Introduction
Azure AD Password Writeback is a feature that allows users to reset their passwords from the cloud and have those passwords written back to their on-premises Active Directory domain. To use this feature, a few prerequisites must be met.
Prerequisites
- Azure AD Connect
- Azure AD Premium P1 or P2 licenses
- On-premises AD
- Hybrid AD joined
- Azure AD Connect sync with Password Writeback
Step 1
This is my on-premises Active Directory which is synced with Azure Active Directory.
Step 2
This is my Azure Active Directory, and all users have an Azure AD Premium P2 license.
Step 3
Once you have configured Azure AD Connect, it automatically creates a service account in your on-premises AD. Its name starts with MSOL_.
You can find the user in Active Directory Users and Computers.
Note: Make sure View > Advanced Features is enabled.
Step 4
Double-click MSOL_beb54959f202 and select the Security tab.
Step 5
Add your MSOL_ user, select the appropriate permissions, and make sure the following checkboxes are checked (Allow):
- Change Password
- Reset Password
- Write Lockout Time
- Write pwdLastSet
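As an added check that is not part of the original article, the following PowerShell audits whether the MSOL_ account actually holds the four delegated rights listed above on the domain root (where Azure AD Connect expects them to be delegated so they inherit to user objects), resolving the permission GUIDs from the forest schema instead of hard-coding them. It assumes the RSAT ActiveDirectory module on a domain-joined host; the function and variable names are mine.

```powershell
# Added example, not from the original article: audit the password-writeback
# delegation held by the MSOL_ service account on the domain root.
# Assumes the RSAT ActiveDirectory module and read access to the domain ACL.
Import-Module ActiveDirectory

$Domain  = Get-ADDomain
$RootDse = Get-ADRootDSE
$Msol    = Get-ADUser -Filter 'SamAccountName -like "MSOL_*"' | Select-Object -First 1
if (-not $Msol) { throw 'No MSOL_ account found; Azure AD Connect creates it during setup.' }

# Resolve attribute and extended-right GUIDs from the forest rather than hard-coding them.
function Get-SchemaAttributeGuid([string]$LdapDisplayName) {
    $o = Get-ADObject -SearchBase $RootDse.schemaNamingContext `
        -Filter "lDAPDisplayName -eq '$LdapDisplayName'" -Properties schemaIDGUID
    [guid]::new([byte[]]$o.schemaIDGUID)
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$($RootDse.configurationNamingContext)" `
        -Filter "displayName -eq '$DisplayName'" -Properties rightsGuid
    [guid]$o.rightsGuid
}

# The four permissions the checklist above grants to the MSOL_ account.
$Required = @(
    @{ Name = 'Change Password';   Right = 'ExtendedRight'; Guid = Get-ExtendedRightGuid 'Change Password' },
    @{ Name = 'Reset Password';    Right = 'ExtendedRight'; Guid = Get-ExtendedRightGuid 'Reset Password' },
    @{ Name = 'Write lockoutTime'; Right = 'WriteProperty'; Guid = Get-SchemaAttributeGuid 'lockoutTime' },
    @{ Name = 'Write pwdLastSet';  Right = 'WriteProperty'; Guid = Get-SchemaAttributeGuid 'pwdLastSet' }
)

# ACEs on the domain root that name the MSOL_ account (they inherit down to user objects).
$Identity = "$($Domain.NetBIOSName)\$($Msol.SamAccountName)"
$Aces = (Get-Acl -Path "AD:\$($Domain.DistinguishedName)").Access |
    Where-Object { $_.IdentityReference.Value -eq $Identity }

$Report = foreach ($Req in $Required) {
    $Mask = [System.DirectoryServices.ActiveDirectoryRights]$Req.Right
    $Granted = [bool]($Aces | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -eq $Req.Guid -and
        (($_.ActiveDirectoryRights -band $Mask) -ne 0) -and
        $_.InheritanceType -ne 'None'   # must flow down to descendant user objects
    })
    [pscustomobject]@{ Permission = $Req.Name; Account = $Identity; Granted = $Granted }
}
$Report | Format-Table -AutoSize
if ($Report.Granted -contains $false) {
    Write-Warning 'Password writeback will fail until every row shows Granted = True.'
}
```

Any ACE granting the MSOL_ account rights beyond these four (for example GenericAll) is worth reviewing, since this account only needs the delegation shown in the checklist.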
Group Policy Configuration
Step 1
Open Group Policy in your on-prem Active Directory
Step 2
I have renamed my default policy to Azure SSO
Select Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy.
Note: This password policy applies to on-premises users. When a synced user resets their password in the cloud, the new password is written back to on-premises AD and must satisfy this policy.
Azure AD Configuration
Step 1
Make sure Password Writeback is enabled in Azure AD Connect.
Open Azure AD Connect and check Password Writeback
Step 2
Select Password reset > Properties and select your Azure AD user group. In my case, I have created SSPR and assigned AD P2 licenses to my users.
Step 3
Select On-premises integration, make sure the checkboxes are checked, and save.
Self-Service Password Reset
Step 1
Now I'm going to reset my password.
Step 2
You can type the security code and click next.
Step 3
There are two options for you. In my case, I have chosen I forgot my password.
Step 4
Once you have completed your two-factor verification, you can create a new password and click Finish.
Step 5
My password has been reset successfully.
Step 6
I can use the same password for my Windows login credentials as well.
Conclusion
This article showed how to enable SSPR and Azure AD password writeback. If you have any questions, don't hesitate to contact me.
Thank you