How to Enable Password Writeback on Azure AD Connect. Do you manage a hybrid on-premises and Azure AD and wish to enable password reset writeback from Azure AD to the on-prem environment? This article is about how to Enable Password Writeback on Azure AD Connect (self service password reset SSPR).
Primarily, SSPR enables users to unlock their accounts or reset their passwords via a browser. However, allowing users to perform these tasks in Azure AD causes passwords to be different between the on-prem and Azure AD directories.
All in all, this is where password writeback comes in. Enabling the synchronization of password changes in Azure Active Directory (Azure AD) back to your on-premises Active Directory environment. Azure AD Connect allows you to securely synchronize passwords changed on Azure AD back to on premises AD.
In order to successfully enable password writeback, your Azure and on-prem AD must meet specific requirements. Let’s start with discussing the requirements.
Requirements to Enable Password Writeback on Azure AD Connect
1. Azure AD Tenant Licensing Prerequisites
Importantly, you must have a working Azure Active Directory tenant with either a Microsoft 365 Business Premium or Azure AD Premium P1 or P2 license. Review the licensing requirements for Azure AD self-service password reset (SSPR).
Please confirm your current license from Microsoft 365 admin center, Azure AD portal, or using PowerShell.
To view the license on your Microsoft 365 admin center, sign in to admin.microsoft.com. Then, click the menu icon (three horizontal lines on the top left).
Next, navigate to Billing => Licenses.
Basically, the Microsoft admin center displays all licenses (assigned and available) on your Office 365 tenant. The screenshot below shows I have the Microsoft 365 Business Basic and Microsoft 365 Business Standard licenses.
With my current licenses, I cannot configure password writeback. So, I must upgrade my licenses to configure this feature on my Office 365 tenant.
So, if your current license is lower than Microsoft 365 Business Premium, you must upgrade to this license before you proceed.
Earlier, I mentioned that you could also view licenses from the Azure portal. If you prefer working with the Azure portal, sign in to portal.azure.com.
Then, click Azure Active Directory => Billing => Licenses => All Products.
Finally, for this Azure AD tenant prerequisites subsection, if you prefer working with PowerShell, open PowerShell as administrator.
Then, run the following commands to display licenses available in your Azure or Office 365 tenant.
Install-Module MSOnline
Connect-MsolService
Get-MsolAccountSku
Well, the second command prompts you for a username and password. Enter your Office 365 or Azure portal account.
2. Account Permissions and GPO Requirements for Azure AD Password Writeback
Well, this article assumes that you have installed and setup Azure AD Connect. When you setup Azure AD connect, you specified an account that manages the synchronization between the on-prem and Azure AD environments.
This account must meet the requirements listed below:
- It must have the Write permissions on pwdLastSet and lockoutTime.
- Additionally, the account must have the Reset password permission.
- Finally, the account must have the extended Unexpired Password rights on the root domain of your forest.
Finally, for Azure AD Connect password writeback to work efficiently, you must set the Minimum password age to 0 in the group policy.
Next section walks you through the steps to configure these permissions.
Also Read
3. Configure the Azure AD Self-service Password Reset (SSPR)
Remember, this is an essential requirement for enabling Azure AD password writeback. The next section also show you how to complete this task.
4. On-premises AD Environment Prerequisites
Furthermore, the last requirement for configuring password writeback is having an existing on-premises Active Directory with the current version of Azure AD Connect installed and configured. If you need help installing and configuring Azure AD Connect, read our How to Install and Setup Azure AD Connect (Step by Step) guide.
Steps to Enable Password Writeback on Azure AD Connect
Having reviewed and ensured that your environments meet the prerequisites for configuring Azure AD password writeback, follow the steps below to enable the feature in your Azure AD environment.
Try our Active Directory & Office 365 Reporting & Auditing Tools
Try us out for Free. 100’s of report templates available. Easily customise your own reports on AD, Azure AD & Office 355.
1. Configure Required Permission for the Azure AD Connect Account
Earlier, I outlined the permissions that the Azure AD Connect account must have for password writeback to work. To configure these permissions, follow the steps below.
1. In case you have forgotten the account you used to set up Azure AD Connect, sign in to the on-prem Domain Controller you installed AD Connect, and open the application.
On the first page of Azure AD Connect, click Configure. Then, select View or export current configuration and click Next.
The Review Your Solutions page displays the account in the ACCOUNT section. The page displays the name of the account you require after the backslash (\) of your AD domain name.
I have highlighted mine – MSOL_817b9d8947c2 – in the screenshot below. Note this account name and proceed with configuring the account permissions below.
Before you proceed, remember to click the Exit to close Azure AD Connect.
4. Next, right click the root of your AD domain and select Properties. Then, click the Security tab on your AD domain’s Properties sheet.
If you did not enable Advanced Features in step 3 above, the Security tab would NOT be available.
Follow the Next Steps below
5. On the Security tab of your AD Properties, click Advanced.
6. On the Permissions tab of the Advanced Security Settings page for your AD domain, click the Add button on the bottom left.
7. Select the Azure AD Connect account to assign the necessary permission by clicking “Select a Principal.”
8. Then, enter the account you noted in step 1 above and click the Check Names button. To confirm that the account name has been resolved (is available in AD), the account name is underlined.
To proceed, click OK.
9. Before configuring the permissions (step 10), confirm that the account is now displayed as the Principal. Then, in the Applies to drop-down list, select Descendant User objects.
10. Under Permissions, select the checkbox for Reset password.
11. Under Properties, select the checkboxes for Write lockoutTime and Write pwdLastSet. The Properties section has two columns.
The Write lockoutTime property is on the left column, while Write pwdLastSet is on the second column. I am not showing these properties in my screenshot below due to the number of properties in the list.
Note that the Properties section has a long list of items. So, you need to scroll down to find the above properties. Moreover, the properties may already be checked.
When you finish, click the OK.
13. While still on the Advanced Security Settings page for your AD domain, click the Add button on the bottom left.
14. Then, click Select a Principal on the Permission Entry for your domain name. Finally, follow the screenshots below to enter and select the Azure AD Connect account.
15. Once selected the Azure AD Connect account as your Principal, select This object and all descendant objects in the Applies to drop-down list.
16. Finally, under Permissions, select the box for Unexpire Password. After making your selection, click OK and Apply.
2. Update the Password Policies in the On-premises AD
The password policy in your on-premises AD may prevent Azure AD Connect from correctly writing back passwords to on-prem AD. To stop this from happening and allow password writeback to process accurately, you will need to modify the group policy for Minimum password age.
Specifically, you need to set the Minimum password age to 0. To set the Minimum password age policy in the GPO that applies to the domain, follow the steps below:
1. Open the Group Policy Management console by searching gpmc or opening it from Server Manager.
2. When GPMC opens, expand your AD domain. Then, right-click the GPO that applies to the domain and select Edit.
3. On the GPO edit window, navigate to the following section. Then, on the details pane, double-click Minimum password age.
Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy
4. Finally, when the Minimum password age policy opens for editing, modify the “Password can be changed after” to zero (0).
Setting this policy to zero means Azure AD Connect can change users’ passwords immediately via password writeback.
After setting the above value, click OK.
5. If you wish to force the policy to update immediately, open the command prompt and run the command below.
gpupdate /force
3. Enable Password Writeback in Azure AD Connect
Having configured all the required prerequisites, now enable password writeback in Azure AD Connect.
1. Log in to the AD you installed Azure AD Connect and open the application. Then, on the welcome page, click Configure.
2. Next, select “Customize Synchronization options” and click Next.
3. On the Connect to Azure AD page, the Azure username you used to set up AD Connect will be in the USERNAME field.
Enter the account’s password, click Next, and wait for Azure AD Connect to sign in to your Azure AD tenant.
Once the sign in is successful, click Next twice until you reach the Optional Features section of the Microsoft Azure Active Directory Connect wizard.
4. Check the Password Writeback checkbox in the Optional Features section and click Next.
5. Wait for the wizard to display the Ready to Configure screen, then click Configure and wait for the application to enable Password writeback.
6. Finally, click Exit on the “Configuration complete” page.
4. Enable Password Writeback for Self-service Password Reset (SSPR )
The final step to enabling password writeback is configuring SSPR in the Azure portal. Here are the steps.
1. Open portal.azure.com and sign in if you were not previously signed in on the browser. Then, click the menu on the top left and select Azure Active Directory.
2. On the Azure Active Directory sub-menu, scroll down to locate and click Password reset. Then, click On-premises integration.
If the user account signed in to the Azure portal is not assigned a minimum of a “Microsoft 365 Business Premium” license, you’ll receive an insufficient permission error.
3. Finally, on the On-premises integration page, check the Enable password writeback for synched users and Allow users to unlock accounts without resetting their password checkboxes – then click the Save button.
How to Enable Password Writeback on Azure AD Connect Conclusion
If you manage on-prem and Azure AD environments, enabling Azure Active Directory self-service password reset (SSPR) allows your users to reset their passwords via a browser. Unfortunately, this creates a problem where a user’s Azure AD password differs from the on-prem AD password.
Fortunately, enabling password writeback from Azure AD to on-premisses AD ensures that the change synchs back to the on-prem AD directory when users reset their password.
Try InfraSOS for FREE
Invite your team and explore InfraSOS features for free
- Free 15-Days Trial
- SaaS Reporting & Auditing Solution
- Full Access to All Features
