Keep in Sync with Microsoft Azure AD Sync Password Writeback

Published:3 August 2022 - 8 min. read

The on-premises infrastructure typically remains when your organization’s directory service moves to the cloud, particularly Azure Active Directory. This co-existence is known as a hybrid setup and can often confuse end users because some tasks they need to do on-premises while some are in the cloud.

One example is resetting or changing passwords. Some organizations require password change in their on-premises AD. If the users attempt to reset their passwords in Azure AD, they get an error, which leads to service desk calls and a decline in user experience.

What’s the right move? You should enable password writeback in Azure AD and your hybrid Active Directory infrastructure. Stay tuned; this tutorial teaches you how to enable password writeback step by step.

Prerequisites

This tutorial will be a hands-on demonstration. If you’d like to follow along, be sure you have the following:

  • An Azure AD tenant – Register a free account if you don’t have one.
  • An on-premises Active Directory environment already configured with the latest Azure AD Connect – This tutorial uses a Windows Server 2019 Datacenter with Azure AD Connect 2.1.15.0.
  • The Self-Service Password Reset feature is already enabled in your Azure AD tenant.

Checking Password Writeback Support

Before enabling password writeback, you must ensure that all the necessary conditions are met. Not all Azure AD tenants support password writeback to on-premises AD. Follow the succeeding section to check and confirm password writeback eligibility and support.

The primary condition to enable password writeback is the Azure AD Premium license.

To check whether you have an Azure AD P1 or P2 license:

1. Open your favorite web browser, and log in to the Azure Active Directory admin center.

2. Next, click the Azure Active Directory → Overview blade.

You will see Azure AD Premium P1 or Azure AD Premium P2, similar to the screenshot below.

Checking for Azure AD Premium License from the AAD admin center
Checking for Azure AD Premium License from the AAD admin center

3. Alternatively, open PowerShell as admin and run the Connect-AzureAD command below to connect to the Azure Active Directory first.

Connect-AzureAD

4. Now, run either of the following commands to list your tenant’s Azure AD Premium license.

(Get-AzureADSubscribedSku).ServicePlans | Where-Object {$_.ServicePlanName -like "AAD_PREMIUM*"}
(Get-AzureADTenantDetail).AssignedPlans | Where-Object {$_.Service -eq 'AADPremiumService'}

The table below shows the license information about the Azure AD Premium.

Service Plan IDLicense NameGet-AzureADSubscribedSkuGet-AzureADTenantDetail
41781fb2-bc02-4b7c-bd55-b576c07bb09dAzure AD Premium P1AAD_PREMIUMAADPremiumService
eec0eb4f-6444-4f95-aba0-50c24d67f998Azure AD Premium P1AAD_PREMIUM_P2AADPremiumService

The screenshot below confirms that this tenant has an Azure AD Premium P2 license.

Checking for Azure AD Premium License from the AAD PowerShell
Checking for Azure AD Premium License from the AAD PowerShell

Finding the Azure AD Connect On-Premises Directory Account

When you installed and configured Azure AD Connect, the installation process automatically created a forest login account. This account must have specific permissions for the password writeback to work properly.

If you don’t know the current Azure AD Connect domain login account:

Open PowerShell as admin, and run the below commands to perform the following:

  • IImport (Import-Module) the AdSyncConfig module. This module is included in Azure AD Connect, located on C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1.
Import-Module 'C:\\Program Files\\Microsoft Azure Active Directory Connect\\AdSyncConfig\\AdSyncConfig.psm1'
Get-ADSyncADConnectorAccount

You’ll get the following result, showing the ADConnectorAccountName property contains the Azure AD Connector account name.

Getting the Azure AD Connector account name
Getting the Azure AD Connector account name

Configuring Password Writeback Permissions

Azure AD Connector account must have the following permissions to the on-premises Active Directory domain.

  • Reset password
  • Write lockoutTime
  • Write pwdLastSet
  • Unexpire Password on each domain root in the forest.

The good news is that you don’t need to set these permissions manually. The AdSyncConfig module includes a cmdlet called Set-ADSyncPasswordWritebackPermissions that conveniently sets all the necessary permissions.

To set the password writeback permissions, run the below command in PowerShell. Ensure to replace the ADConnectorAccountName and ADConnectorAccountDomain values with yours.

Set-ADSyncPasswordWritebackPermissions `
    -ADConnectorAccountName MSOL_27c8dae74e08 `
    -ADConnectorAccountDomain LAZYEXCHANGEADMIN.CYOU `
    -Confirm:$false

Wait for the command to finish quickly, and you’ll get a confirmation message, as shown below.

Setting the Password Writeback Permissions
Setting the Password Writeback Permissions

Enabling Password Writeback in Azure AD Connect

Now that you’ve confirmed your Azure AD tenant’s password writeback eligibility and configured password writeback permissions. But is that it? Well, not close enough. The next step is enabling password writeback in Azure AD Connect.

1. Open Azure AD Connect on your server.

Opening Azure AD Connect
Opening Azure AD Connect

2, On the Welcome to Azure AD Connect page, click Configure.

Skipping past the welcome page
Skipping past the welcome page

3. On the Additional tasks page, click Customize synchronization options → Next.

Choosing to customize synchronization
Choosing to customize synchronization

4. Now, on the Connect to Azure AD page, type your global administrator or hybrid identity administrator credentials and click Next.

Providing your Azure AD credentials
Providing your Azure AD credentials

5. Don’t change anything on the Connect your directories page and click Next.

Keeping On-Premises directory information intact
Keeping On-Premises directory information intact

6. Keep the defaults in the Domain and OU Filtering page to sync with all domains and OUs, and click Next.

Keeping domain and OU filtering settings on default
Keeping domain and OU filtering settings on default

7. On the Optional features page, tick the Password writeback feature since you’re enabling the password writeback, and click Next.

Enabling the password writeback feature
Enabling the password writeback feature

8. Leave the Start synchronization process box checked, and click Configure to start the synchronization as soon as the configuration completes.

Finalizing the Azure AD Connect configuration
Finalizing the Azure AD Connect configuration

As you can see below, the configuration enables the password writeback feature.

Viewing the configuration status
Viewing the configuration status

9. Lastly, wait for the configuration to finish and click Exit to close Azure AD Connect.

Closing Azure AD Connect
Closing Azure AD Connect

Enabling Password Writeback in Azure Active Directory

You’ve enabled password writeback in Azure AD Connect, but you must also ensure that password writeback is enabled in Azure Active Directory.

Open the Azure Active Directory admin center in your web browser.

Now, enable password writeback with the following:

  • Click Azure Active DirectoryPassword ResetOn-Premises Integration.
  • Enable the Write back passwords to your on-premises directory and Allow users to unlock accounts without resetting their password options.

Note: The Allow users to unlock accounts without resetting their password feature is not mandatory for password writeback to work. This feature is optional and only applicable to give users the option to unlock their accounts without resetting their passwords.

  • Lastly, click on the Save button to save the changes.
Enabling password writeback in Azure AD
Enabling password writeback in Azure AD

Note: As of this writing, there is no dedicated PowerShell cmdlet to enable the password writeback feature in Azure AD.

Testing Password Writeback

After enabling the password writeback feature, you must test the user experience to ensure everything is in good shape.

The Azure AD password writeback feature enables your hybrid users to perform password change and reset actions. Follow the steps in the succeeding sections to test both.

The following sections use a hybrid / on-premises sync-enabled account called [email protected] to log in to Azure AD.

Viewing hybrid user accounts in Azure AD
Viewing hybrid user accounts in Azure AD

Password Change

Performing a password change is for users who know their old passwords and want to change them.

1. Navigate to the My Account page in your web browser.

2. Log in using a non-administrator hybrid user account.

Signing in as a hybrid user
Signing in as a hybrid user

3. On the My Account page, click the CHANGE PASSWORD link to initiate changing the account’s password.

Click the change password link
Click the change password link

4. Now, type your old password in the Old password field and your new password in the Create new password, and Confirm new password fields.

Click on Submit once you’re happy with the new password to change the account’s password.

Creating a new password
Creating a new password

Since Azure AD will write the password back, the new password is subject to the password requirements policy in your on-premises AD.

If the new password is unacceptable, you’ll get the error below.

Getting an error while changing password
Getting an error while changing password

Password Reset

On the other hand, the password reset action does not require your old password. This action is best if you forgot your password or your account is locked.

Note: Resetting a password using the self-service password reset in Azure AD automatically unlocks the user account.

1. Open a web browser and navigate to the self-service password reset page.

2. Enter your username and the captcha code and click Next.

Entering your user account
Entering your user account

3. Select either of the options for getting back to your account:

  • I forgot my password – This option lets you reset your password
  • I know my password, but still can’t sign in – This option unlocks your account instead of resetting your password.

In this example, select the I forgot my password option and click Next to initiate resetting your password.

Initiating password reset
Initiating password reset

4. Now, specify the verification method information. The verification methods are what the users registered when they were first enabled for the self-service password reset.

In this example, the verification method is via text message.

Choose the account verification method
Choose the account verification method

5. Look for the verification code sent to your phone, input the code in the empty field below, and click Next.

If the verification code is valid, your browser redirects to a page where you can set your new password.

Complete the verification challenge
Complete the verification challenge

6. Finally, enter your new password in both fields and click Finish to finalize resetting your password.

Entering your new password
Entering your new password

If the password reset is successful, you’ll get a confirmation message, as shown below.

Confirming the password reset is successful
Confirming the password reset is successful

Like the password change action, resetting the password also adheres to the password policy in your on-premises AD.

Conclusion

Enabling password writeback in a hybrid environment is a significant step toward keeping passwords in sync between your on-premises AD and Azure AD. In this tutorial, you’ve gone through how users can change or reset their password or unlock their account directly in Office 365.

This task may be daunting at first. But, as this tutorial demonstrated, implementing password writeback is not complicated. So long as you meet the requirements, enabling password writeback is a breeze.

Hate ads? Want to support the writer? Get many of our tutorials packaged as an ATA Guidebook.

Explore ATA Guidebooks

Looks like you're offline!