write back password

Question

write back password

Shahin Mortazave 491

Hi,

We have synced our on-prem users with Azure AD as part of our office 365. Now we want to set up the write back password policy so our users can change thier password when they are not at the office.

I have bought 5 licenses to run a test for only 5 users. Can we enable the write back password on our AAD and then enable the password write back in Azure only for a group of users without hindering the reset of users in the comapny?

Accepted answer

0 additional answers

Your answer

Answer 1

AmanpreetSingh-MSFT 56,866 Moderator

Hello @Shahin Mortazave

The Password Writeback feature is enabled by using AD Connect and it gets enabled for entire tenant. However, if you want to restrict only 5 users during test phase, you can add those users to a Group and add that group under SSPR as shown below:

a
In this case, only the members of this group can reset their passwords, which will be written back to On-premises Active Directory. Users, who are not part of the group can't reset their passwords. Hence password writeback won't happen for them.

-----------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Shahin Mortazave 491 Reputation points

2020-09-24T13:04:12.09+00:00

Hi,
Thanks for your erply,
If I undertood it correctly if we do add the 5 test users to a group and add that group to the selected group in azure ad then the reset of users will not be affected, is this correct?
AmanpreetSingh-MSFT 56,866 Reputation points Moderator

2020-09-24T15:08:57.493+00:00

Hi @Shahin Mortazave It will not impact other synced users except those 5 test users. However, it may impact cloud only users based on your current configuration. Have you currently configured this feature for cloud only users? If yes, you can add 5 test users to the same group. If not, then there won't be any impact on cloud-only users as well.
AmanpreetSingh-MSFT 56,866 Reputation points Moderator

2020-09-25T08:24:37.373+00:00

Hi @Shahin Mortazave Have you had a chance to test it out? Please let me know if you have any further question.
Shahin Mortazave 491 Reputation points

2020-09-25T08:31:34.61+00:00

Thanks for your update,

From what I can see option write back policy is not selected at the AAD in on-premis server and also is not checked at Azure AD console.
How can I findout if password reset has been configured for cloud only users? I ask this becuase we have some cloud base users in O365 console.
Also what is the imact if password reset is enabled for the cloud base users?

Thanks
AmanpreetSingh-MSFT 56,866 Reputation points Moderator

2020-09-25T09:04:35.377+00:00

Hi @Shahin Mortazave Writeback option is only for Synced users and is not needed for Cloud-only users because their password is stored in Azure AD which is why no writeback to on-prem AD is required. To check if SSPR is enabled, please refer to the screenshot that I shared earlier. If it is set to None, it is not enabled. If it is set to Selected or All, it is enabled. Which option is selected in your case?
Shahin Mortazave 491 Reputation points

2020-09-25T12:41:03.06+00:00

Hi @AmanpreetSingh-MSFT Option that you mentioned is currently is set to none, so as you mentioned this menas that the write back is not configured yet.

We have plane to set this up for next week, I will keep you posted.
Shahin Mortazave 491 Reputation points

2020-09-25T12:50:57.35+00:00

@AmanpreetSingh-MSFT Just one more question, after the test users register themself , can they reset thier password only from hier https://passwordreset.microsoftonline.com/ or they can also use the link at office365 login page that says "forget password" also
AmanpreetSingh-MSFT 56,866 Reputation points Moderator

2020-09-25T13:05:46.44+00:00

@Shahin Mortazave If you are talking about below option, that also redirect the users to https://passwordreset.microsoftonline.com/ url. So the users will eventually land up on the same page.
Shahin Mortazave 491 Reputation points

2020-09-29T13:32:14.417+00:00

Hi @AmanpreetSingh-MSFT

We are getting ready to set up the write backup policy tomorrow.
We have already 6 month ago have enabled the SSO for our on-prem domain with Office 365 tenant and SSO works. I just came across one more question. When we try to enable the Write Back Password in AAD
At the last step see this, can we go ahead and finish the setup? or with SSO enabled are some extra steps involved in seting up the Write back policy?
AmanpreetSingh-MSFT 56,866 Reputation points Moderator

2020-09-29T14:13:04.493+00:00

@Shahin Mortazave · You can go ahead and finish the setup. There are no extra steps involved for SSO configuration while setting up Password Writeback.
Shahin Mortazave 491 Reputation points

2020-09-29T14:33:25.28+00:00

@AmanpreetSingh-MSFT
I have 5 Microsoft 365 Business Premium Licenses with Azure AD P1, this would allow us the Write back password policy , correct?
I ask this because I read that some people with this license when open a user in Azure AD still see "On-premises integration has not been enabled. Learn how to enable password writeback."
AmanpreetSingh-MSFT 56,866 Reputation points Moderator

2020-09-29T17:40:20.66+00:00

@Shahin Mortazave · Microsoft 365 Business Premium and Azure AD P1 or P2 supports password writeback. This is documented here: https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-licensing#compare-editions-and-features
Shahin Mortazave 491 Reputation points

2020-09-30T09:28:04.687+00:00

Hi @AmanpreetSingh-MSFT I just enabled the Password write back on our AAD and config went good, After I enable the password reset for a security group and also add a single user to this group. Now when I login to the e.i. outlook.office365.com or to https://aka.ms/ssprsetup and login with the test user get a message as the same if the MFA has enabled for this user but it is not so. If I remove the usertest1 from the security group then this user will login without this message! Should usertesat1 first register himself and the add him to the security group?
AmanpreetSingh-MSFT 56,866 Reputation points Moderator

2020-09-30T10:01:23.067+00:00

@Shahin Mortazave · Yes, this is based on the authentication methods you select on below page, users would be required to set those up. Users can reset their passwords only after performing authentication based on the methods selected here:
Shahin Mortazave 491 Reputation points

2020-09-30T10:12:10.19+00:00

@AmanpreetSingh-MSFT , ok I get this user registered and confirm the registration, but now when try to reset a password of this user get this error:

SSPR_0029: Your organization has not correctly set up the on-premises password reset configuration.
I check the user account that I can see in AAD and start MSOL\ and I can see this user has the right
Replicating Directory
Reset Password
3X Read/Write All properties

Any suggestion?
AmanpreetSingh-MSFT 56,866 Reputation points Moderator

2020-09-30T10:22:43.97+00:00

@Shahin Mortazave · This error occurs due to permissions issue. Please check Configure account permissions for Azure AD Connect and make sure appropriate permissions are configured. If you have AD Connect installed on a DC, service account should be added to Enterprise Admins group in on-premises AD.
Shahin Mortazave 491 Reputation points

2020-09-30T10:36:31.887+00:00

@AmanpreetSingh-MSFT

When I go to the root of the domain in ADUC in on-prem AD and choose property-Advence-and froom user prencipal choose the MSOL and select the descendant user objects I can see that these option are not selected, should I also select these options?

•Reset password
•Change password
•Write lockoutTime
•Write pwdLastSet
AmanpreetSingh-MSFT 56,866 Reputation points Moderator

2020-09-30T10:42:14.49+00:00

@Shahin Mortazave · Yes, these permissions are required. For now, you can just set these permissions directly on the user account that you are testing with. Once the testing is done, you can set these permissions for entire domain with selecting the descendant user objects.
Shahin Mortazave 491 Reputation points

2020-09-30T11:07:46.54+00:00

@AmanpreetSingh-MSFT
This is good idea to set it first only for this user, Should I also select the Descendant User objects for the test user account as well?
Shahin Mortazave 491 Reputation points

2020-09-30T11:12:46.91+00:00

@AmanpreetSingh-MSFT ,or instead chose This object and all Descendant User user Object,
AmanpreetSingh-MSFT 56,866 Reputation points Moderator

2020-09-30T12:46:56.003+00:00

@Shahin Mortazave · If you are assigning permissions directly on user account, then "This object only" would also be fine. This object and all Descendant User objects would work too.
Shahin Mortazave 491 Reputation points

2020-09-30T13:21:58.843+00:00

@AmanpreetSingh-MSFT
Thanks for you replay, that has solve the issue for that users so it means we should also set the rights for all the users.
I just still dont understad is why the test user had to accept access on his mobile ( ms authenticator app) even when only option email was selected voor autentication metod. is this means users must have MFA prior to changing their password?
AmanpreetSingh-MSFT 56,866 Reputation points Moderator

2020-09-30T13:34:30.07+00:00

@Shahin Mortazave · If only the email option is selected under authentication methods, user shouldn't be prompted for MFA via Authenticator app. Can you confirm if the group you are using for testing purpose, is not added somewhere else like in Azure AD Identity Protection or Conditional Access policies. Could you please test with a new group just to make sure no other policies are getting applied to the user.
Shahin Mortazave 491 Reputation points

2020-10-01T08:39:51.747+00:00

@AmanpreetSingh-MSFT Thank you as always for your update,
The test group is not using for anything else because I just create the group before configuration of Password write back.
IThis may heppens because the authentication methods has also Authenticator app and I just removed it before the test and maybe we did not wait enough, I will run a new test with a new user and see if the user will get again the Authenticator app message.

I will keep you posted.
AmanpreetSingh-MSFT 56,866 Reputation points Moderator

2020-10-01T09:04:24.23+00:00

@Shahin Mortazave · You're welcome. Yes, that makes sense. The change might take some time to take effect.

Share via

write back password

0 additional answers

Your answer