Configure Password Writeback in Azure AD
In this post I will show you how to enable and configure password writeback in your Azure AD hybrid environment. By enabling password writeback feature you can synchronize password changes in Azure Active Directory back to your on-premises Active Directory environment.
To enable password writeback feature, we use Azure AD Connect tool to that provides secure mechanism to send password changes back to an existing on-premises directory from Azure AD. To know how the password writeback feature works, read this article.
Most of all ensure you always have the latest version of Azure AD Connect running. That’s an important point because the password writeback feature will stop working for Azure AD Connect versions 1.0.8641.0 and older than that.
So what happens when a user resets the password and what about password complexity ?. When a user resets the password, it is checked to ensure it meets your on-premises Active Directory policy before committing it to that directory. That includes the complexity, age, password filters that has been defined in local Active Directory.
If you haven’t enabled password writeback in Azure AD, you will see something similar shown in the below screenshot. When you click password reset – On-premises integration, it shows On-premises integration has not been enabled yet.
Table of Contents
- Azure AD Password Writeback Prerequisites
- Configure Password Writeback in Azure AD
- Enable password writeback option in SSPR
Azure AD Password Writeback Prerequisites
To use password writeback, you must have one of the following licenses assigned on your tenant.
- Azure AD Premium P1
- Azure AD Premium P2
- Enterprise Mobility + Security E3 or A3
- Enterprise Mobility + Security E5 or A5
- Microsoft 365 E3 or A3, Microsoft 365 E5 or A5, Microsoft 365 F1
- Microsoft 365 Business
Configure Password Writeback in Azure AD
First of all to configure password writeback, sign in to your Azure AD Connect server. Start the Azure AD Connect configuration wizard. On the Welcome page, select Configure.
Next on the Additional tasks page, select Customize synchronization options.
- On the Connect to Azure AD page, enter a global administrator credential, and then select Next.
- Click Next on the Connect directories and Domain/OU filtering pages.
- On the Optional features page, enable Password writeback and select Next.
Click Configure.
The Configuration is complete. You also see the message Azure AD connect configuration succeeded. The synchronization process has been initiated.
In the above steps you enabled the password writeback in Azure AD. In the next step we will enable password writeback option in SSPR.
Enable password writeback option in SSPR
- Open the Azure portal and sign in with a Global Administrator account.
- Go to Azure Active Directory and click on Password Reset.
- From the left pane, select On-premises integration.
- Set the option for Write back passwords to your on-premises directory to Yes.
- You can also set Allow users to unlock accounts without resetting their password to Yes.
- Finally click Save.
