This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(83.2, 89%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EZD%3C/text%3E%3C/svg%3E)
Hi everyone, I've recently taken over some responsibilities from a coworker who left and a lot this is new to me, so please forgive me if any of this is explained poorly or if I'm just missing something. The coworker also was fairly new to AWS and a lot of this setup is a bit mangled, but I will explain.
We're trying to set up an AWS managed directory that's synced to our microsoft account. The end goal is to be able to have single sign on to accounts that are properly set up to have access to various AWS resources, using their microsoft account credentials. We've had our microsoft account for a long time, and we just started to use AWS. The AWS Directory is only partly set up.
We currently have 2 AWS directories, one that was previously created by the coworker, and one that I've been working on to try and get working from a fresh domain.
The previous one does have some manually created users that are being used to give some of our users access the resources on our AWS account. There was an attempt to sync with this domain, but the directory name did not match the domain name for the microsoft account, and its causing issues. It also has some Entra Sync errors, but these are mostly just duplicate entry errors because a lot of our groups and users have had the same email set at their contact email. Its an easy fix but since its not on the domain that I'm working on I haven't bothered with it.
The current domain is completely fresh, no users other than the domain user that is required for Microsoft Entra Sync Connect. The domain names match so theres no longer an error there. The Sync Connect installer worked perfectly. The instructions I followed are here:
Sync services doesn't give me any errors, and says that the syncs are performed correctly. The issue is that the AWS Active Directory is not updated.
The domain user that is created in the AWS directory and the Admin user is synced to the microsoft account like we would expect, but none of our users from the microsoft account are copied back to AWS. I don't seem to get any error messages.
As mentioned we have a few Entra sync errors, but they are for the other domain. Beyond that the only other error messages I get is in the event viewer, and that error is "the management agent "{our domain}" step execution completed on run profile "export" with errors.", with an error code of 6100. Digging into this, I found the log in the Sync Service Manager. The error is just that the sync service doesnt have permission to sync one of the users to Microsoft, error code 8344. This user seems to be one of the users that were automatically created, it's named "AWS_TRHgFN9hqSl", and Im not totally sure what it is, however its not a user we need in Microsoft. Since the domain user and admin user synced (As well as a test user that I will describe below) synced, I cant imagine that it would prevent it all from working.
I was wondering if we may have a misunderstanding of how Entra Sync Connect works, I wasn't sure if we needed to manually create the users in the AWS AD domain and then Entra will sync them. To test this I created a user that had all of the exact information that another user had. Once it synced, it had created a new user in our microsoft account that had the same name/email, just with a few numbers added.
If the connect sync does work the way I thought was supposed to, and it does create all the users from our microsoft domain in our AWS domain, it feels like its some kind of permissions issue. I logged into the EC2 with the AD tools as the domain user and it seems like I'm able to create new users no problem. Is there some other permission that the domain user needs? Or does the Entra Connect Sync just not work like we expected it to? Or am I just missing something here? Any help would be greatly appreciated!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(48, 68%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKS%3C/text%3E%3C/svg%3E)
Hi Zac Demmel,
Thank you for posting your query on Microsoft Q&A. I am Saiteja from Q&A will be assisting you with your query.
Based on your query, below is my understanding: You have created AWS AD directory and syncing them using Microsoft Entra connect.
Microsoft Entra connect works as a single way synchronization. If you have created a user in AWS directory and add them in sync scope you will be sync them to Microsoft AD account. This is the expected working scenario. You can only sync the users once you create them in your AD. If you want to sync from Microsoft Account to AWS AD which is not possible. I would suggest you go through this link to understand how an Entra connect sync works with synchronization.
I hope this information is helpful. Please feel free to reach out if you have any further questions. If the answer is helpful, please click "Accept Answer" and kindly "upvote it". If you have extra questions about this answer, please click "Comment"
Hi Zac Demmel,
Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Hi Zac Demmel,
Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
I apologize for the delay, Im meeting with our consultant today. Once I do I'll add a response and close the question, thank you!
Hi Zac Demmel,
Thanks for your response,
We will be waiting for your response on the thread. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know by responding to these comments. Happy to assist you.
I did have an additional question. If Entra is a one way Sync, I should be able to create a user in our AWS Directory, let Entra sync it, and then the password that was set for that user in AWS should be the password for the Microsoft user, correct? I've been testing this and I can't seem to log in as the new user with that password
Hello, sorry I do have one additional question,
If that's the case and it is a one way sync, I should be able to create a user in AWS, let Entra sync it to Microsoft, and then I should be able to use the password that was set in AWS to log in to a microsoft account as that user, correct?
I've tried doing just that, but I can't seem to log in with that password, and I also can't seem to change the password of the microsoft user on the microsoft side either, as I get this error:
"Unfortunately, you cannot reset this user's password due to a policy or error in your on-premises environment."
Is there some trick to this or is this also not something thats possible? Im doing some internal research now, but I wanted to check to make sure this was something we could do in the first place
Hi Zac Demmel,
Thanks for your response,
You can sync the account you have created in on-premises AD and Microsoft Entra ID. These users will sync through AD connect along with their passwords and you cannot change their passwords from Entra ID, you can only change the password from on premises itself. Since you have mentioned that you are not able to sign in using the password, could you please confirm whether you have enabled PHS in your AD connect. This password hash will sync your user passwords to Azure. To enable PHS for your AD connect, please check this link.
If it is already enabled, please follow the troubleshooting of password hash synchronization using this link. You can also perform the troubleshooting from Azure AD connect wizard following this link.
I hope this information is helpful. Please feel free to reach out if you have any further questions.
If the answer is helpful, please click "Accept Answer" and kindly "upvote it". If you have extra questions about this answer, please click "Comment".
I do believe that it is something on our side of things, thank you for the information!
Sorry to add to this, but I did have an additional question.
I have a permissions issue after setting up the PHS.
Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: RPC Error 8453 : Replication access was denied. There was an error calling _IDL_DRSGetNCChanges.
at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnection.OnGetChanges(ReplicationState syncState)
at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsConnection.GetChanges(ReplicationState replicationState)
at Microsoft.Online.PasswordSynchronization.RetryUtility.ExecuteWithRetryT
at Microsoft.Online.PasswordSynchronization.DeltaSynchronizationTask.SynchronizeCredentialsToCloud()
at Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.SynchronizeSecrets()
at Microsoft.Online.PasswordSynchronization.SynchronizationExecutionContext.SynchronizeDomain()
at Microsoft.Online.PasswordSynchronization.SynchronizationManager.SynchronizeDomain(SynchronizationExecutionContext syncExecutionContext)
.
From what it looks like, I need to add the permissions "ReplicateDirectoryChanges" and "ReplicateDirectoryChangesAll" to the domain user for Entra. I added the user to one of the groups generated from Entra named "AWS Delegated Replicate Directory Changes Administrators", which has the first permission, but not the latter.
I tried going to the active directory users and groups tool to either directly assign the missing permission to the user or to update the group, but the domain admin (The one generated with the AWS domain that i do most of my work in) doesn't seem to have permissions to do so, and the EC2 Administrator (The one you ahve to upload the security key to get the password from) doesn't have access to the Active Directory Users and Groups tool, so I seem to be gridlocked into not being able to get the permissions I need. Any ideas here?
Hi Zac Demmel,
Thank you for your response,
Based on the error, I found that your ADDS connector account do not have these permissions: Replicating Directory Changes, Replicating Directory Changes All.
This is documented in the following link. Now you need to perform the troubleshooting by providing those permissions to your ADDS connector account. Here is the document which helps in you adding the permissions to the account: https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-configure-ad-ds-connector-account#determine-your-ad-ds-connector-account.
This document helps you determining your ADDS connector account and steps to provide permissions using PowerShell commands.
If you would like to add permissions from AD connect troubleshooter, you can follow this link. Once you open the Azure AD connect troubleshooter, you will find the Troubleshoot Password Hash Sync. Once you select it, you need to find AD DS account does not have correct permissions. From here you can choose the required permissions and add it accordingly.
Once you add the permissions, restart the AD sync service and perform the full sync. The issue will be sorted.
Thanks,
Saiteja K.
This does look promising! Unfortunately I did try both through normal powershell and through the troubleshooter to run the command "Set-ADSyncPasswordHashSyncPermissions", and I get the result below. I tried doing this as the domain admin. I also tried doing this as the VM administrator, but it doesn't even have access to the domain.
It seems like somehow my domain admin needs specific permissions to assign permissions, which I have been unable to configure, but that admin is the highest authority that exists, is there something that needs to be done for this user?
Set-ADSyncPasswordHashSyncPermissions -ADConnectorAccountDN 'CN=domain user,OU=Users,OU=controlsoftinc,DC=controlsoftinc,DC=com'
Confirm
Are you sure you want to perform this action?
Performing the operation "Grant Password Hash Synchronization permissions" on target "controlsoftinc.com".
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): A
Grant permissions on all Domains: AD Domain 'DC=controlsoftinc,DC=com'...
GrantAclsNoInheritance : Specified operation failed with ldap error: 00000005: SecErr: DSID-03152E13, problem
4003 (INSUFF_ACCESS_RIGHTS), data 0 Insufficient Rights . Access is denied. The command failed to complete
successfully.
At C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1:1871 char:17
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Hi Zac Demmel,
Thanks for your response,
I believe you need to add one of the users to domain administrator and enterprise administrator group which will give you full access on the tenant. Once you provide the access login to the machine using the same account to make sure you have full access while running the PowerShell.