
Can I use password write-back without password sync in Microsoft Entra?

smith 20 Reputation points
2026-03-06T15:59:49.32+00:00

I’m trying to understand how password write-back works in Microsoft Entra. I’m a bit confused about whether it requires password synchronization or not.

If a user changes or resets their password in Microsoft Entra (for example using self-service password reset), can that password still be written back to our on-premises Active Directory without enabling password hash synchronization?

Or does password write-back only work when password sync is enabled?

I would appreciate it if someone could clarify this in simple terms.

Thank you!


Answer accepted by question author
  1. VEMULA SRISAI 11,810 Reputation points Microsoft External Staff Moderator
    2026-03-06T16:06:43.8766667+00:00

    Hello smith,

    Yes. Password writeback does not require Password Hash Synchronization (PHS) in Microsoft Entra.

    Password writeback works independently of the sign‑in method. If a user resets or changes their password in Microsoft Entra (for example using Self‑Service Password Reset), that password can be written back to on‑premises Active Directory even when PHS is not enabled. This is fully supported with Pass‑Through Authentication (PTA) and AD FS.

    Password writeback is a feature of Microsoft Entra Connect / Cloud Sync and uses a secure outbound channel to update the password directly in on‑prem AD. No password hashes are synced to the cloud as part of this process. Microsoft supports password writeback with PHS, PTA, and AD FS hybrid identity models.

    https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-writeback

    1 person found this answer helpful.

1 additional answer

  1. Q&A Assist
    2026-03-06T16:00:02.4033333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    Password write-back does not require password hash synchronization to be enabled.

    In simple terms:

    • Password write-back is about taking a password change that happens in Microsoft Entra ID (for example via Self-Service Password Reset, SSPR) and writing that new password back to on-premises Active Directory in real time.
    • Password hash synchronization is about copying a hash of the on-premises password up to Microsoft Entra ID so users can sign in with that password in the cloud.

    From the documented behavior:

    • Microsoft Entra password write-back can be used without synchronizing passwords to the cloud. In a federated environment, Microsoft Entra SSO relies on the on-premises directory to authenticate the user, and password write-back still works without storing the password in Microsoft Entra ID.
    • Password write-back is supported with multiple hybrid identity models: password hash synchronization, pass-through authentication, and Active Directory Federation Services (AD FS). It is not tied exclusively to password hash synchronization.
    • When SSPR with write-back is enabled, password changes or resets performed in Microsoft Entra ID are written back to on-premises AD DS in real time, and on-premises password policies are enforced during the reset.

    So:

    • Enabling password hash synchronization is not mandatory for password write-back to function.
    • Password write-back works as long as the environment is configured with a supported hybrid identity model (PHS, PTA, or AD FS) and Microsoft Entra Connect or Entra Connect cloud sync is set up for write-back.

    References:
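Both answers above make the same point: password writeback and password hash synchronization are independent settings. The following PowerShell check, added here as an example and not taken from either answer or from Microsoft's documentation, reads both states from the Entra Connect server so an administrator can confirm writeback is on regardless of PHS. It assumes the ADSync module that ships with Microsoft Entra Connect, a single Entra connector whose name ends in "- AAD", and the output property names `PasswordHashSync` and `Enabled`, which may differ between versions.

```powershell
# Added example: run in an elevated PowerShell session on the Microsoft Entra
# Connect server. Property names read below (PasswordHashSync, Enabled) are
# assumptions about the cmdlet output and may differ by Entra Connect version.
Import-Module ADSync -ErrorAction Stop

# The Microsoft Entra connector is conventionally named "<tenant> - AAD".
# Assumption: exactly one such connector is configured.
$aadConnector = Get-ADSyncConnector |
    Where-Object { $_.Name -like '* - AAD' } |
    Select-Object -First 1
if (-not $aadConnector) { throw 'No Microsoft Entra connector found.' }

# Tenant-level feature flags as Entra Connect sees them; PasswordHashSync
# reports whether password hash synchronization is enabled.
$features   = Get-ADSyncAADCompanyFeature
$phsEnabled = [bool]$features.PasswordHashSync

# Password writeback (used by SSPR) state for the same connector.
$writeback        = Get-ADSyncAADPasswordResetConfiguration -Connector $aadConnector.Name
$writebackEnabled = [bool]$writeback.Enabled

# Writeback does not depend on PHS, so every combination below is a valid,
# supported configuration; the last field highlights the PTA/AD FS case.
[pscustomobject]@{
    Connector           = $aadConnector.Name
    PasswordHashSync    = $phsEnabled
    PasswordWriteback   = $writebackEnabled
    WritebackWithoutPHS = ($writebackEnabled -and -not $phsEnabled)
}
```

If `PasswordWriteback` is true while `PasswordHashSync` is false, the environment is in exactly the situation the question asks about, and resets from Microsoft Entra ID will still be written to on-premises AD through the Entra Connect connector.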
