Office 365 Password writeback

In the previous blog post I showed you how to enable and use the Self Service Password Reset (SSPR) tool, part of Azure AD Premium, so that users can reset their own passwords.

In this blog post I'll discuss password writeback, the option that takes a password reset through the SSPR tool and writes the new password back to your on-premises Active Directory.

Office 365 password writeback has the following prerequisites:

  • Azure Active Directory Premium is enabled in your Office 365 tenant.
  • Self Service Password Reset has been configured in your tenant.
  • Your on-premises domain controllers run Windows Server 2008 or later. Windows Server 2008 and 2008 R2 domain controllers also need hotfix KB2386717 installed.
  • Azure AD Connect (version 1.0.0419.0911 or later) synchronizes your on-premises Active Directory with Office 365. The original DirSync tool is no longer supported.
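The on-premises items in this list can be checked from PowerShell. The script below is an added example, not part of the original post: it inspects every domain controller for a supported operating system, checks the 2008/2008 R2 ones for KB2386717, and reads the installed Azure AD Connect build from the registry. It assumes you run it on the Azure AD Connect server with the ActiveDirectory module available and WMI access to the domain controllers (needed by Get-HotFix), and that the installer wrote the usual Uninstall registry entry; the function names are my own.

```powershell
# Added example (not from the original post): prerequisite check for password writeback.
# Assumptions: ActiveDirectory module present, WMI access to each DC for Get-HotFix,
# Azure AD Connect registered under the standard Uninstall key as "Microsoft Azure AD Connect".
Import-Module ActiveDirectory

$MinimumAadConnect = [Version]'1.0.0419.0911'   # minimum build named in the post
$RequiredHotfix    = 'KB2386717'                # required on 2008 / 2008 R2 DCs

function Test-WritebackDomainControllers {
    foreach ($dc in Get-ADDomainController -Filter *) {
        # OperatingSystemVersion looks like "6.1 (7601)"; the first token is the version
        $osVersion   = [Version]($dc.OperatingSystemVersion.Split(' ')[0])
        $supported   = $osVersion -ge [Version]'6.0'    # 6.0 = Windows Server 2008
        $needsHotfix = $supported -and ($osVersion -lt [Version]'6.2')  # 2008 and 2008 R2 only

        $hotfixStatus = 'n/a'
        if ($needsHotfix) {
            $hotfixStatus = [bool](Get-HotFix -Id $RequiredHotfix -ComputerName $dc.HostName -ErrorAction SilentlyContinue)
        }

        [PSCustomObject]@{
            DomainController = $dc.HostName
            OperatingSystem  = $dc.OperatingSystem
            Supported        = $supported
            KB2386717        = $hotfixStatus
        }
    }
}

function Get-AadConnectVersion {
    # Azure AD Connect is 64-bit, but check both hives so the lookup also works in odd setups
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $app = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
           Where-Object { $_.DisplayName -like 'Microsoft Azure AD Connect*' } |
           Select-Object -First 1
    if ($app) { [Version]$app.DisplayVersion } else { $null }
}

# Run the checks and report
Test-WritebackDomainControllers | Format-Table -AutoSize

$installed = Get-AadConnectVersion
if (-not $installed) {
    Write-Warning 'Azure AD Connect not found in the Uninstall registry key on this server.'
} elseif ($installed -lt $MinimumAadConnect) {
    Write-Warning "Azure AD Connect $installed is older than the required $MinimumAadConnect."
} else {
    "Azure AD Connect $installed meets the minimum version $MinimumAadConnect."
}
```

Azure AD Premium and the SSPR configuration live in the tenant, not on-premises, so those two items are still checked in the Azure AD portal as described in the previous post.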

Configure Password Writeback

To configure Azure Active Directory password writeback, log on to the server where Azure AD Connect is installed and start the Azure AD Connect configuration wizard. On the opening page, select the second option, Customize synchronization options, and click Next.


In the next window, enter the credentials of the directory synchronization account in Office 365 (for example sa_dirsync@contoso.onmicrosoft.com) and then those of the directory synchronization account in your on-premises Active Directory (for example sa_dirsync_local@contoso.com). Click Next twice.

The wizard reads the existing configuration from the local store, so domain and OU filtering should still appear exactly as you originally configured them.


The next window lists all available optional features. I had earlier configured Exchange hybrid deployment and Password hash synchronization, so those match my deployment. Check the Password writeback option and click Next to continue.


On the Ready to configure page, leave Start the synchronization process as soon as the configuration completes checked and click Install to apply the new Azure AD Connect configuration.


When the configuration is complete a summary is shown.


Click Exit to close the wizard, or click the respective Learn more link to read more about these topics on the Microsoft website.

You can confirm the change in the event log on the Azure AD Connect server: look for event ID 31005, which should show that onboarding completed.


Note: the Azure AD Connect server obviously needs to be able to reach Azure Active Directory; this is an outbound connection over TCP port 443 (the standard HTTPS port), so make sure any firewall or proxy in between allows it.

The last step is to grant the appropriate permissions to the account the Azure AD Connect service uses to access the on-premises Active Directory. That is the sa_dirsync_local@contoso.com account mentioned earlier in this article.

This account should have the following permissions:

  • Reset Password (extended right).
  • Change Password (extended right).
  • Write permission on the lockoutTime attribute.
  • Write permission on the pwdLastSet attribute.

If you skip this step, the wizard still reports success and password writeback appears to be working, but the actual writeback fails as soon as a user tries to reset a password.

To assign these permissions, open Active Directory Users and Computers (with View > Advanced Features enabled), open the properties of the domain object (or of the OU that holds the synchronized users, so that the entries are inherited by every user object below it), select the Security tab and click Advanced.


On the Permissions tab click Add, select the service account that Azure AD Connect uses, set Applies to to Descendant User objects and check the Change password and Reset password checkboxes.


Scroll down and check the Write lockout time checkbox:


Scroll down further and check the Write pwdLastSet checkbox. Click OK, then Apply, click Yes in the permissions warning dialog and click OK twice to close the remaining dialogs.
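The same four permissions can be granted, and verified, from PowerShell, which is easier to repeat and to audit than clicking through the dialogs. The script below is an added example rather than code from the original post. It assumes the service account is CONTOSO\sa_dirsync_local, that you run it as a Domain Admin with the ActiveDirectory module loaded, and that the rights are applied at the domain root, inherited to descendant user objects only; the schema GUIDs it uses are the well-known, forest-independent ones for the user class, the two extended rights and the two attributes.

```powershell
# Added example (not from the original post): grant the Azure AD Connect AD DS account
# the four rights listed above at the domain root, inherited to descendant user objects,
# then read the ACL back to confirm. Assumptions: account CONTOSO\sa_dirsync_local,
# run as Domain Admin with the ActiveDirectory module (provides the AD: drive).
Import-Module ActiveDirectory

$AccountName = 'CONTOSO\sa_dirsync_local'            # assumed service account
$DomainDN    = (Get-ADDomain).DistinguishedName      # current domain; use -Identity for another one
$AclPath     = "AD:\$DomainDN"

# Well-known schema GUIDs, identical in every Active Directory forest
$UserClassGuid       = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # user object class
$ResetPasswordRight  = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" extended right
$ChangePasswordRight = [Guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'  # "Change Password" extended right
$LockoutTimeAttr     = [Guid]'28630ebf-41d5-11d1-a9c1-0000f80367c1'  # lockoutTime attribute
$PwdLastSetAttr      = [Guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # pwdLastSet attribute

$ExtendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$WriteProperty = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$Allow         = [System.Security.AccessControl.AccessControlType]::Allow
# Descendents + inherited object type = user: the ACE applies to user objects below the
# domain root only, not to computers, groups or the domain object itself.
$Inherit       = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

$Sid = (New-Object System.Security.Principal.NTAccount($AccountName)).Translate(
           [System.Security.Principal.SecurityIdentifier])

# One entry per permission the post lists: (right, object GUID the right refers to)
$Rules = @(
    @{ Rights = $ExtendedRight; ObjectType = $ResetPasswordRight  },
    @{ Rights = $ExtendedRight; ObjectType = $ChangePasswordRight },
    @{ Rights = $WriteProperty; ObjectType = $LockoutTimeAttr     },
    @{ Rights = $WriteProperty; ObjectType = $PwdLastSetAttr      }
)

$Acl = Get-Acl -Path $AclPath
foreach ($r in $Rules) {
    $Ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $Sid, $r.Rights, $Allow, $r.ObjectType, $Inherit, $UserClassGuid
    )
    $Acl.AddAccessRule($Ace)
}
Set-Acl -Path $AclPath -AclObject $Acl

# Verify: show exactly which entries the service account now holds on the domain root.
# Expect four rows, each with InheritedObjectType = the user class GUID.
(Get-Acl -Path $AclPath).Access |
    Where-Object { $_.IdentityReference.Value -eq $AccountName } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

Applying the entries at the domain root with inheritance means users moved into a new OU later are covered automatically; if your OU filtering in Azure AD Connect only covers part of the domain, you can point $AclPath at that OU instead to keep the grant as narrow as the synchronization scope.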

Your password writeback configuration should now be correctly stored.

Testing Password writeback

To reset your password, and thereby have it written back to the on-premises Active Directory, navigate to https://passwordreset.microsoftonline.com. The process is identical to the Self Service Password Reset (SSPR) flow discussed in the previous blog post.

On the Get back into your account page, enter your user ID and the captcha code:


Select the verification method you prefer (text message, phone call or an e-mail to your alternate address) and enter the verification code. Once verified, you can enter a new password.


Click Finish and close the browser.

When you check the event log on the Azure AD Connect server you should see an event with ID 31002, showing a successful password change:
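The checks this post asks you to do by hand after configuring writeback (the onboarding event 31005 above, the 443 connectivity note and the 31002 event after a test reset) can be scripted on the Azure AD Connect server. This is an added example, not code from the original post. It assumes the Azure AD connector kept its default name ending in " - AAD", that login.microsoftonline.com is a representative Azure AD endpoint for the port test, that the writeback events land in the Application log, and a 24-hour search window; the function names are my own. The ADSync cmdlets used here ship with Azure AD Connect.

```powershell
# Added example (not from the original post): post-configuration check for password writeback.
# Assumptions: default connector name "<tenant> - AAD", Application log holds the events,
# login.microsoftonline.com stands in for the Azure AD endpoints.
Import-Module ADSync

function Get-WritebackStatus {
    # The Azure AD connector is named "<tenant>.onmicrosoft.com - AAD" in a default install
    $connector = Get-ADSyncConnector | Where-Object { $_.Name -like '* - AAD' } | Select-Object -First 1
    if (-not $connector) { throw 'No Azure AD connector found; is this the Azure AD Connect server?' }
    # Shows whether password reset/writeback is enabled for that connector.
    # The wizard step above is equivalent to:
    #   Set-ADSyncAADPasswordResetConfiguration -Connector $connector.Name -Enable $true
    Get-ADSyncAADPasswordResetConfiguration -Connector $connector.Name
}

function Test-AzureAdPort443 {
    param([string]$HostName = 'login.microsoftonline.com')   # assumed representative endpoint
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Plain TCP connect; if an outbound proxy is mandatory this fails even though
        # Azure AD Connect itself may work through the proxy, so treat a failure as a prompt
        # to check the proxy settings rather than as proof that writeback is broken.
        $client.Connect($HostName, 443)
        $client.Connected
    } catch {
        $false
    } finally {
        $client.Close()
    }
}

function Get-WritebackEvents {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Application'
        Id        = 31005, 31002          # 31005 = onboarding completed, 31002 = password change succeeded
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, ProviderName,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

Get-WritebackStatus
"Azure AD reachable on TCP 443: $(Test-AzureAdPort443)"
Get-WritebackEvents | Format-Table -AutoSize
```

Run it once right after the wizard finishes (you should see 31005) and again after the test reset described above (31002 should appear). If the status shows writeback enabled and 31005 is present but no 31002 ever shows up after a reset, the on-premises permissions from the previous section are the first thing to re-check.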


You can now log on to Exchange Online with your new password, and you'll find a message telling you that your password was changed.


Summary

In this blog post I've shown you how to implement password writeback when using Azure Active Directory Premium. It is not a lot of work; most of the effort goes into the SSPR preparations, which were explained in the previous blog post.

The only things to be aware of are that you need Azure AD Premium, Azure AD Connect for directory synchronization, and a service account with sufficient permissions in the on-premises Active Directory to write the passwords back.

More information regarding passwords, password writeback and Azure AD Connect can be found at the following locations:

  • Microsoft
  • Fellow MVP Brian Reid
  • Fellow MVP Michael van Horenbeeck
