<h1>How to Enable Azure AD Self-service and Password Writeback to an On-premises Environment</h1>

<p>Published 2022-10-25. Adapted from the Microsoft Learn tutorial referenced at the end of this post.</p>

<p>With Azure Active Directory (Azure AD) self-service password reset (SSPR), users can update their password or unlock their account using a web browser. We recommend this video on <a href="https://www.youtube.com/watch?v=rA8TvhNcCvQ">How to enable and configure SSPR in Azure AD</a>. In a hybrid environment where Azure AD is connected to an on-premises Active Directory Domain Services (AD DS) environment, a reset performed in Azure AD changes only the cloud password unless writeback is configured, so the same user ends up with different passwords in the two directories.</p>

<p>Password writeback synchronizes password changes made in Azure AD back to your on-premises AD DS environment. Azure AD Connect provides the mechanism that sends these changes from Azure AD back to the existing on-premises directory.</p>

<p><strong>Important:</strong> This tutorial shows an administrator how to enable self-service password reset writeback to an on-premises environment. If you're an end user already registered for self-service password reset and need to get back into your account, go to <a href="https://aka.ms/sspr">https://aka.ms/sspr</a>. If your IT team hasn't enabled the ability to reset your own password, contact your helpdesk for assistance.</p>

<p>In this tutorial, you learn how to:</p>

<ul class="wp-block-list"><li>Configure the required permissions for password writeback</li><li>Enable the password writeback option in Azure AD Connect</li><li>Enable password writeback in Azure AD SSPR</li></ul>

<h2 class="wp-block-heading" id="prerequisites">Prerequisites</h2>

<p>To complete this tutorial, you need the following resources and privileges:</p>

<ul class="wp-block-list"><li>A working Azure AD tenant with at least an Azure AD Premium P1 or trial license enabled.<ul><li>If needed, <a href="https://azure.microsoft.com/free/?WT.mc_id=A261C142F">create one for free</a>.</li><li>For more information, see <a href="https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-licensing">Licensing requirements for Azure AD SSPR</a>.</li></ul></li><li>An account with the <a href="https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#hybrid-identity-administrator">Hybrid Identity Administrator</a> role.</li><li>Azure AD configured for self-service password reset.<ul><li>If needed, <a href="https://learn.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr">complete the previous tutorial to enable Azure AD SSPR</a>.</li></ul></li><li>An existing on-premises AD DS environment configured with a current version of Azure AD Connect.<ul><li>If needed, configure Azure AD Connect using the <a href="https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-express">Express</a> or <a href="https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-custom">Custom</a> settings.</li><li>To use password writeback, domain controllers can run any supported version of Windows Server.</li></ul></li></ul>

<h2 class="wp-block-heading" id="configure-account-permissions-for-azure-ad-connect">Configure account permissions for Azure AD Connect</h2>

<p>Azure AD Connect lets you synchronize users, groups, and credentials between an on-premises AD DS environment and Azure AD. You typically install Azure AD Connect on a Windows Server 2016 or later computer that's joined to the on-premises AD DS domain.</p>

<p>For SSPR writeback to work, the AD DS connector account specified in Azure AD Connect must have the appropriate permissions and options set. If you're not sure which account is currently in use, open Azure AD Connect and select the <strong>View current configuration</strong> option. The account that you need to add permissions to is listed under <strong>Synchronized Directories</strong>. The following permissions and options must be set on the account:</p>

<ul class="wp-block-list"><li><strong>Reset password</strong></li><li><strong>Write permissions</strong> on <code>lockoutTime</code></li><li><strong>Write permissions</strong> on <code>pwdLastSet</code></li><li><strong>Extended rights</strong> for "Unexpire Password" on the root object of <em>each domain</em> in that forest, if not already set.</li></ul>

<p>Be clear about what these rights amount to: the connector account can reset the password of every user object below the domain root. Treat the account and the Azure AD Connect server as Tier 0 assets, on a par with a domain controller: restrict who can log on to the server, do not reuse the account for anything else, and monitor its use.</p>

<p>If you don't assign these permissions, writeback may appear to be configured correctly, but users encounter errors when they manage their on-premises passwords from the cloud. When setting "Unexpire Password" permissions in Active Directory, the entry must be applied to <strong>This object and all descendant objects</strong>, <strong>This object only</strong>, or <strong>All descendant objects</strong>; with any other scope the "Unexpire Password" permission isn't displayed in the dialog.</p>

<p><strong>Tip:</strong> If passwords for some user accounts aren't written back to the on-premises directory, make sure that permission inheritance isn't disabled on those accounts in the on-premises AD DS environment. The write permissions above are granted at the domain root and reach a user object only through inheritance. A common cause of disabled inheritance is AdminSDHolder protection of accounts in privileged groups (<code>adminCount</code> set to 1); such accounts will not receive the inherited permissions.</p>

<p>To set up the appropriate permissions for password writeback to occur, complete the following steps:</p>

<ol class="wp-block-list"><li>In your on-premises AD DS environment, open <strong>Active Directory Users and Computers</strong> with an account that has the appropriate <em>domain administrator</em> permissions.</li><li>From the <strong>View</strong> menu, make sure that <strong>Advanced features</strong> is turned on.</li><li>In the left panel, right-click the object that represents the root of the domain and select <strong>Properties</strong> &gt; <strong>Security</strong> &gt; <strong>Advanced</strong>.</li><li>From the <strong>Permissions</strong> tab, select <strong>Add</strong>.</li><li>For <strong>Principal</strong>, select the account that permissions should be applied to (the account used by Azure AD Connect).</li><li>In the <strong>Applies to</strong> drop-down list, select <strong>Descendant User objects</strong>.</li><li>Under <em>Permissions</em>, select the box for the following option:<ul><li><strong>Reset password</strong></li></ul></li><li>Under <em>Properties</em>, select the boxes for the following options. Scroll through the list to find these options, which may already be set by default:<ul><li><strong>Write lockoutTime</strong></li><li><strong>Write pwdLastSet</strong></li></ul></li><li>When ready, select <strong>Apply / OK</strong> to apply the changes.</li><li>From the <strong>Permissions</strong> tab, select <strong>Add</strong> again.</li><li>For <strong>Principal</strong>, select the same account (the account used by Azure AD Connect).</li><li>In the <strong>Applies to</strong> drop-down list, select <strong>This object and all descendant objects</strong>.</li><li>Under <em>Permissions</em>, select the box for the following option:<ul><li><strong>Unexpire Password</strong></li></ul></li><li>When ready, select <strong>Apply / OK</strong> to apply the changes and exit any open dialog boxes.</li></ol>

<p>When you update permissions, it might take an hour or more for these permissions to replicate to all the objects in your directory.</p>

<p>Password policies in the on-premises AD DS environment may prevent password resets from being processed. For password writeback to work reliably, the group policy setting <em>Minimum password age</em> must be set to 0. The setting is under <strong>Computer Configuration &gt; Policies &gt; Windows Settings &gt; Security Settings &gt; Account Policies &gt; Password Policy</strong> in <code>gpmc.msc</code>. If you update the group policy, wait for the updated policy to replicate, or run <code>gpupdate /force</code>.</p>

<p><strong>Note:</strong> A minimum password age greater than 0 blocks a second change inside that window, so users who need to change or reset their password more than once per day require the value 0. Bear in mind that the minimum age exists to stop users from cycling through the password history back to an old password; if you set it to 0, rely on the remaining policy (history, length, complexity) for that. Writeback succeeds only after the on-premises password policy has accepted the new password.</p>

<h2 class="wp-block-heading" id="enable-password-writeback-in-azure-ad-connect">Enable password writeback in Azure AD Connect</h2>

<p>One of the configuration options in Azure AD Connect is password writeback. When this option is enabled, password change events cause Azure AD Connect to write the updated credentials back to the on-premises AD DS environment.</p>

<p>To enable SSPR writeback, first enable the writeback option in Azure AD Connect. From your Azure AD Connect server, complete the following steps:</p>

<ol class="wp-block-list"><li>Sign in to your Azure AD Connect server and start the <strong>Azure AD Connect</strong> configuration wizard.</li><li>On the <strong>Welcome</strong> page, select <strong>Configure</strong>.</li><li>On the <strong>Additional tasks</strong> page, select <strong>Customize synchronization options</strong>, and then select <strong>Next</strong>.</li><li>On the <strong>Connect to Azure AD</strong> page, enter a global administrator credential for your Azure tenant, and then select <strong>Next</strong>.</li><li>On the <strong>Connect directories</strong> and <strong>Domain/OU</strong> filtering pages, select <strong>Next</strong>.</li><li>On the <strong>Optional features</strong> page, select the box next to <strong>Password writeback</strong> and select <strong>Next</strong>.</li><li>On the <strong>Directory extensions</strong> page, select <strong>Next</strong>.</li><li>On the <strong>Ready to configure</strong> page, select <strong>Configure</strong> and wait for the process to finish.</li><li>When the configuration finishes, select <strong>Exit</strong>.</li></ol>

<h2 class="wp-block-heading" id="enable-password-writeback-for-sspr">Enable password writeback for SSPR</h2>

<p>With password writeback enabled in Azure AD Connect, now configure Azure AD SSPR for writeback. SSPR can write back through Azure AD Connect sync agents and through Azure AD Connect provisioning agents (cloud sync). When you enable SSPR to use password writeback, users who change or reset their password have that updated password synchronized back to the on-premises AD DS environment as well.</p>

<p>To enable password writeback in SSPR, complete the following steps:</p>

<ol class="wp-block-list"><li>Sign in to the <a href="https://portal.azure.com/">Azure portal</a> using a Hybrid Identity Administrator account.</li><li>Search for and select <strong>Azure Active Directory</strong>, select <strong>Password reset</strong>, then choose <strong>On-premises integration</strong>.</li><li>Check the option <strong>Write back passwords to your on-premises directory</strong>.</li><li>(Optional) If Azure AD Connect provisioning agents are detected, you can additionally check the option <strong>Write back passwords with Azure AD Connect cloud sync</strong>.</li><li>Set <strong>Allow users to unlock accounts without resetting their password</strong> to <em>Yes</em>.</li><li>When ready, select <strong>Save</strong>.</li></ol>

<h2 class="wp-block-heading" id="clean-up-resources">Clean up resources</h2>

<p>If you no longer want to use the SSPR writeback functionality you configured as part of this tutorial, complete the following steps:</p>

<ol class="wp-block-list"><li>Sign in to the <a href="https://portal.azure.com/">Azure portal</a>.</li><li>Search for and select <strong>Azure Active Directory</strong>, select <strong>Password reset</strong>, then choose <strong>On-premises integration</strong>.</li><li>Uncheck the option <strong>Write back passwords to your on-premises directory</strong>.</li><li>Uncheck the option <strong>Write back passwords with Azure AD Connect cloud sync</strong>.</li><li>Uncheck the option <strong>Allow users to unlock accounts without resetting their password</strong>.</li><li>When ready, select <strong>Save</strong>.</li></ol>

<p>If you no longer want to use Azure AD Connect cloud sync for SSPR writeback but want to continue using the Azure AD Connect sync agent for writeback, complete the following steps:</p>

<ol class="wp-block-list"><li>Sign in to the <a href="https://portal.azure.com/">Azure portal</a>.</li><li>Search for and select <strong>Azure Active Directory</strong>, select <strong>Password reset</strong>, then choose <strong>On-premises integration</strong>.</li><li>Uncheck the option <strong>Write back passwords with Azure AD Connect cloud sync</strong>.</li><li>When ready, select <strong>Save</strong>.</li></ol>

<p>If you no longer want to use any password writeback functionality, complete the following steps from your Azure AD Connect server:</p>

<ol class="wp-block-list"><li>Sign in to your Azure AD Connect server and start the <strong>Azure AD Connect</strong> configuration wizard.</li><li>On the <strong>Welcome</strong> page, select <strong>Configure</strong>.</li><li>On the <strong>Additional tasks</strong> page, select <strong>Customize synchronization options</strong>, and then select <strong>Next</strong>.</li><li>On the <strong>Connect to Azure AD</strong> page, enter a global administrator credential for your Azure tenant, and then select <strong>Next</strong>.</li><li>On the <strong>Connect directories</strong> and <strong>Domain/OU</strong> filtering pages, select <strong>Next</strong>.</li><li>On the <strong>Optional features</strong> page, deselect the box next to <strong>Password writeback</strong> and select <strong>Next</strong>.</li><li>On the <strong>Ready to configure</strong> page, select <strong>Configure</strong> and wait for the process to finish.</li><li>When the configuration finishes, select <strong>Exit</strong>.</li></ol>

<p><strong>Important:</strong> Enabling password writeback for the first time may log password change events 656 and 657 on the Azure AD Connect server even though no password has changed. This happens because all password hashes are re-synchronized after a password hash synchronization cycle has run.</p>

<h2 class="wp-block-heading" id="next-steps">Next steps</h2>

<p>In this tutorial, you enabled Azure AD SSPR writeback to an on-premises AD DS environment. You learned how to:</p>

<ul class="wp-block-list"><li>Configure the required permissions for password writeback</li><li>Enable the password writeback option in Azure AD Connect</li><li>Enable password writeback in Azure AD SSPR</li></ul>

<p>Ref: https://learn.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr-writeback</p>

<p>Categories: azure-microsoft, microsoft, windows-servers. Tags: enable-azure-ad-password-writeback, enable-azure-ad-self-service, enable-azure-ad-self-service-and-password-writeback.</p>
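<p>The permissions section above is a sequence of clicks in Active Directory Users and Computers with no way to confirm afterwards that the four entries landed on the right principal with the right scope, and the later paragraphs on <em>Minimum password age</em> and on permission inheritance describe two further reasons writeback silently fails. The following PowerShell script is an added example, not code from the original post or from Microsoft's tutorial. It audits the domain root ACL for exactly the four entries the tutorial lists (Reset Password, Write lockoutTime and Write pwdLastSet on descendant user objects; Unexpire Password on this object and all descendants), grants whatever is missing when run with <code>-Apply</code>, then checks the default and fine-grained password policies for a non-zero minimum age and lists <code>adminCount=1</code> users whose ACL has inheritance disabled. It assumes the ActiveDirectory PowerShell module on a domain-joined machine, a domain administrator session, and that the connector account name (<code>MSOL_0123456789ab</code> is a placeholder) is replaced with the one shown under <strong>View current configuration</strong> in Azure AD Connect. Attribute and extended-right GUIDs are resolved from the forest schema at run time rather than hardcoded.</p>

```powershell
# Added example (not from the original post or Microsoft's tutorial).
# Audits, and optionally grants, the ACEs that Azure AD Connect password
# writeback needs on the domain root, then checks the two on-premises
# conditions the tutorial calls out: Minimum password age = 0 and permission
# inheritance on user objects.
# Assumptions: ActiveDirectory module present, run as a domain admin on a
# domain-joined host; the connector account name is a placeholder.
param(
    [string]$ConnectorAccount = 'MSOL_0123456789ab',   # placeholder, replace with yours
    [switch]$Apply                                    # audit only unless set
)
Import-Module ActiveDirectory -ErrorAction Stop

$rootDse  = Get-ADRootDSE
$domainDN = (Get-ADDomain).DistinguishedName
$adPath   = "AD:\$domainDN"
$sid      = (Get-ADUser -Identity $ConnectorAccount).SID

# Resolve GUIDs from this forest's schema and Extended-Rights container so the
# script is correct in any forest instead of relying on hardcoded values.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $o = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}
function Get-RightsGuid([string]$DisplayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$o.rightsGuid
}
$userClass   = Get-SchemaGuid 'user'
$lockoutTime = Get-SchemaGuid 'lockoutTime'
$pwdLastSet  = Get-SchemaGuid 'pwdLastSet'
$resetPwd    = Get-RightsGuid 'Reset Password'
$unexpirePwd = Get-RightsGuid 'Unexpire Password'

$Allow = [System.Security.AccessControl.AccessControlType]::Allow
$Desc  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$All   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$Ext   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$Write = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

# Build one ACE for the connector account. Guid.Empty as the inherited object
# type means "no object-class restriction" (the Unexpire Password entry).
function New-Ace($Rights, [guid]$ObjectType, $Inheritance, [guid]$InheritedType) {
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $Rights, $Allow, $ObjectType, $Inheritance, $InheritedType)
}

# The four entries from the tutorial: three scoped to descendant user objects,
# Unexpire Password on this object and all descendant objects.
$required = @(
    [pscustomobject]@{ Name = 'Reset password';    Rule = New-Ace $Ext   $resetPwd    $Desc $userClass }
    [pscustomobject]@{ Name = 'Write lockoutTime'; Rule = New-Ace $Write $lockoutTime $Desc $userClass }
    [pscustomobject]@{ Name = 'Write pwdLastSet';  Rule = New-Ace $Write $pwdLastSet  $Desc $userClass }
    [pscustomobject]@{ Name = 'Unexpire Password'; Rule = New-Ace $Ext   $unexpirePwd $All  ([guid]::Empty) }
)

# Compare against the existing ACL with identities expressed as SIDs, so a
# renamed or unresolvable account name cannot produce a false "missing".
$acl      = Get-Acl -Path $adPath
$existing = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
$missing  = @(foreach ($r in $required) {
    $hit = $existing | Where-Object {
        $_.AccessControlType -eq $Allow -and
        $_.IdentityReference.Value -eq $sid.Value -and
        $_.ObjectType -eq $r.Rule.ObjectType -and
        ($_.ActiveDirectoryRights -band $r.Rule.ActiveDirectoryRights) -eq $r.Rule.ActiveDirectoryRights
    }
    if (-not $hit) { $r }
})
foreach ($m in $missing) { Write-Warning "Missing on ${domainDN}: '$($m.Name)' for $ConnectorAccount" }
if ($Apply -and $missing.Count -gt 0) {
    foreach ($m in $missing) { $acl.AddAccessRule($m.Rule) }
    Set-Acl -Path $adPath -AclObject $acl
    Write-Host "Granted $($missing.Count) ACE(s) on $domainDN; allow time for replication."
}

# Minimum password age: the default domain policy and any fine-grained policy.
$minAge = (Get-ADDefaultDomainPasswordPolicy).MinPasswordAge
if ($minAge -ne [TimeSpan]::Zero) { Write-Warning "Default domain MinPasswordAge is $minAge (tutorial expects 0)." }
Get-ADFineGrainedPasswordPolicy -Filter * | Where-Object { $_.MinPasswordAge -ne [TimeSpan]::Zero } |
    ForEach-Object { Write-Warning "PSO '$($_.Name)' sets MinPasswordAge $($_.MinPasswordAge)." }

# Users whose ACL has inheritance disabled (typically adminCount=1 accounts
# stamped by AdminSDHolder) never receive the inherited entries above.
Get-ADUser -Filter 'adminCount -eq 1' -Properties adminCount |
    Where-Object { (Get-Acl -Path "AD:\$($_.DistinguishedName)").AreAccessRulesProtected } |
    ForEach-Object { Write-Warning "Inheritance disabled on $($_.SamAccountName); writeback will fail for this account." }
```

<p>Run it once without <code>-Apply</code> to see what is missing, then with <code>-Apply</code> to grant the entries; run it again after the replication window the tutorial mentions to confirm a clean report. In a multi-domain forest run it once per domain, since the Unexpire Password right must be present on the root of each domain. The script deliberately does not touch the accounts it reports under the inheritance check: re-enabling inheritance on an AdminSDHolder-protected account is undone on the next protection cycle, and privileged accounts are a poor fit for self-service reset in any case.</p>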