You may encounter a condition in which Azure Active Directory synchronization stops working, for example in an environment that is using directory synchronization for Office 365.
The Operations view of the Synchronization Service Manager (miisclient.exe) will display a status of “stopped-extension-dll-exception” for operations on the Windows Azure Active Directory Connector.
The Application event log of the directory synchronization server may log the following entries:
Log Name: Application Source: Directory Synchronization Date: 26/02/2015 10:34:00 AM Event ID: 0 Description: Update your password and try again. GetAuthState() failed with -2147186688 state. HResult:0. Contact Technical Support. (0x80048831) Log Name: Application Source: Directory Synchronization Date: 26/02/2015 10:34:00 AM Event ID: 109 Description: Failure while importing entries from Windows Azure Active Directory. Exception: Microsoft.Online.Coexistence.ProvisionException: Update your password and try again. ---> Microsoft.Online.Coexistence.Security.WindowsLiveException: GetAuthState() failed with -2147186688 state. HResult:0.
A likely cause of this issue is an expired password for the account used to connect to Azure Active Directory. To determine which user account is used look in the Management Agents view of the Synchronization Service Manager (miisclient.exe), open the Properties of the Windows Azure Active Directory Connector and select the Connectivity settings.
If you know the expired password you can login to the Office 365 portal with that username and password, and follow the prompts to update the expired password. Then return to the Synchronization Service Manager and update the configuration with the new password.
If you would like to set a non-expiring password for the account you can configure this using the Azure Active Directory PowerShell Module.
Install the Azure AD PowerShell module if you have not already installed it. Open a PowerShell console and connect to Azure AD, entering your admin credentials when prompted.
PS C:\> Connect-MsolService
Configure the account to have a non-expiring password. When you do this for an account with an expired password the existing password will begin working again as well.
PS C:\> Set-MsolUser -UserPrincipalName firstname.lastname@example.org -PasswordNeverExpires $true
The next directory synchronization operations should complete successfully.