In the previous blog post I showed you how to enable and use the Self Service Password Reset (SSPR) tool, part of Azure AD Premium, so that users can reset their passwords themselves.
In this blog post I’ll discuss the option to implement password writeback, so that passwords changed using the SSPR tool are synchronized back to your on-premises Active Directory.
Office 365 password writeback has the following prerequisites:
- You have Azure Active Directory Premium enabled in your Office 365 tenant.
- You have configured the Self Service Password Reset option in your tenant.
- You have Windows 2008 or higher Domain Controllers in your on-premises Active Directory. For Windows 2008 or Windows 2008 R2 Domain Controllers you also need to have KB2386717 installed.
- You have Azure AD Connect (version 1.0.0419.0911 or higher) in your organization for synchronizing your on-premises Active Directory with Office 365. The original DirSync tool is no longer supported.
Configure Password Writeback
To configure Azure Active Directory password writeback, log on to the server where you have Azure AD Connect installed and start the Azure AD Connect configuration tool. On the initial page, select the second option, Customize Synchronization Options, and click Next.
In the following window, enter the Directory Synchronization service account in Office 365 (like firstname.lastname@example.org) and the Directory Synchronization service account in your on-premises Active Directory (like email@example.com). Click Next (twice).
The wizard will read the configuration from the local store, so Domain and OU filtering should be as originally configured, something like the following figure:
In the following window you’ll see all available options. Earlier I had configured Exchange Hybrid deployment and Password hash synchronization, so this matches my deployment. Check the Password writeback option and click Next to continue.
At the Ready to configure page, leave the Start the synchronization process as soon as the configuration completes option checked and click Install to reconfigure the Azure AD Connect configuration.
When the configuration is complete a summary is shown.
Click Exit to exit the wizard, or click on the respective Learn more option to get more information about these topics from the Microsoft website.
You can check the event log for a successful change: look for Event ID 31005 to make sure it shows that onboarding completed.
Note. The Azure AD Connect server must be able to connect to Azure Active Directory; this connection takes place over port 443 (the standard HTTPS port).
The last step is to assign the appropriate permissions to the user account that the Azure AD Connect service uses to access the on-premises Active Directory. That’s the firstname.lastname@example.org account I mentioned earlier in this article.
This account should have the following permissions:
- Reset Password.
- Change Password.
- Write Permissions on lockoutTime property.
- Write Permissions on pwdLastSet property.
If you omit this step, password writeback will appear to run correctly, but when users try to reset their password the actual writeback will fail.
To assign these permissions, open Active Directory Users and Computers (don’t forget to enable the Advanced Features option under View), open the Properties of the domain, select the Security tab and click Advanced.
On the Permissions tab click Add, select the service account that Azure AD Connect is using and check the Change password and Reset password checkboxes.
Scroll down and check the Write lockout time checkbox:
Scroll down even further and check the Write pwdLastSet checkbox. When done, click OK, click Apply, click Yes in the Permissions warning dialog and click OK twice to close the permissions window.
Your password writeback configuration should now be correctly stored.
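The same four permissions can be granted and verified from PowerShell instead of clicking through the ACL editor. This is an added example, not code from the original post or from Azure AD Connect; it assumes the ActiveDirectory module, a domain admin session, and that `CONTOSO\svc_aadconnect` is replaced with your own connector account.

```powershell
# Added example (not from the original post): grant the AD DS connector account
# that Azure AD Connect uses the four permissions password writeback needs
# (Reset Password, Change Password, write lockoutTime, write pwdLastSet) on
# user objects below the domain, then list what was granted for verification.
Import-Module ActiveDirectory

$ServiceAccount = 'CONTOSO\svc_aadconnect'          # assumed name, replace with yours
$rootDse        = Get-ADRootDSE
$TargetDN       = (Get-ADDomain).DistinguishedName  # or an OU DN to scope it narrower

function Get-SchemaGuid([string]$LdapDisplayName) {
    # schemaIDGUID is stored as a byte array; cast it to a GUID
    $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    return [guid]$obj.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    # control access rights such as Reset Password live in the Extended-Rights container
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    return [guid]$obj.rightsGuid
}

$sam       = $ServiceAccount.Split('\')[1]
$sid       = (Get-ADUser -Identity $sam).SID
$userGuid  = Get-SchemaGuid 'user'      # limit the ACEs to user objects only
$allow     = [System.Security.AccessControl.AccessControlType]::Allow
$inherit   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$extRight  = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

$acl = Get-Acl -Path "AD:\$TargetDN"
foreach ($right in 'Reset Password', 'Change Password') {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
        $sid, $extRight, $allow, (Get-ExtendedRightGuid $right), $inherit, $userGuid))
}
foreach ($attr in 'lockoutTime', 'pwdLastSet') {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
        $sid, $writeProp, $allow, (Get-SchemaGuid $attr), $inherit, $userGuid))
}
Set-Acl -Path "AD:\$TargetDN" -AclObject $acl

# Verify: show only the ACEs on the target that apply to the service account
(Get-Acl -Path "AD:\$TargetDN").Access |
    Where-Object { $_.IdentityReference.Value -eq $ServiceAccount } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

The verification output should show two ExtendedRight and two WriteProperty entries, each with InheritedObjectType equal to the user class GUID; if the entries are missing, writeback will fail at reset time exactly as described above.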
Testing Password writeback
To change your password, and thus write it back to the on-premises Active Directory, navigate to the following URL: https://passwordreset.microsoftonline.com. The process is identical to resetting the password using the Self Service Password Reset (SSPR) tool as discussed in the previous blog post.
So, get back into your account and enter the captcha code:
Select which option you prefer (text message, call to phone or message to alternate email address) and enter the validation code. Once validated you can enter a new password.
Click Finish and close the browser.
When you check the event log on the Azure AD Connect server you should see an event with ID 31002, showing a successful password change:
Now you can log on to Exchange Online using your new password, and you’ll find a message that your password has been changed.
In this blog post I’ve shown you how to implement password writeback when using Azure Active Directory Premium. It is not a lot of work; most of the work is in the SSPR tool preparations, which were explained in the previous blog post.
The only things you have to be aware of are that you need Azure AD Premium, Azure AD Connect for directory synchronization, and a service account with sufficient permissions to write back the passwords.
More information regarding passwords, password writeback and Azure AD Connect can be found at the following locations:
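Both event log checks in this post (Event ID 31005 after onboarding and 31002 after a successful reset) can be done with one query run on the Azure AD Connect server. This is an added example, not code from the original post; the provider name `PasswordResetService` is an assumption about the event source, and the Error-level query is there to surface the permission failures mentioned earlier.

```powershell
# Added example (not from the original post): pull the writeback events this
# post refers to, 31005 (onboarding completed) and 31002 (password change
# written back), plus any Error-level events from the same source, from the
# Application log of the Azure AD Connect server for the last 24 hours.
$Provider = 'PasswordResetService'   # assumed event source for writeback events
$Since    = (Get-Date).AddDays(-1)

function Get-WritebackEvents {
    param([int[]]$Id, [int]$Level)
    $filter = @{ LogName = 'Application'; ProviderName = $Provider; StartTime = $Since }
    if ($Id)    { $filter.Id    = $Id }      # restrict to specific event IDs
    if ($Level) { $filter.Level = $Level }   # 2 = Error, 3 = Warning, 4 = Information
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

"Onboarding and successful writeback events:"
Get-WritebackEvents -Id 31005, 31002 | Format-Table -AutoSize

"Errors from the writeback service (expect none after a successful reset):"
Get-WritebackEvents -Level 2 | Format-Table -AutoSize
```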
- Azure AD Connect sync: Attributes synchronized to Azure Active Directory – https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnectsync-attributes-synchronized/
- Getting started with Password Management – https://azure.microsoft.com/en-us/documentation/articles/active-directory-passwords-getting-started/
- Next steps and how to manage Azure AD Connect – https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect-whats-next/
- Connect domain-joined devices to Azure AD for Windows 10 experiences – https://azure.microsoft.com/en-us/documentation/articles/active-directory-azureadjoin-devices-group-policy/
Fellow MVP Brian Reid:
- Configuring Writeback Permissions in Active Directory for Azure Active Directory Sync – http://c7solutions.com/2015/07/configuring-writeback-permissions-in-active-directory-for-azure-active-directory-sync
Fellow MVP Michael van Horenbeeck:
- A Closer Look at Azure AD Connect – Part 1 – http://blog.enowsoftware.com/solutions-engine/a-closer-look-at-azure-ad-connect-–-part-1
- A Closer Look at Azure AD Connect – Part 2 – http://blog.enowsoftware.com/solutions-engine/a-closer-look-at-azure-ad-connect-–-part-2
- A Closer Look at Azure AD Connect – Part 3 – http://blog.enowsoftware.com/solutions-engine/a-closer-look-at-azure-ad-connect-–-part-3
- A Closer Look at Azure AD Connect – Part 4 – http://blog.enowsoftware.com/solutions-engine/a-closer-look-at-azure-ad-connect-–-part-4
- A Closer Look at Azure AD Connect – Part 5 – http://blog.enowsoftware.com/solutions-engine/a-closer-look-at-azure-ad-connect-–-part-5