You configure Azure AD Connect to synchronize your on-premises Active Directory Domain Services (AD DS) domain with your Office 365 subscription. You enable the password hash synchronization feature. Then, you sync all user accounts that are assigned to an employee. You also configure group-based filtering.
A user indicates that she cannot log in to Office 365 applications. However, she is able to log in successfully through her company's workstations.
You need to troubleshoot the password synchronization process.
After some investigation, you realize that this user has been moved to another job position in the company.
What is the most likely cause of the login problem?
The most likely cause of the problem is that the user object has been moved to another security group. You only sync user accounts that are assigned to an employee, and you manage these users by using AD DS security groups. If you accidentally move a user out of the security group that you have configured to synchronize to Azure AD, that user is removed from the Azure AD tenant and will not be able to log in. You need to move the affected user account back to the correct security group so that Azure AD Connect synchronizes it with the Azure AD tenant again.
Selecting the User must change password at next logon setting on the user object would not make the user unable to log in. This setting would prevent the password from being synchronized with the Azure AD tenant. Temporary passwords are not synced. In this scenario, the user was able to correctly log in to her company's workstation. She was not asked to change her password.
The user object being disabled would not make the user unable to log in. Azure AD Connect will not synchronize disabled objects. In this scenario, the user was able to log in to her computer, which means that the user object was not disabled.
Configuring the cloudFiltered attribute would not make the user unable to log in. In this scenario, you are using group-based filtering. Attribute filtering is a more granular technique to filter the objects that will be added to the metaverse and then synced with the Azure AD tenant. If the cloudFiltered attribute is present in an object, that object will not be synced with Azure AD.
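
The AD-side conditions discussed above (sync group membership, disabled account, temporary password) can be checked in one pass with the ActiveDirectory module. This is an added example, not part of the original question; the user name `jdoe` and the group name `AADC-Sync-Users` are assumed placeholders, and the check relies on group-based filtering considering only direct members of the configured group.

```powershell
# Added example. Assumed names: 'jdoe' (affected user) and 'AADC-Sync-Users'
# (the group selected for group-based filtering). Replace with your own.
Import-Module ActiveDirectory

function Test-SyncEligibility {
    param(
        [Parameter(Mandatory)] [string] $UserSam,
        [Parameter(Mandatory)] [string] $SyncGroupName
    )

    $group = Get-ADGroup -Identity $SyncGroupName
    $user  = Get-ADUser -Identity $UserSam -Properties Enabled, pwdLastSet, MemberOf

    # Group-based filtering does not resolve nested groups, so compare the
    # group's DN against the user's own MemberOf values (direct membership).
    $inSyncGroup = $user.MemberOf -contains $group.DistinguishedName

    # pwdLastSet = 0 means "User must change password at next logon" is set.
    $mustChange = ($user.pwdLastSet -eq 0)

    # Order the checks the way the scenario rules them out.
    if (-not $inSyncGroup) {
        $cause = 'Not a direct member of the sync group'
    } elseif (-not $user.Enabled) {
        $cause = 'Account disabled'
    } elseif ($mustChange) {
        $cause = 'Temporary password not synced'
    } else {
        $cause = 'No AD-side cause found'
    }

    [pscustomobject]@{
        User                = $user.SamAccountName
        Enabled             = $user.Enabled
        MustChangePassword  = $mustChange
        DirectMemberOfGroup = $inSyncGroup
        LikelyCause         = $cause
    }
}

Test-SyncEligibility -UserSam 'jdoe' -SyncGroupName 'AADC-Sync-Users'
```

The cloudFiltered attribute lives in the Azure AD Connect metaverse rather than in AD DS, so it is not covered by this check.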