Recently I was working with a customer who wanted to move from Exchange 2010 on-premises to Exchange Online. This customer had a lot of Mac clients (both internally and externally). Since Mac clients are not members of the Active Directory domain, I asked how these users changed their domain password. "Using OWA" was the answer, which makes sense.
This poses a problem in Office 365, since the change password feature is not available in Exchange Online (nor in Exchange 2013/2016 on-premises BTW). I have to admit, you can change a password in the Microsoft Online Portal, but this only works when using Cloud Identities, and not when you're synchronizing user accounts with their passwords from an on-premises Active Directory.
One nice feature in Office 365, or more specifically in Azure Active Directory, is the option to implement password writeback. This way users can change their password in Office 365, and the new password will be synchronized to your on-premises Active Directory. This is not only very interesting for customers using Mac clients, but also for customers that have (a lot of) users working remotely, without direct access to on-premises Active Directory.
Activating password writeback consists of two steps:
- Implementing self-service password reset in Office 365.
- Implementing password writeback.
To enable the self-service password reset functionality you need an Azure AD Basic or Azure AD Premium subscription. An overview of Azure AD options is available on the Azure Active Directory Pricing page.
Upgrade to Azure AD Premium
If you have a free edition of Azure Active Directory (the default with every Office 365 tenant) you have to upgrade to at least Azure AD Basic. To upgrade, you need to have an Azure subscription. Create the Azure subscription using your Office 365 tenant administrator account to make sure the default Azure AD in your Azure subscription matches your Office 365 tenant. I've blogged about this before in the Manage Azure Active Directory in the Azure Portal blogpost.
Once logged on in the (new) Azure Portal, use the browse option to navigate to Active Directory as shown in the following screenshot:
When selecting Active Directory you are magically redirected to the old Azure Portal, as can be seen in the following screenshot:
In the directory section of the portal, click Try Azure Active Directory Premium now (trial is valid for 30 days) and wait for Azure AD Premium to be activated:
Wait a minute or two and click the Click here to refresh option.
The next step is to assign users to Azure Active Directory premium. In the trial, you can assign 100 users to Azure AD Premium. In a production environment you have to pay per user, so be careful when assigning licenses.
In the Azure management portal, click Azure Active Directory Premium and click Assign users.
In the people picker, select All Users in the Show dropdown box to show all users in your default Azure Active Directory:
Select a user you want to add to Azure AD Premium (and thus give the user the option for Self Service Password Reset and password writeback) and click Assign. After a few moments the selected users will be assigned to Azure AD Premium, as shown in the following figure:
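The same selective assignment can be scripted instead of clicking through the portal, which makes it easier to stay within the 100 trial seats and to license only the users who need it. The following is an added example, not code from the original post; it assumes the MSOnline PowerShell module is installed, that the Premium SKU in the tenant carries the part number AAD_PREMIUM, and that the user principal names and usage location are placeholders you replace with your own.

```powershell
# Added example: assign the Azure AD Premium licence to a chosen set of users
# with the MSOnline module, checking the free seat count first.
Import-Module MSOnline
Connect-MsolService   # prompts for a tenant (Global Admin) credential

# Users to enable for SSPR / password writeback (constructed sample UPNs)
$targetUsers = @(
    'jane.doe@contoso.example',
    'john.doe@contoso.example'
)
$usageLocation = 'NL'   # assumption: adjust to your users' country code

# Locate the Azure AD Premium SKU and work out how many seats are still free
$sku = Get-MsolAccountSku | Where-Object { $_.SkuPartNumber -eq 'AAD_PREMIUM' }
if (-not $sku) { throw 'No Azure AD Premium SKU found in this tenant.' }
$freeSeats = $sku.ActiveUnits - $sku.ConsumedUnits
Write-Host ("{0}: {1} of {2} seats in use, {3} free" -f `
    $sku.AccountSkuId, $sku.ConsumedUnits, $sku.ActiveUnits, $freeSeats)

# Refuse to start if the batch would exceed the remaining seats
if ($targetUsers.Count -gt $freeSeats) {
    throw "Need $($targetUsers.Count) seats but only $freeSeats are free."
}

foreach ($upn in $targetUsers) {
    $user = Get-MsolUser -UserPrincipalName $upn -ErrorAction Stop

    # Skip users that already hold the licence so the script can be re-run safely
    if ($user.Licenses.AccountSkuId -contains $sku.AccountSkuId) {
        Write-Host "$upn already licensed, skipping"
        continue
    }

    # A usage location must be set before any licence can be assigned
    if (-not $user.UsageLocation) {
        Set-MsolUser -UserPrincipalName $upn -UsageLocation $usageLocation
    }

    Set-MsolUserLicense -UserPrincipalName $upn -AddLicenses $sku.AccountSkuId
    Write-Host "Assigned $($sku.AccountSkuId) to $upn"
}
```

Run Get-MsolAccountSku again afterwards to confirm ConsumedUnits matches the number of users you intended to license.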
In this blogpost I discussed the prerequisites for Office 365 password writeback, namely enabling Azure Active Directory Premium. In a trial environment you have Azure AD Premium for 100 seats, but after the trial you have to pay on a per-user basis, so you might want to be selective in enabling certain features.
In the next blog post I'll discuss how to set up Self Service Password Reset (SSPR).