M365 User's password not syncing

I have a staff member who hasn’t been able to access their email for a few days, and in O365 their account was blocked for sign in, so I unblocked it, but then it blocked again 30 minutes later (and wouldn’t let us sign in anyway). I’m trying to figure out why this user is getting blocked. I see zero login attempts (failed or otherwise) for this user in M365.

OK, while typing this and testing things I finally realized that if I reset his password manually in O365 to match his password in AD, then I could sign in to office.com, but still couldn’t sign in to Outlook Web Access.

I haven’t seen this issue (yet) with anyone else, and we’ve been on O365 for a few years with Directory Sync for just as long. His mailbox is on-prem, but I have other on-prem users that don’t experience this. Any thoughts on how I can track this down?

Now that I’ve un-enforced MFA on his account and logged in successfully to Office.com, I see successful login attempts in the Azure AD Sign-in list.

So I guess my final questions are how can I troubleshoot why he can't log in to his mailbox on local AD, and how can I troubleshoot why his password isn't syncing from AD?

Have you tried to manually sync all?
Don’t know if this is the same? It happened a couple of times before O365 for me on OWA.
Have a couple of users who used their own laptops to sign in on OWA. They never logged out and also auto-saved the password and just closed their laptop. The next time they try to log in after the password is changed, it keeps locking their account. I finally figured out that they had logged in somewhere and it was trying to sign in repeatedly with the old password. Told them to close their internet browsers and restart their laptops and then re-login with the new password in OWA, and it works after that.

How do you manually sync? Start-ADSyncSyncCycle ?

Do you use -PolicyType Initial?

(I haven’t manually synced all year, so I’m going through my old notes which may be woefully out of date)

Under the Synchronization Service Manager on Azure - Actions - Run, choose Full Synchronization.

I have no clue how I didn’t see this, but the user account had been de-activated. Apparently we ran our deactivate user script on the wrong user. Judging by the log files my script generates, I have a VERY strong suspicion I was the one who did it. :frowning:

That would be the main cause of your problem.
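An added example (not posted by anyone in this thread) that ties the two threads of the discussion together: before forcing a sync, check the on-prem account state that Directory Sync would export, because a disabled AD account is exported as a blocked cloud account and undoes any manual unblock on the next cycle. It assumes it runs on the Azure AD Connect server with the ActiveDirectory and ADSync modules installed, and the UPN is a placeholder.

```powershell
# Added example, not from the thread. Run on the Azure AD Connect server.
Import-Module ActiveDirectory
Import-Module ADSync

$upn = 'user@example.com'   # placeholder: replace with the affected user's UPN

$u = Get-ADUser -Filter "UserPrincipalName -eq '$upn'" `
        -Properties Enabled, LockedOut, PasswordLastSet, AccountExpirationDate, `
                    badPwdCount, LastBadPasswordAttempt
if (-not $u) { throw "No AD user found with UPN $upn" }

# Root cause in this thread: the account had been disabled by an offboarding script.
# Enabled = False here means the cloud account will be re-blocked on every delta cycle
# (roughly every 30 minutes), no matter how often it is unblocked in M365.
[pscustomobject]@{
    SamAccountName         = $u.SamAccountName
    Enabled                = $u.Enabled
    LockedOut              = $u.LockedOut        # repeated old-password attempts (the OWA/laptop case)
    PasswordLastSet        = $u.PasswordLastSet  # compare with when the user says they changed it
    AccountExpirationDate  = $u.AccountExpirationDate
    BadPwdCount            = $u.badPwdCount
    LastBadPasswordAttempt = $u.LastBadPasswordAttempt
} | Format-List

if (-not $u.Enabled) {
    Write-Warning "AD account is disabled; re-enable it (after confirming with HR/offboarding records) before syncing."
}

# Scheduler state: if cycles are disabled or one is already running, Start-ADSyncSyncCycle will not help.
$sched = Get-ADSyncScheduler
"SyncCycleEnabled: $($sched.SyncCycleEnabled)  InProgress: $($sched.SyncCycleInProgress)  Next (UTC): $($sched.NextSyncCycleStartTimeInUTC)"

# Delta picks up a single re-enabled user or password change; Initial (full import + sync)
# is only needed after connector/config changes, so it is the wrong tool for one stuck account.
if ($sched.SyncCycleEnabled -and -not $sched.SyncCycleInProgress) {
    Start-ADSyncSyncCycle -PolicyType Delta
}
```

If the account turns out to be disabled, fix the offboarding script's input validation (confirm the target SamAccountName against an HR ticket) rather than only re-enabling the user, since the same mistake will otherwise repeat.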