How to enable Password Writeback in Azure AD

Password Writeback isn’t enabled by default in an Azure AD hybrid environment. Password changes or resets then have to be done on-premises and can’t be done in Office 365. For the user experience it’s more convenient if they can also reset or change their password in Office 365.

To accomplish this, we will need to enable Password Writeback. This way password changes made in Azure AD are synchronized back to your local Active Directory. It also allows users to use the Microsoft 365 Self-Service Password Reset (SSPR) feature.

In this article, we are going to take a look at what is required to enable password write-back and how to enable it.

Password Writeback License Requirements

Before we take a look at how to enable password writeback we first need to look at the license requirements. To use the feature you will need at least the Azure AD Premium P1 plan in your Microsoft 365 license.

The plan can be bought separately as an add-on, but it’s also part of the following license plans:

  • Microsoft Business Premium
  • Enterprise Mobility + Security E3 and E5 add-on
  • Microsoft 365 E3 and E5
  • Microsoft 365 F1 and F3

Without Azure AD Premium P1 or P2, you can’t use the Password Writeback feature nor enable Self-Service Password Reset. You can find a complete overview of all Microsoft 365 plans here.
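Because the license is assigned per user, it helps to know which synced accounts would actually be able to use writeback and SSPR before you enable it. The script below is an added example, not code from the original article: it uses the Microsoft Graph PowerShell SDK (assumed to be installed, with the User.Read.All permission granted) and reports the synced users that do not have an Azure AD Premium service plan. The service plan names AAD_PREMIUM (P1) and AAD_PREMIUM_P2 (P2) are the ones Microsoft 365 uses for these plans.

```powershell
# Added example (not from the original article): list synced users that lack
# the Azure AD Premium P1/P2 service plan needed for Password Writeback and SSPR.
# Assumes the Microsoft.Graph PowerShell SDK is installed and you can consent to User.Read.All.
Connect-MgGraph -Scopes "User.Read.All" -NoWelcome

# Service plan names that carry Azure AD Premium: P1 is AAD_PREMIUM, P2 is AAD_PREMIUM_P2
$premiumPlans = @("AAD_PREMIUM", "AAD_PREMIUM_P2")

# Only accounts synced from on-premises AD are relevant for writeback
$syncedUsers = Get-MgUser -Filter "onPremisesSyncEnabled eq true" -All `
    -Property Id, UserPrincipalName, OnPremisesSyncEnabled

$report = foreach ($user in $syncedUsers) {
    # Collect the successfully provisioned service plans of every license on the user
    $plans = (Get-MgUserLicenseDetail -UserId $user.Id).ServicePlans |
        Where-Object { $_.ProvisioningStatus -eq "Success" } |
        Select-Object -ExpandProperty ServicePlanName

    [pscustomobject]@{
        UserPrincipalName = $user.UserPrincipalName
        HasAadPremium     = [bool]($plans | Where-Object { $premiumPlans -contains $_ })
    }
}

# Users listed here cannot use SSPR with writeback until they get a P1 or P2 plan
$report | Where-Object { -not $_.HasAadPremium } | Format-Table -AutoSize
```

Run it from a workstation with the Graph SDK rather than from the Azure AD Connect server; it only reads license details and changes nothing in the tenant.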

Configure Password Writeback

Time needed: 10 minutes

To configure Password Writeback for Azure AD we will need to have access to the Azure Active Directory and the Azure AD Connect tool.

  1. Open Azure AD Connect

    Open Azure AD connect on the server and click Configure

  2. Customize synchronization options

    Select the additional task Customize Synchronization Options and click Next

    (Screenshot: configure password writeback)

  3. Connect to Azure AD

    You will now need to log in to Azure AD. Use your Azure AD Global Administrator account for this.

  4. Connect your directories and Domain and OU filtering

    Just click Next twice, we are not going to add or remove any OU’s or domains.

  5. Optional Features

    On the step Optional Features, we are going to enable Password Writeback and click Next

    (Screenshot: enable password writeback)

  6. Finish the configuration in Azure AD Connect

    The last page shows a summary of the changes we made; it should only list:

    – Enable Password Writeback
    – Configure synchronization services on this computer

    Click Configure to apply the changes. After a couple of minutes, you should see a Configuration Completed page.

    (Screenshot: Azure AD password writeback configuration completed)

  7. Open portal.azure.com

    Next, we need to enable the write-back feature in Azure AD.
    – Go to portal.azure.com
    – Open the Azure Active Directory
    – Click on Password reset

    (Screenshot: Azure AD Password reset)

  8. Check if Password Writeback is enabled

    Azure AD should automatically detect that you have enabled Password Writeback in Azure AD Connect. You can check it under On-premises integration:

    (Screenshot: Azure AD Password Writeback under On-premises integration)

  9. Check/enable Self-Service Password Reset

    Self-Service Password Reset should now also be enabled for your users. Click on Properties to check the feature:

    (Screenshot: SSPR properties in Azure AD)
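The portal check in steps 8 and 9 relies on Azure AD picking up the change from Azure AD Connect. You can confirm the same thing directly on the Azure AD Connect server, which is also the first place to look if the portal keeps showing writeback as disabled. The script below is an added example and not part of the original article: it uses the ADSync module that ships with Azure AD Connect (run it in an elevated PowerShell on that server) and assumes the Azure AD connector uses the default "<tenant>.onmicrosoft.com - AAD" name.

```powershell
# Added example (not from the original article): verify on the Azure AD Connect
# server that Password Writeback is enabled and the sync engine can process resets.
# Assumes: elevated PowerShell on the Azure AD Connect server; the Azure AD
# connector follows the default "<tenant>.onmicrosoft.com - AAD" naming convention.
Import-Module ADSync -ErrorAction Stop

# Locate the Azure AD connector by its default name pattern (assumption, see above)
$aadConnector = Get-ADSyncConnector |
    Where-Object { $_.Name -like '* - AAD' } |
    Select-Object -First 1
if (-not $aadConnector) {
    throw "No Azure AD connector found; inspect the output of Get-ADSyncConnector."
}

# Password Writeback state as stored by Azure AD Connect for that connector
$writeback = Get-ADSyncAADPasswordResetConfiguration -Connector $aadConnector.Name

# Reset requests are only processed while the Microsoft Azure AD Sync service runs
$service = Get-Service -Name ADSync

# Scheduler state shows whether the regular sync cycle is enabled at all
$scheduler = Get-ADSyncScheduler

[pscustomobject]@{
    Connector         = $aadConnector.Name
    PasswordWriteback = $writeback.Enabled
    ADSyncService     = $service.Status
    SyncCycleEnabled  = $scheduler.SyncCycleEnabled
    NextSyncCycleUTC  = $scheduler.NextSyncCycleStartTimeInUTC
} | Format-List

if (-not $writeback.Enabled) {
    Write-Warning ("Password Writeback is disabled on this server. Re-run the wizard " +
                   "(Customize synchronization options > Optional Features) and tick Password writeback.")
}
```

If PasswordWriteback shows True here but the portal still reports it as disabled, give the service a few minutes and reload the Password reset blade; the portal reads the state that Azure AD Connect reports to the tenant, not the local configuration directly.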

The Password Writeback feature is now enabled in Azure AD. Your users can now reset their password from within Office 365.

Note

Good to know: when a user resets their password through Azure AD, the new password still has to comply with your local Active Directory password policy, not the default Azure AD password policy.

Wrapping Up

The Password Writeback feature makes resetting and changing passwords a lot more convenient for your users. Make sure you have the correct Microsoft 365 license with at least Azure AD Premium P1, otherwise you can’t enable the feature in Azure AD.

If you have any questions, just drop a comment below.

10 thoughts on “How to enable Password Writeback in Azure AD”

  1. Once we perform the initial AD to Azure AD sync with password writeback, the AD credentials will overwrite the Azure AD credentials. Is there any way to flip it around so Azure AD credentials are written to on-prem AD upon the initial sync?

  2. I can reset user passwords from Azure, but with admin users from my AD I can’t. Is there something more to apply for these users?

  3. In a case where you are trying to change the password of a user account at the same time from the cloud and on-prem, which one will have priority?

    Thank you so much.

  4. Every user needs at least Azure AD P1 to use SSPR, and not only one license to enable SSPR for the tenant.
    Also, a synced account can’t change its password without AAD P1 since password writeback is a premium feature.
    Is that correct?
