Azure AD Password Sync Denied

Event 611, RPC Error 8453: Replication access was denied in Azure AD Sync Services

Issue: New passwords are not syncing to AAD from on-premises. The sync fails with Event ID 611 in the event logs and the following message.

Password hash synchronization failed for domain:, domain controller hostname:, domain controller IP address: Details:

Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: RPC Error 8453 : Replication access was denied. There was an error calling _IDL_DRSGetNCChanges.   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnection.OnGetChanges(ReplicationState syncState)   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsConnection.GetChanges(ReplicationState replicationState)   at Microsoft.Online.PasswordSynchronization.RetryUtility.ExecuteWithRetry[T](Func`1 operation, Func`1 shouldAbort, RetryPolicyHandler retryPolicy


The reason for this error is that the account configured for Azure AD Connect sync does not have the permissions required to sync password changes to AAD.

To grant the right permissions:

Step 1: Open Active Directory Users and Computers.

Step 2: Right-click on the –> Security –> add the service account configured for Azure AD Connect and select the two permissions shown in the screenshot below:

1. Replicating Directory Changes

2. Replicating Directory Changes All

Once the permissions are set, run an Azure AD Connect full sync and validate that password sync is happening as expected.
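To confirm the result of Step 2 without the GUI, the added PowerShell example below (not part of the original post) reads the ACL on the domain root, lists every principal holding either replication right, and reports whether the connector account has both. It assumes the RSAT ActiveDirectory module is installed; the account name is a constructed placeholder.

```powershell
# Added example: audit the two replication rights on the domain root.
Import-Module ActiveDirectory   # also provides the AD: drive used by Get-Acl

# Assumption: replace with the service account configured in Azure AD Connect.
$ConnectorAccount = 'CONTOSO\svc-aadconnect'   # constructed placeholder

# rightsGuid values of the two control access rights in the AD schema.
$Rights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
}

$DomainDN = (Get-ADDomain).DistinguishedName
$Acl      = Get-Acl -Path "AD:\$DomainDN"
$Extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# Keep only Allow ACEs that grant one of the two extended rights.
$Holders = $Acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band $Extended) -and
    $Rights.ContainsKey($_.ObjectType.ToString())
} | Select-Object @{n = 'Principal'; e = { $_.IdentityReference.Value } },
                  @{n = 'Right';     e = { $Rights[$_.ObjectType.ToString()] } },
                  IsInherited

# Everyone who can replicate directory changes; review this list, it should be short.
$Holders | Sort-Object Right, Principal | Format-Table -AutoSize

# Direct ACEs only: rights obtained through group membership are not resolved here.
foreach ($Name in $Rights.Values) {
    $Granted = $Holders | Where-Object {
        $_.Right -eq $Name -and $_.Principal -eq $ConnectorAccount
    }
    if ($Granted) { "OK      $ConnectorAccount has '$Name'" }
    else          { "MISSING $ConnectorAccount lacks '$Name'" }
}
```

Because these two rights allow the holder to pull password hashes through replication, any unexpected principal in the table is worth investigating.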
