Password Writeback isn’t enabled by default in an Azure AD Hybrid environment. Password changes or resets then have to be done on-premises and can’t be done in Office 365. For the user experience, it’s more convenient if users can also reset or change their password in Office 365.
To accomplish this, we will need to enable Password Writeback. This way password changes made in Azure AD are synchronized back to your local Active Directory. It also allows users to use the Microsoft 365 Self Service Password Reset feature.
In this article, we are going to take a look at what is required to enable password write-back and how to enable it.
Password Writeback License Requirements
Before we take a look at how to enable password write-back, we first need to look at the license requirements: to use the feature you will need at least the Azure AD Premium P1 plan in your Microsoft 365 license.
The plan can be bought separately as an add-on, but it’s also part of the following license plans:
- Microsoft Business Premium
- Enterprise Mobility + Security E3 and E5 add-on
- Microsoft 365 E3 and E5
- Microsoft 365 F1 and F3
Without Azure AD Premium P1 or P2, you can’t use the password writeback feature nor enable Self Service Password Reset. You can find a complete overview of all Microsoft 365 plans here.
Configure Password Writeback
Time needed: 10 minutes
To configure Password Writeback for Azure AD we will need to have access to the Azure Active Directory and the Azure AD Connect tool.
- Open Azure AD Connect
Open Azure AD connect on the server and click Configure
- Customize synchronization options
Select the additional task Customize Synchronization Options and click Next
- Connect to Azure AD
You will now need to log in to Azure AD. Use your Azure AD Global Administrator account for this.
- Connect your directories and Domain and OU filtering
Just click Next twice, we are not going to add or remove any OUs or domains.
- Optional Features
On the step Optional Features, we are going to enable Password Writeback and click Next
- Finish the configuration in Azure AD Connect
The last page will show a summary of changes that we made, it should only list:
– Enable Password Writeback
– Configure synchronization services on this computer
Click Configure to apply the changes. After a couple of minutes, you should see a Configuration Completed page.
- Open portal.azure.com
Next, we need to enable the write-back feature in Azure AD.
– Go to portal.azure.com
– Open the Azure Active Directory
– Click on Password reset
- Check if Password Writeback is enabled
Azure AD should automatically detect that you have enabled password writeback in Azure AD Connect. You can check it under the On-premises integration:
- Check/enable Self service password reset
Also, self service password reset should now be enabled for your users. Click on Properties to check the feature:
The Password Writeback feature is now enabled in Azure AD. Your users can now reset their password from within Office 365.
Note
Good to know: when a user resets their password through Azure AD, the new password still has to comply with your local Active Directory password policy, not the default Azure AD password policy.
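The wizard steps above set a tenant feature flag on the Azure AD Connect server, and the note above says the on-premises password policy is the one that applies to cloud-initiated resets. The following PowerShell is an added example, not code from the original article, to verify both from the Connect server itself. It assumes the ADSync module (installed with Azure AD Connect, providing Get-ADSyncAADCompanyFeature and Set-ADSyncAADCompanyFeature) and the ActiveDirectory RSAT module are available; the function name Test-PasswordWritebackReadiness and its -Enable switch are my own.

```powershell
# Added example (not part of the original article). Run on the Azure AD Connect
# server in an elevated PowerShell session. Assumes the ADSync module (installed
# with Azure AD Connect) and the ActiveDirectory RSAT module are available.
Import-Module ADSync
Import-Module ActiveDirectory

function Test-PasswordWritebackReadiness {
    [CmdletBinding()]
    param(
        # Hypothetical switch: enable the feature instead of only reporting on it.
        [switch]$Enable
    )

    # Tenant-level feature flags that Azure AD Connect has registered.
    $features = Get-ADSyncAADCompanyFeature

    if (-not $features.PasswordWriteBack -and $Enable) {
        # Scripted equivalent of ticking "Password writeback" under Optional Features.
        Set-ADSyncAADCompanyFeature -PasswordWriteBack $true
        $features = Get-ADSyncAADCompanyFeature
    }

    # The on-premises policy that a reset started in Azure AD still has to satisfy.
    $policy = Get-ADDefaultDomainPasswordPolicy

    [pscustomobject]@{
        PasswordWriteBack    = [bool]$features.PasswordWriteBack
        PasswordHashSync     = [bool]$features.PasswordHashSync
        MinPasswordLength    = $policy.MinPasswordLength
        ComplexityEnabled    = $policy.ComplexityEnabled
        PasswordHistoryCount = $policy.PasswordHistoryCount
        MinPasswordAge       = $policy.MinPasswordAge
        # Fine-grained policies override the default for the groups they target.
        FineGrainedPolicies  = @(Get-ADFineGrainedPasswordPolicy -Filter *).Count
    }
}

# Read-only by default; add -Enable to turn the feature on from the script.
$status = Test-PasswordWritebackReadiness
$status | Format-List

if (-not $status.PasswordWriteBack) {
    Write-Warning 'Password writeback is disabled; rerun with -Enable or use the Azure AD Connect wizard.'
}
```

Without -Enable the function only reads configuration, so it is safe to run as a post-change check. A non-zero FineGrainedPolicies count is worth noting: users covered by a fine-grained policy will be held to that policy rather than the default domain policy when they reset from the cloud.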
Wrapping Up
The password writeback feature makes resetting and changing passwords a lot more convenient for your users. Make sure you have the correct Microsoft 365 license with at least Azure AD Premium P1, otherwise you can’t enable the feature in Azure AD.
If you have any questions, just drop a comment below.
Once we perform the initial AD to Azure AD sync with password writeback, the AD credentials will overwrite the Azure AD credentials. Is there any way to flip it around so Azure AD credentials are written to on-prem AD upon initial sync?
Not that I am aware of. Also if you check the docs, it doesn’t mention anything about setting the source for the password sync.
I can reset user passwords from Azure, but with admin users from my AD I can’t. Is there something more to apply for these users?
You should be able to change the password of admin account in the cloud, but you can’t perform a reset on protected accounts. More info here.
In a case where you are trying to change a password of a user account at the same time from the cloud and on-prem, which one will have priority?
Thank you so much.
Passwords changed in Azure AD are written back under 500ms. So the chance that you change the password at the exact same time is small.
Is it possible to change attributes like department and job title in Azure and send them on-prem using writeback?
Nope. With a hybrid environment, you can only manage some settings in the local Active Directory.
Every user needs a minimum of Azure AD P1 to use SSPR, and not only one license to enable SSPR for the tenant.
Also, a synced account can’t change its password without AAD P1 since password writeback is a premium feature.
Is that correct?
Yes, both are correct. Every user needs to have a license that includes Azure AD P1. Writeback won’t work without it