataObject DeviceWriteback                                    False
System.Runtime.Serialization.ExtensionDataObject DirectoryExtensions                                False
System.Runtime.Serialization.ExtensionDataObject DuplicateProxyAddressResiliency                     True
System.Runtime.Serialization.ExtensionDataObject DuplicateUPNResiliency                              True
System.Runtime.Serialization.ExtensionDataObject EnableSoftMatchOnUpn                                True
System.Runtime.Serialization.ExtensionDataObject EnforceCloudPasswordPolicyForPasswordSyncedUsers   False
System.Runtime.Serialization.ExtensionDataObject PasswordSync                                        True
System.Runtime.Serialization.ExtensionDataObject SynchronizeUpnForManagedUsers                       True
System.Runtime.Serialization.ExtensionDataObject UnifiedGroupWriteback                              False
System.Runtime.Serialization.ExtensionDataObject UserWriteback                                      False

Verify the last password sync time with Get-MsolCompanyInformation (LastDirSyncTime and LastPasswordSyncTime are reported in UTC):


SelfServePasswordResetEnabled            : True
UsersPermissionToCreateGroupsEnabled     : True
UsersPermissionToCreateLOBAppsEnabled    : True
UsersPermissionToReadOtherUsersEnabled   : True
UsersPermissionToUserConsentToAppEnabled : True
DirectorySynchronizationEnabled          : True
DirSyncServiceAccount                    : Sync
LastDirSyncTime                          : 14/2/2020 5:14:51 AM
LastPasswordSyncTime                     : 14/2/2020 5:11:03 AM
PasswordSynchronizationEnabled           : True

Manually reset the password for the test account (testo365) and confirm that the password is synced to O365 successfully: LastPasswordChangeTimestamp should move forward to a time after the reset.

Get-MsolUser -UserPrincipalName "[email protected]" | Select-Object UserPrincipalName, LastDirSyncTime, LastPasswordChangeTimestamp

UserPrincipalName            LastDirSyncTime      LastPasswordChangeTimestamp
-----------------            ---------------      ---------------------------
[email protected] 14/2/2020 5:59:54 AM 14/2/2020 6:03:09 AM  

Optional Steps

Convert the UTC time to local time with the PowerShell function Get-LocalTime (a custom helper, not a built-in cmdlet):

Get-LocalTime ((Get-MsolUser -UserPrincipalName "[email protected]").LastPasswordChangeTimestamp)
UTC Time: 14/2/2020 6:03:09 AM
Local Time: 14/2/2020 2:03:09 PM
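The verification steps above can be wrapped into one reusable health check. This is an added example, not code from the original post; it assumes the MSOnline module is loaded, Connect-MsolService has already been run, the test UPN is a placeholder you replace with your own, and the 30-minute staleness threshold is an arbitrary assumption. The event-log check only returns results when the function runs on the Azure AD Connect server itself.

```powershell
function Test-PasswordHashSync {
    param(
        [Parameter(Mandatory)] [string] $TestUserPrincipalName,
        [DateTime] $ResetPerformedAt = (Get-Date),   # local time at which the test password was reset
        [int]      $MaxSyncAgeMinutes = 30           # assumed threshold for calling the tenant sync "stale"
    )

    # MSOnline reports UTC timestamps; pin the Kind to UTC before converting to local time
    $toLocal = { param($utc) [DateTime]::SpecifyKind($utc, 'Utc').ToLocalTime() }

    $report = [ordered]@{}

    # 1. Tenant feature flag: the PasswordSync row of Get-MsolDirSyncFeatures must be True
    $report.PasswordSyncFeatureEnabled = [bool](Get-MsolDirSyncFeatures -Feature PasswordSync).Enabled

    # 2. Tenant-wide timestamps from Get-MsolCompanyInformation
    $company = Get-MsolCompanyInformation
    $report.PasswordSynchronizationEnabled = $company.PasswordSynchronizationEnabled
    $report.LastPasswordSyncTimeLocal      = & $toLocal $company.LastPasswordSyncTime
    $ageMinutes = ((Get-Date) - $report.LastPasswordSyncTimeLocal).TotalMinutes
    $report.LastPasswordSyncAgeMinutes = [int]$ageMinutes
    $report.PasswordSyncIsFresh        = $ageMinutes -le $MaxSyncAgeMinutes

    # 3. Per-user proof: the test account's LastPasswordChangeTimestamp must be at or after the reset
    $user = Get-MsolUser -UserPrincipalName $TestUserPrincipalName
    $report.TestUserPasswordChangedLocal = & $toLocal $user.LastPasswordChangeTimestamp
    $report.TestUserPasswordSynced       = $report.TestUserPasswordChangedLocal -ge $ResetPerformedAt

    # 4. On the Azure AD Connect server: count occurrences of the decryption-key error from the
    #    post title in the last 24 hours (SilentlyContinue because Get-WinEvent throws on no match)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; StartTime = (Get-Date).AddHours(-24) } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*failed to create a key for decryption*' }
    $report.DecryptionKeyErrorsLast24h = @($events).Count

    $report.Healthy = $report.PasswordSyncFeatureEnabled -and $report.PasswordSynchronizationEnabled -and
                      $report.PasswordSyncIsFresh -and $report.TestUserPasswordSynced -and
                      $report.DecryptionKeyErrorsLast24h -eq 0

    [pscustomobject]$report
}

# Usage: placeholder UPN, and the reset was performed about ten minutes before this check
Test-PasswordHashSync -TestUserPrincipalName 'testo365@example.com' -ResetPerformedAt (Get-Date).AddMinutes(-10)
```

A Healthy value of False with DecryptionKeyErrorsLast24h greater than zero points at the agent-side key problem described at the top of this post rather than at a permissions gap in the tenant.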
