
Enable Azure AD Password Writeback: Step-by-step guide

Self-service password reset and password writeback : Simplified

Self-service password reset (SSPR) in Azure Active Directory (Azure AD), now known as Microsoft Entra ID, lets users reset or change their passwords in the cloud. With the password writeback feature, a password updated in the cloud is also written back to the organization's on-premises Active Directory (AD).

Why enable password writeback?

Users have one less password to remember and are therefore less likely to forget it. The synchronization is a zero-delay process that occurs in real time, uses little bandwidth, and does not require any inbound firewall rules. The new password is checked against the Active Directory Domain Services (AD DS) password policies and, if it does not comply, the user is notified immediately. With its four-tiered security model and robust encryption protocols, it stands as a highly reliable and secure service. Read on to learn how to enable the password writeback feature in Azure AD Connect, step by step:

Configure account permissions for Azure AD Connect

  1. Log in to “Active Directory Users and Computers” with the Domain Administrator account credentials.

  2. Click “View” at the top and select “Advanced features” on the drop-down that appears.

  3. On the left panel, right-click on the root domain object and select “Properties”.

  4. Go to “Security” on the Properties window and click on “Advanced” in the bottom.

  5. In the Advanced Security settings window that opens, select “Permissions” > “Add”.

  6. Click on the Select a Principal option and select the domain account utilized for Azure AD Connect. The permissions will be applied to this account.

  7. In the “Applies to” drop-down, scroll down and select “Descendant User objects”.

  8. Under the Permissions section, check the box next to “Reset password”.

  9. Under the Properties section below Permissions, check the boxes next to “Write lockoutTime” and “Write pwdLastSet”.

  10. Click “OK” or “Apply” option, whichever is available in the window.

Allow 60 minutes or more for the updated permissions to be applied to all the objects in the directory.
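The permission changes from steps 3 to 9 can also be applied and audited from PowerShell. The script below is an added example, not code from the article or from Microsoft; it assumes the RSAT ActiveDirectory module, a Domain Administrator session on a domain-joined machine, and that $ConnectorSam (a placeholder) is the sAMAccountName of the AD DS account Azure AD Connect uses.

```powershell
# Added example (not from the original article): grant the Azure AD Connect
# connector account Reset password, Write lockoutTime and Write pwdLastSet on
# all descendant user objects (steps 6 to 9). Assumes the RSAT ActiveDirectory
# module and a Domain Administrator session; $ConnectorSam is a placeholder.
Import-Module ActiveDirectory
$ConnectorSam = 'MSOL_placeholder'   # placeholder: sAMAccountName of the connector account
$Domain   = Get-ADDomain
$RootDse  = Get-ADRootDSE
$Identity = New-Object System.Security.Principal.NTAccount($Domain.NetBIOSName, $ConnectorSam)

# Resolve GUIDs from the schema and Extended-Rights container rather than hard-coding them.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $RootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$($RootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$obj.rightsGuid
}

$userClass   = Get-SchemaGuid 'user'          # "Descendant User objects" (step 7)
$lockoutTime = Get-SchemaGuid 'lockoutTime'
$pwdLastSet  = Get-SchemaGuid 'pwdLastSet'
$resetPwd    = Get-ExtendedRightGuid 'Reset Password'

$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$ext     = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$write   = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$aces = @(
    # Step 8: "Reset password" extended right
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Identity, $ext, $allow, $resetPwd, $inherit, $userClass)
    # Step 9: "Write lockoutTime" and "Write pwdLastSet"
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Identity, $write, $allow, $lockoutTime, $inherit, $userClass)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Identity, $write, $allow, $pwdLastSet, $inherit, $userClass)
)

# Apply the ACEs to the domain root (step 3) so they inherit to every user object.
$path = "AD:\$($Domain.DistinguishedName)"
$acl  = Get-Acl -Path $path
foreach ($ace in $aces) { $acl.AddAccessRule($ace) }
Set-Acl -Path $path -AclObject $acl

# Verify: show exactly which rights the connector account now holds on the domain root.
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference.Value -eq "$($Domain.NetBIOSName)\$ConnectorSam" } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType
```

Microsoft also ships Set-ADSyncPasswordWritebackPermissions in the AdSyncConfig module installed with Azure AD Connect, which grants the same rights; the verification query at the end is useful on its own for auditing what a connector account has actually been granted.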

Configure Azure AD Connect to enable password writeback

  1. Sign in to your Azure AD Connect server and open the Azure AD Connect configuration wizard.

  2. On the Welcome page, select “Configure”.

  3. In the Additional tasks panel that opens, select “Customize synchronization options” > “Next”.

  4. In the Connect Azure AD section that opens, enter the global administrator account credentials in the password field and click “Next”.

  5. It may take a few seconds for the synchronization to occur. When the Connect directories panel opens, click “Next”.

  6. When the Domain/OU filtering panel appears, click “Next”.

  7. In the Optional features section, check the box next to “Password writeback” and click “Next”.

  8. In the Ready to configure section that opens, select “Configure”. The process takes a while to complete.

  9. After process completion, click “Exit”.

Implement password writeback for self-service password reset

  1. Sign in to the Azure portal using the Global Administrator account.

  2. Go to “Azure Active Directory”.

  3. On the left pane, go to “Password reset” > “On-premises integration”.

  4. Check the box next to “Enable password write back for synced users”.

  5. Check the box next to “Allow users to unlock accounts without resetting their password?”

  6. Select “Azure AD self-service password reset for password writeback” and click “Save”.

Conditions limiting password writeback in SSPR

Passwords that do not comply with the on-premises AD DS password policies, which cover complexity, history and other restrictions, are not written back. Passwords are never written back during unsupported end-user operations, such as a user resetting their password with PowerShell version 1, version 2, or the Microsoft Graph API. Likewise, passwords are not written back during unsupported admin operations, where an administrator resets an end user's password with PowerShell version 1, version 2, the Microsoft Graph API, or the Microsoft 365 admin center. Administrators cannot use password writeback to reset their own password.

A further limitation is that while password changes made in the cloud are written back to on-premises AD, the feature does not work in the other direction. However, you can deploy a one-stop solution that synchronizes your AD domain passwords, as well as password changes, not just to your AD account but across your accounts in Microsoft 365 and applications such as Salesforce, AD Lightweight Directory Services and Google Workspace.
