When you have implemented Directory Synchronization between your on-premises Active Directory and Office 365, and you move a user in Active Directory out of the DirSync scope (for example to an Organizational Unit that’s not synchronized) the user is removed from Office 365.

However, when you move the user back to an Organizational Unit that’s synchronized (i.e. in-scope) the password is no longer synchronized. So, when this user tries to logon to Office 365 services, the logon attempt fails. Only when you change the password in Active Directory, the new password is synchronized to Office 365, and the user is able to logon again to the service.

Very similar to this, when a disabled user in the on-premises Active Directory is enabled, the password is not synchronized to Office 365.

This is a known issue with DirSync or Azure AD Connect (up to November 2015). On November 4, 2015 Microsoft released a new version of Azure AD Connect that fixes this particular issue (together with a number of other fixes of course).

You can find more information regarding the updated version of Azure AD Connect on Sander Berkouwer’s blog A new version of Azure AD Connect was released today. You can download the new version of Azure AD Connect on the Microsoft Download Site.