Azure AD Password Sync – “no recent synchronization” – Event ID 611 – “replication access was denied”


Azure AD Connect (v1.1.614.0) Password Synchronisation has stopped working.

In the Office 365 Admin Centre, DirSync Status shows no recent password synchronisation.



The following error is flagged on the Azure AD Connect Server.

Event ID: 611 (Log: Application, Source: Directory Synchronization)
Level: Error
Description: Password synchronization failed for domain:
Details: Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: RPC Error 8453 : Replication access was denied. There was an error calling _IDL_DRSGetNCChanges. at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnection.OnGetChanges(ReplicationState syncState) at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsConnection.GetChanges(ReplicationState replicationState) at Microsoft.Online.PasswordSynchronization.RetryUtility.ExecuteWithRetry[T](Func`1 operation, Func`1 shouldAbort, RetryPolicyHandler retryPolicy) at Microsoft.Online.PasswordSynchronization.DeltaSynchronizationTask.SynchronizeCredentialsToCloud() at Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.SynchronizeSecrets() at Microsoft.Online.PasswordSynchronization.SynchronizationExecutionContext.SynchronizeDomain() at Microsoft.Online.PasswordSynchronization.SynchronizationManager.SynchronizeDomain(SynchronizationExecutionContext syncExecutionContext)


The following permissions were missing from the local Azure AD sync account. Both are required for the account to read password hashes from local AD.

Replicating Directory Changes
Replicating Directory Changes All


Assign the missing permissions by using the ACL editor as below, or you could use ADSIedit.

Open the Active Directory Users and Computers snap-in.
On the View menu, click Advanced Features.
Right-click the domain object, e.g. “”, click Properties.
On the Security tab, click Add.
In the Select Users, Computers, or Groups dialog box, select the local Azure AD sync account, and then click Add.
Click OK to return to the Properties dialog box.
Click the local Azure AD sync account.
Select the Replicating Directory Changes and Replicating Directory Changes All check boxes.


Click Apply, and then click OK.
Close the snap-in.

Restart the Microsoft AD Azure Sync Service; this resolves the issue.
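As an added example (not part of the original post), the following PowerShell checks the same two extended rights on the domain object from the command line, so you can confirm the fix without opening the ACL editor. It goes slightly beyond the steps above by listing every principal that holds either right, which is worth reviewing because these rights permit reading password hashes via replication. The MSOL_ account name is an assumption; substitute your own sync account. It requires the ActiveDirectory module from RSAT.

```powershell
# Added example (not from the original post): audit which principals hold the two
# replication extended rights on the domain naming context, and confirm the
# Azure AD Connect sync account is among them. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Assumed account name: Azure AD Connect normally names its account MSOL_<hex>; adjust to yours.
$SyncAccount = 'MSOL_0123456789ab'

# Well-known GUIDs of the extended rights shown in the ACL editor as
# "Replicating Directory Changes" and "Replicating Directory Changes All".
$ReplRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
}

$DomainDN = (Get-ADDomain).DistinguishedName
$Acl = Get-Acl -Path "AD:\$DomainDN"

# Keep only Allow ACEs that grant one of the two replication rights.
$Grants = $Acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        $ReplRights.ContainsKey($_.ObjectType.ToString())
    } |
    ForEach-Object {
        [pscustomobject]@{
            Principal = $_.IdentityReference.Value
            Right     = $ReplRights[$_.ObjectType.ToString()]
        }
    }

# Every principal able to pull password hashes via replication; review anything unexpected.
$Grants | Sort-Object Principal, Right | Format-Table -AutoSize

# Verify the sync account has both rights; either one missing reproduces Event ID 611.
$Have = ($Grants | Where-Object { $_.Principal -like "*\$SyncAccount" }).Right
foreach ($Name in $ReplRights.Values) {
    if ($Have -contains $Name) { "OK      : $SyncAccount has '$Name'" }
    else                       { "MISSING : $SyncAccount lacks '$Name'" }
}
```

Run it before and after assigning the permissions; the two MISSING lines should turn to OK once the ACL change has applied.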

You will see Event ID 650 (Provision credentials batch start), and 656 (Password Change Request) events logged.

After a short wait, in the Office 365 Admin Centre, DirSync Status shows recent password synchronisation.


