In this course, we will take a look at how to troubleshoot Azure AD Connect Directory synchronization errors.
Learning Objectives
- An overview of directory synchronization with Azure AD Connect
- How Azure AD Connect works within your hybrid environment
- How to troubleshoot directory synchronization issues with Azure AD Connect
Intended Audience
- Users looking to learn about Troubleshooting Azure AD Connect synchronization errors
Prerequisites
- A basic understanding of Azure
Microsoft suggests that administrators become familiar with a few things in order to troubleshoot synchronization issues effectively: being able to deactivate and reactivate directory synchronization, understanding the unhealthy identity synchronization notification, being able to view directory synchronization errors in the Microsoft 365 admin center, being familiar with identity synchronization and duplicate attribute resiliency, understanding the Directory Synchronization troubleshooter, being familiar with the Synchronization Service Manager, and troubleshooting password hash synchronization with Azure AD Connect. So, with that, let's go through them one by one to fully understand the troubleshooting steps for each. Starting off, we have understanding the effects of deactivating and reactivating directory synchronization. I'm going to provide a scenario and explain how it functions to illustrate where an issue could potentially occur. Suppose an organization enabled directory synchronization, then disabled it, and then re-enabled it. What is actually happening in this situation?
When an organization enables synchronization with Azure AD Connect, authority is transferred to the on-premises Active Directory, meaning any changes made in that environment must go through the on-premises management tools.
Once synchronization is disabled, authority changes back to Microsoft 365. The changes made while synchronized remain, but management transfers from the on-premises tools to the cloud tools in Microsoft 365. If we then go a step further and turn synchronization back on, all of the changes made in Microsoft 365 while it was the authority are overwritten by the new authority, the on-premises directory. In this scenario the authority swapped multiple times, and that can lead to confusion when adjusting your environment.
Whenever you manage your environment, remember which tool is in fact the authority, and if there are synchronization errors, ensure that you are making changes in the correct tool. Next up, we have the unhealthy identity synchronization notification and accessing directory synchronization errors in the Microsoft 365 admin center. Unhealthy identity synchronization notifications are sent to the technical contact email address and alert administrators when there are directory synchronization issues.
You can easily find these alerts by navigating to the Microsoft 365 admin center and locating the DirSync tile within the Home tab. It breaks down affected objects by attribute properties. It also shows issues when attributes are not unique, which ties directly into identity synchronization and duplicate attribute resiliency. When you initially provision directory synchronization, you may run into duplicate attributes. Historically, this would cause provisioning to fail until the objects were updated or removed so that there were no longer duplicates. However, Azure AD Connect has a duplicate attribute resiliency feature, so this issue no longer flat out fails the provisioning process. If you enable duplicate attribute resiliency, any duplicate attributes found within Azure AD while provisioning are automatically quarantined and a placeholder value is assigned to the attribute. For example, an environment that has a duplicate user principal name would get a placeholder for that attribute. The placeholder is formatted as <OriginalPrefix><4DigitNumber>@<InitialTenantDomain>.onmicrosoft.com. It's important to note that once you decide to enable duplicate attribute resiliency, the feature cannot be disabled or turned off.
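As an added example that is not part of the course, the following PowerShell finds duplicate userPrincipalName and proxyAddresses values in the on-premises directory before they reach Azure AD, and flags cloud UPNs that match the placeholder shape described above. The helper function names, the `contoso` domain and the sample objects are constructed; in production the input comes from `Get-ADUser`.

```powershell
# Added example (not course material): detect duplicate sync attributes on-premises
# and recognise duplicate-resiliency placeholder UPNs. Assumes RSAT ActiveDirectory
# module for the real query; the sample data below is constructed.

function Find-DuplicateSyncAttributes {
    param(
        # Objects with DistinguishedName, UserPrincipalName and ProxyAddresses
        [Parameter(Mandatory)] [object[]] $Users
    )
    $seen = @{}
    foreach ($u in $Users) {
        $values = @()
        if ($u.UserPrincipalName) { $values += 'UPN:' + $u.UserPrincipalName.ToLower() }
        foreach ($p in @($u.ProxyAddresses)) {
            # SMTP:/smtp: prefixes differ only by case; Azure AD treats them as one value
            if ($p) { $values += 'PROXY:' + $p.ToLower() }
        }
        foreach ($v in $values) {
            if (-not $seen.ContainsKey($v)) { $seen[$v] = @() }
            $seen[$v] += $u.DistinguishedName
        }
    }
    # Emit only values owned by more than one object
    $seen.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 } | ForEach-Object {
        [pscustomobject]@{ Attribute = $_.Key; Objects = ($_.Value -join '; ') }
    }
}

# Placeholder UPN shape: <OriginalPrefix><4DigitNumber>@<InitialTenantDomain>.onmicrosoft.com
# This is a heuristic: a legitimate UPN ending in four digits also matches.
function Test-ResiliencyPlaceholderUpn {
    param([string] $Upn, [string] $InitialTenantDomain)
    $pattern = '^.+\d{4}@' + [regex]::Escape($InitialTenantDomain) + '\.onmicrosoft\.com$'
    return $Upn -match $pattern
}

# Constructed sample; replace with:
#   Get-ADUser -Filter * -Properties userPrincipalName, proxyAddresses
$sample = @(
    [pscustomobject]@{ DistinguishedName='CN=Ann,OU=Users,DC=contoso,DC=local'; UserPrincipalName='ann@contoso.com'; ProxyAddresses=@('SMTP:ann@contoso.com') },
    [pscustomobject]@{ DistinguishedName='CN=Ann2,OU=Users,DC=contoso,DC=local'; UserPrincipalName='Ann@contoso.com'; ProxyAddresses=@('smtp:ann.b@contoso.com') },
    [pscustomobject]@{ DistinguishedName='CN=Bob,OU=Users,DC=contoso,DC=local'; UserPrincipalName='bob@contoso.com'; ProxyAddresses=@('SMTP:bob@contoso.com','smtp:ann.b@contoso.com') }
)
Find-DuplicateSyncAttributes -Users $sample | Format-Table -AutoSize
Test-ResiliencyPlaceholderUpn -Upn 'ann1234@contoso.onmicrosoft.com' -InitialTenantDomain 'contoso'
```

With the sample data the first call reports both the duplicate UPN and the duplicate proxy address, and the second returns True.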
Next up we have the directory synchronization troubleshooter, which is exactly what it sounds like. This tool allows administrators to run scans of their Active Directory environment and provides guidance on potential changes to fix synchronization issues. Specifically, you can run two different types of scans: a quick scan and a full scan. A quick scan only scans event logs and Microsoft 365 settings, while a full scan goes through your Active Directory objects. I'm not going to go over every single possible result, but if you're interested in the specifics of what each result means, I have linked a Microsoft page for you to review below.
It is important to keep in mind that the user running the synchronization troubleshooter must have read permissions in both the on-premises directory and the Microsoft 365 tenant. Next, we have the Synchronization Service Manager, which checks for synchronization issues and specifically focuses on certain operations and whether they completed successfully. Synchronization runs every 30 minutes and provides you with information on specific operations. These operations are: import on the AD Connector, import on the Azure AD Connector, export on the AD Connector, export on the Azure AD Connector, Full Sync on the AD Connector, and Full Sync on the Azure AD Connector.
Once a sync has run, you can validate the status and find any errors in the process. If you don't want to wait 30 minutes for the automatic sync, you can also run a sync manually from within the Synchronization Service Manager or by using a Windows PowerShell command. And finally, we have troubleshooting password hash synchronization with Azure AD Connect. Generally, issues with a single object have to do with temporary passwords, as they are not synced to Azure AD. In this scenario, admins should ensure that the "User must change password at next logon" option is not enabled. Now that we understand some of the nuances of troubleshooting, let's look more in-depth at specific errors that can occur during Azure AD synchronization.
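The two checks just described, run from PowerShell on the Azure AD Connect server, as an added example that is not part of the course: inspect the scheduler, start a delta sync only if no run is in progress, and list on-premises accounts whose password will not be hash-synced because "User must change password at next logon" is set (stored as pwdLastSet = 0). The function names and the OU path are assumptions; `Get-ADSyncScheduler`, `Get-ADSyncConnectorRunStatus`, `Start-ADSyncSyncCycle` and `Invoke-ADSyncDiagnostics` are the ADSync module's own cmdlets.

```powershell
# Added example (not course material). Run as a member of ADSyncAdmins on the
# Azure AD Connect server; assumes the ADSync and ActiveDirectory modules.
Import-Module ADSync
Import-Module ActiveDirectory

function Get-SyncCycleState {
    $s = Get-ADSyncScheduler
    [pscustomobject]@{
        Enabled       = $s.SyncCycleEnabled
        Interval      = $s.CurrentlyEffectiveSyncCycleInterval   # 30 minutes by default
        NextRunUtc    = $s.NextSyncCycleStartTimeInUTC
        RunInProgress = [bool](Get-ADSyncConnectorRunStatus)     # empty output when idle
    }
}

function Start-DeltaSyncIfIdle {
    $state = Get-SyncCycleState
    if ($state.RunInProgress) {
        Write-Warning 'A sync run is already in progress; not starting another.'
        return $false
    }
    if (-not $state.Enabled) {
        Write-Warning 'Scheduler is disabled; a manual cycle still runs, but find out why.'
    }
    # Delta processes only changes since the last run; -PolicyType Initial forces a full sync
    Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
    return $true
}

# pwdLastSet = 0 means "User must change password at next logon"; password hash
# sync skips these accounts until the user sets a new password.
function Get-UsersPendingPasswordChange {
    param([string] $SearchBase)   # constructed OU path below
    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties pwdLastSet |
        Where-Object { $_.pwdLastSet -eq 0 } |
        Select-Object SamAccountName, UserPrincipalName, DistinguishedName
}

Get-SyncCycleState
Start-DeltaSyncIfIdle
$pending = Get-UsersPendingPasswordChange -SearchBase 'OU=Users,DC=contoso,DC=local'
$pending | Format-Table -AutoSize

# Per-object password hash sync diagnostics for one of the flagged accounts:
# Invoke-ADSyncDiagnostics -PasswordSync -ObjectDN $pending[0].DistinguishedName
```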
Lee has spent most of his professional career learning as much as he could about PC hardware and software while working as a PC technician with Microsoft. Once COVID hit, he moved into a customer training role with the goal of getting as many people as possible prepared for remote work using Microsoft 365. Being both Microsoft 365 certified and a self-proclaimed Microsoft Teams expert, Lee continues to expand his knowledge by working through the wide range of Microsoft certifications.