Office 365 Password writeback

In the previous blog post I showed you how to enable and use the Self Service Password Reset (SSRP) tool as part of Azure AD Premium for users to reset their passwords themselves.

In this blog post I’ll discuss the option to implement password writeback to have passwords that are changed using the SSRP tool synchronized back to your on-premises Active Directory

Office 365 password writeback has the following prerequisites:

  • Have Azure Active Directory Premium implemented in your Office 365 tenant.
  • Configured the Self Service Password Reset option in your tenant.
  • You have Windows 2008 or higher Domain Controllers in your on-premises Active Directory. For Windows 2008 or Windows 2008 R2 Domain Controllers you also need to have KB2386717 installed.
  • You have Azure AD Connect (version 1.0.0419.0911 or higher) in your organization for synchronizing your on-premises Active Directory with Office 365. The original DirSync tool is no longer supported.

Configure Password Writeback

To configure Azure Active Directory password writeback logon to the server where you’ve AADConnect installed and start the Azure AD Connect configuration tool. On the initial opening page, select the 2nd option, Customize Synchronization Options and click Next.


Continue reading Office 365 Password writeback

Implement Self Service Password Reset (SSRP)

In the previous blogpost I have discussed how to enable Azure Active Directory Premium in your tenant, in this post I’ll discuss the next prerequisite for the password writeback option, which is Self Service Password Reset (SSRP).

Enable Self Service Password Reset

When Azure AD Premium is enabled you’ll see a lot of new features in the Azure Portal. Obviously, the Self Service Password reset is disabled.


Continue reading Implement Self Service Password Reset (SSRP)

Upgrade to Azure Active Directory Premium

Recently I was working with a customer who wanted to move from Exchange 2010 on-premises to Exchange Online. This customer had a lot of Mac clients (both internally and externally). Since Mac clients are not a member of the Active Directory domain I asked how these users changed their Domain password. “Using OWA” was the answer, which makes sense.

This poses a problem in Office 365, since the change password feature is not available in Exchange Online (nor in Exchange 2013/2016 on premises BTW). I have to admit, you can change a password in the Microsoft Online Portal, but this only works when using Cloud Identities, and not when you’re synchronizing user account with their password from an on-premises Active Directory.

One nice feature in Office 365, or more specifically in Azure Active Directory is the option to implement Password writeback. This way users can change their password in Office 365, and the new password will be synchronized to your on-premises Active Directory. This is not only very interesting for customers using Mac clients, but also for customer that have (a lot of) users working remotely, without direct access to on-premises Active Directory.

Activating password writeback consists of two steps:

  • Implementing self-service password reset in Office 365.
  • Implementing password writeback.

To enable the self-service password reset functionality you need an Azure AD Basic or Azure AD Premium subscription. An overview of Azure AD options is available on the Azure Active Directory Pricing page. Continue reading Upgrade to Azure Active Directory Premium

Upgrade Azure Active Directory Synchronization to AADConnect

The Microsoft Directory Synchronization has been available in a variety of versions and names:

  • DirSync (the original).
  • Azure Active Directory Sync (AADSync).
  • Azure Active Directory Connect (AADConnect).

Each version of the tool had a number of releases, for the original DirSync for example there were 14 different releases as can be seen here. Similar information for AADSync (5 releases) can be found here, and for AADConnect (12 releases) you can find it here.

In my test environment (Exchange hybrid) I’m currently running AADSync 1.0.491.413. Since the current (as of March 2016) version is AADConnect it’s time to upgrade J

When upgrading from a previous version there are two options:

  • In-place upgrade – this is the recommended way if the upgrade time takes less than three hours.
  • Parallel upgrade – This is the recommended way if the upgrade time takes more than three hours.

Why three hours? The Directory Synchronization runs every three hours. It is also estimated that if you have more than 50,000 objects to synchronize, the upgrade will take more than 3 hours.

Continue reading Upgrade Azure Active Directory Synchronization to AADConnect

Delegated Mailbox Permissions cross-premises

This is one of the most requested features in an Exchange hybrid scenario (i.e. Exchange Online combined with Exchange on-premises) and as of early February 2016 it is finally officially supported: Cross premises Full Access Permissions.

This means that if you have a manager’s Mailbox on-premises, and an assistant Mailbox in Exchange Online, the assistant can open the manager’s Mailbox. This works both ways, so if the manager’s Mailbox is in Exchange Online and the assistant’s Mailbox is in Exchange on-premises the results are the same.

There are some caveats however:

  • This only works when Full Access permissions are granted, and this is achieved using the Exchange Admin Center or Exchange Management Shell in Exchange Online.
  • Send-As, Receive-As and Send-on-behalf-of permissions are not supported cross-premises.
  • Your Outlook 2013 should be patched with at least the November 2015 update.
  • The first time users open a Mailbox in the other organization they might see a credentials pop-up

The people picker in in the EAC in Exchange Online supports adding Mail-Enabled Users (MEU) and regular Mailboxes, so you can use EAC in Exchange Online to add cross-premises permissions. The EAC in Exchange 2013/2016 on-premises only supports adding Mailboxes, so the online version of EAC need to be used.

More information can be found on the following Microsoft articles: