O365 | Password hash synchronization agent failed to create a key for decryption


We encountered "Password hash synchronization agent failed to create a key for decryption", and it caused local AD users' passwords to NOT be synced to Office 365 recently.

[Screenshot: O365-FIPS-01]

Referring to Password hash synchronization with Azure AD Connect sync from Microsoft, all the permissions were configured properly for the ADSync account, but it still refused to sync passwords to O365 for unknown reasons.

Resolution

We suspect this might be due to the user MSOL_XXXX (a Domain User) not having enough rights to read the passwords from AD, and tried changing it to use Domain Administrator.

[Screenshot: O365-FIPS-02]
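A least-privilege alternative to switching the connector to Domain Administrator is to verify that the MSOL_ account actually holds the two replication rights password hash sync needs on the domain root. The PowerShell below is an added example, not from the original post or from Microsoft; it assumes the RSAT ActiveDirectory module is installed on a domain-joined machine, uses a placeholder for the MSOL_ account name, and only inspects rights granted directly to that account (rights inherited through group membership are not checked).

```powershell
# Added example, not from the original post. Checks whether the Azure AD Connect
# AD DS Connector account holds the two extended rights that password hash sync
# requires on the domain root: "Replicating Directory Changes" and
# "Replicating Directory Changes All". Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$ConnectorAccount = 'MSOL_xxxxxxxxxxxx'   # placeholder: replace with the real MSOL_ account name

# Well-known control access right GUIDs from the AD schema
$RequiredRights = @{
    'Replicating Directory Changes'     = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
    'Replicating Directory Changes All' = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
}

$domainDN  = (Get-ADDomain).DistinguishedName
$acl       = Get-Acl -Path "AD:\$domainDN"
$sid       = (Get-ADUser -Identity $ConnectorAccount).SID
# Compare ACE identities by account name, which is how Get-Acl reports resolvable principals
$ntAccount = $sid.Translate([System.Security.Principal.NTAccount]).Value

$results = foreach ($entry in $RequiredRights.GetEnumerator()) {
    # Look for an explicit Allow ACE for this principal carrying the extended right
    $granted = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        $_.ObjectType -eq $entry.Value -and
        $_.IdentityReference.Value -eq $ntAccount
    }
    [pscustomobject]@{
        Account = $ConnectorAccount
        Right   = $entry.Key
        Granted = [bool]$granted
    }
}

$results | Format-Table -AutoSize

# A row with Granted = False explains a password sync failure without elevating
# the connector account: grant the missing right on the domain root instead.
if ($results.Granted -contains $false) {
    Write-Warning "$ConnectorAccount is missing at least one replication right on $domainDN"
}
```

Run it as a user who can read the domain root ACL. If both rights report True and sync still fails, the problem is not the connector account's AD permissions, and elevating it to Domain Administrator will not help while widening the blast radius of the Azure AD Connect server.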

Restart the ADSync service and perform a delta sync again

Import-Module ADSync

#Restart ADSync Service
Restart-Service -Name ADSync

#Delta Sync
Start-ADSyncSyncCycle -PolicyType delta

Log in to Office 365 with PowerShell and verify that the PasswordSync DirSync feature is enabled

Get-MsolDirSyncFeatures

ExtensionData                                    DirSyncFeature                                   Enabled
-------------                                    --------------                                   -------
System.Runtime.Serialization.ExtensionDataObject DeviceWriteback                                    False
System.Runtime.Serialization.ExtensionDataObject DirectoryExtensions                                False
System.Runtime.Serialization.ExtensionDataObject DuplicateProxyAddressResiliency                     True
System.Runtime.Serialization.ExtensionDataObject DuplicateUPNResiliency                              True
System.Runtime.Serialization.ExtensionDataObject EnableSoftMatchOnUpn                                True
System.Runtime.Serialization.ExtensionDataObject EnforceCloudPasswordPolicyForPasswordSyncedUsers   False
System.Runtime.Serialization.ExtensionDataObject PasswordSync                                        True
System.Runtime.Serialization.ExtensionDataObject SynchronizeUpnForManagedUsers                       True
System.Runtime.Serialization.ExtensionDataObject UnifiedGroupWriteback                              False
System.Runtime.Serialization.ExtensionDataObject UserWriteback                                      False

Verify the last PasswordSync time

Get-MsolCompanyInformation

SelfServePasswordResetEnabled            : True
UsersPermissionToCreateGroupsEnabled     : True
UsersPermissionToCreateLOBAppsEnabled    : True
UsersPermissionToReadOtherUsersEnabled   : True
UsersPermissionToUserConsentToAppEnabled : True
DirectorySynchronizationEnabled          : True
DirSyncServiceAccount                    : Sync
LastDirSyncTime                          : 14/2/2020 5:14:51 AM
LastPasswordSyncTime                     : 14/2/2020 5:11:03 AM
PasswordSynchronizationEnabled           : True

Manually reset the password for the test account (testo365) and confirm that the password is synced to O365 successfully

Get-MsolUser -UserPrincipalName "testo365@.com.my" | Select-Object UserPrincipalName, LastDirSyncTime, LastPasswordChangeTimestamp

UserPrincipalName            LastDirSyncTime      LastPasswordChangeTimestamp
-----------------            ---------------      ---------------------------
testo365@.com.my 14/2/2020 5:59:54 AM 14/2/2020 6:03:09 AM  

Optional Steps

Convert the UTC time returned by MSOnline to local time with the PowerShell function Get-LocalTime

Get-LocalTime ((Get-MsolUser -UserPrincipalName "testo365@.com.my").LastPasswordChangeTimestamp)
UTC Time: 14/2/2020 6:03:09 AM
Local Time: 14/2/2020 2:03:09 PM
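To turn the manual verification above (DirSync feature, last password sync time, test user timestamps, UTC conversion) into one repeatable health check, the following PowerShell is an added example, not from the original post. It assumes Connect-MsolService has already been run, uses a placeholder UPN, and its ConvertTo-LocalTime helper is a stand-in for the author's Get-LocalTime function, not that function itself. The 30-minute threshold is an assumption chosen to be generous relative to the two-minute password hash sync cycle.

```powershell
# Added example, not from the original post. Repeatable check of password hash
# sync health using the MSOnline cmdlets shown above. Assumes Connect-MsolService
# has already been run; the UPN and the threshold are placeholders/assumptions.
Import-Module MSOnline

function ConvertTo-LocalTime {
    # MSOnline returns timestamps in UTC; tag the value as UTC, then convert.
    param($UtcTime)
    if ($null -eq $UtcTime) { return $null }   # never synced / never changed
    [datetime]::SpecifyKind([datetime]$UtcTime, [DateTimeKind]::Utc).ToLocalTime()
}

function Test-PasswordSyncHealth {
    param(
        [Parameter(Mandatory)][string]$TestUpn,   # the test account used for the manual reset
        [int]$MaxAgeMinutes = 30                  # assumption: generous bound over the 2-minute PHS cycle
    )
    $company = Get-MsolCompanyInformation
    $user    = Get-MsolUser -UserPrincipalName $TestUpn
    $nowUtc  = [datetime]::UtcNow

    # Age of the tenant-wide last password sync; treat "never" as infinitely old
    if ($null -eq $company.LastPasswordSyncTime) {
        $syncAgeMinutes = [double]::PositiveInfinity
    } else {
        $lastSyncUtc    = [datetime]::SpecifyKind($company.LastPasswordSyncTime, [DateTimeKind]::Utc)
        $syncAgeMinutes = [math]::Round(($nowUtc - $lastSyncUtc).TotalMinutes, 1)
    }

    $report = [pscustomobject]@{
        PasswordSyncEnabled      = $company.PasswordSynchronizationEnabled
        LastPasswordSyncUtc      = $company.LastPasswordSyncTime
        LastPasswordSyncLocal    = ConvertTo-LocalTime $company.LastPasswordSyncTime
        PasswordSyncAgeMinutes   = $syncAgeMinutes
        TestUserLastDirSyncLocal = ConvertTo-LocalTime $user.LastDirSyncTime
        TestUserPwdChangedLocal  = ConvertTo-LocalTime $user.LastPasswordChangeTimestamp
        Healthy                  = ($company.PasswordSynchronizationEnabled -eq $true) -and
                                   ($syncAgeMinutes -le $MaxAgeMinutes)
    }

    if (-not $report.Healthy) {
        # Stale or disabled sync: inspect the ADSync service and the Application
        # event log on the Azure AD Connect server before touching permissions.
        Write-Warning "Password hash sync is disabled or last ran $syncAgeMinutes minutes ago (limit $MaxAgeMinutes)."
    }
    $report
}

Test-PasswordSyncHealth -TestUpn 'testo365@example.com' | Format-List   # placeholder UPN
```

After a manual password reset on the test account, TestUserPwdChangedLocal should move to a time later than the reset within a few minutes; if PasswordSyncAgeMinutes keeps growing while PasswordSyncEnabled is True, the agent on the Azure AD Connect server is failing rather than the tenant configuration.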