Azure AD | Password Writeback

Steps to implement Azure AD Password Writeback

If you try to reset the password of an AD-synced user from the Azure AD Portal before writeback is configured, the portal warns that Password Writeback is NOT enabled.

Password Writeback is supported with ADFS, Password Hash Synchronization and Pass-Through Authentication, and requires one of the following licenses:

  • Azure AD Premium P1 or P2
  • Enterprise Mobility + Security E3 or E5
  • Microsoft 365 E3 or E5 (Not Office 365 E3 or E5 Plan)

Refer to the link below for a detailed explanation of how Password Writeback works:

https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-writeback#next-steps

Steps to enable Password Writeback with Password Hash Synchronization and an Azure AD Premium P2 license in our lab

Enable Password Writeback option in Azure AD Connect

  1. Open Azure AD Connect and select Customize Synchronization Options

  2. Enter the Global Administrator username for Azure AD and select Password writeback

If there is a proxy server between the Azure AD Connect server and the Internet / Azure AD cloud, whitelist .azure.com and .microsoftazuread-sso.com on it.

Enable Password Writeback option in Azure AD

  1. Log in to the Azure Portal with a Global Administrator account
  2. Go to Azure Active Directory – Password Reset – On-Premises Integration and enable Allow users to unlock accounts without resetting their password

  3. Go to Properties, set Self-Service Password Reset Enabled and click Save

User Experience

  1. On their next login to the Office 365 Portal, the user is prompted to configure the basic information needed for the Password Reset feature

  2. Enter the user's personal phone number and email address to receive a verification code

  3. Click Finish once the user has completed verification successfully

  4. Click Change Your Password under the top-right icon

  5. Enter the existing / old password together with the new password

  6. The user should now be able to log in to the Office 365 Portal with the new password
  7. Log off and log back in to the user's local workstation / laptop with the new password to verify that it was written back from Azure AD to the local AD successfully

Monitoring of Password Reset

  1. Verify the LastPasswordChangeTimestamp with PowerShell (requires the MSOnline module)

# Authenticate to Azure AD before querying users
Connect-MsolService

$User = Get-MsolUser -UserPrincipalName uat@aventislab.info | Select UserPrincipalName, LastDirSyncTime, LastPasswordChangeTimestamp

# LastPasswordChangeTimestamp is returned in UTC; convert it to local time
$TimeZone_Malaysia = "Singapore Standard Time"   # Malaysia shares UTC+8 with Singapore
$CurrentTimeZone = [System.TimeZoneInfo]::FindSystemTimeZoneById($TimeZone_Malaysia)
$LocalTime = [System.TimeZoneInfo]::ConvertTimeFromUtc($User.LastPasswordChangeTimestamp, $CurrentTimeZone)
$LocalTime

Monday, 30 September, 2019 1:17:32 PM
  2. Check the user's activities in the Audit Logs

  3. Usage & Insights provides additional information on the usage of the Password Reset feature
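The manual check above (logging back in to the workstation) can be automated by comparing the cloud-side LastPasswordChangeTimestamp with the on-premises PasswordLastSet attribute. This is an added example, not code from the original article; it assumes an authenticated MSOnline session (Connect-MsolService), the ActiveDirectory RSAT module, and that the user's UPN is the same in both directories. The function name Test-PasswordWriteback and the 5-minute tolerance are the example's own choices.

```powershell
# Added example: confirm that a self-service password reset in Azure AD was
# written back to on-premises AD by comparing the password-change timestamps
# on both sides. Assumes Connect-MsolService has already been run and the
# ActiveDirectory module is installed; Test-PasswordWriteback is a name chosen here.
function Test-PasswordWriteback {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [int]    $ToleranceMinutes = 5,                   # assumed acceptable lag
        [string] $TimeZoneId = "Singapore Standard Time"  # same zone as the article
    )

    $tz = [System.TimeZoneInfo]::FindSystemTimeZoneById($TimeZoneId)

    # Cloud side: MSOnline returns LastPasswordChangeTimestamp in UTC
    $cloud = Get-MsolUser -UserPrincipalName $UserPrincipalName
    if (-not $cloud.LastPasswordChangeTimestamp) {
        throw "No LastPasswordChangeTimestamp recorded in Azure AD for $UserPrincipalName"
    }
    $cloudUtc = [DateTime]::SpecifyKind($cloud.LastPasswordChangeTimestamp, 'Utc')

    # On-prem side: PasswordLastSet is returned in the local time of the machine running the query
    $onPrem = Get-ADUser -Filter "UserPrincipalName -eq '$UserPrincipalName'" -Properties PasswordLastSet
    if (-not $onPrem) { throw "No on-premises account found for $UserPrincipalName" }
    $onPremUtc = $onPrem.PasswordLastSet.ToUniversalTime()

    # Writeback succeeded if both sides changed at (nearly) the same moment
    $delta = ($onPremUtc - $cloudUtc).Duration()
    [pscustomobject]@{
        UserPrincipalName = $UserPrincipalName
        CloudChangeLocal  = [System.TimeZoneInfo]::ConvertTimeFromUtc($cloudUtc, $tz)
        OnPremChangeLocal = [System.TimeZoneInfo]::ConvertTimeFromUtc($onPremUtc, $tz)
        DeltaMinutes      = [math]::Round($delta.TotalMinutes, 1)
        WrittenBack       = ($delta.TotalMinutes -le $ToleranceMinutes)
    }
}

# Check the lab user from the article
Test-PasswordWriteback -UserPrincipalName 'uat@aventislab.info' | Format-List
```

A large DeltaMinutes with WrittenBack = False after a cloud reset points at the writeback path (Azure AD Connect service, proxy allow-list, or the Password writeback option) rather than at the user.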