This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
I have AD connect running for one of my customers. The AD connect was configured by another person who left the company. There was no documentation done after implementation.
I just need to know if password write back is enabled or not.
I tried to run the command below and got that output
PS C:\Windows\system32> Get-ADSyncAADCompanyFeature
PasswordHashSync : True
ForcePasswordChangeOnLogOn : False
UserWriteback : False
DeviceWriteback : True
UnifiedGroupWriteback : False
GroupWritebackV2 : False
Is there a PowerShell script or cmdlet that i can use to get the status for that setting.
Hello @Benard Mwanza
I just wanted to follow up and confirm if the commands shared in previous answer helped. I would request you to please accept the answer if the information helped you. As this will help us as well as others in the community.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 17%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGM%3C/text%3E%3C/svg%3E)
@Benard Mwanza As mentioned by one of our experts you can run the above command as well you check whether password writeback is enabled on your tenant by going to this section of portal.azure.com
Azure Active Directory -> Password Reset -> On-premises integration
Reference: https://www.powershellcenter.com/2021/08/09/adconnect-issue1/
Hello @Benard Mwanza
Thank you for reaching out. To validate if the Password writeback is enabled you can execute following command on your AD Connect Server:
Get current status of Password Writeback:
$connector = (Get-ADSyncConnector | Where-Object {$_.Name -ilike "*AAD"}).Name
Get-ADSyncAADPasswordResetConfiguration -Connector $connector
I hope this helps and resolves your query.
----------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Nothing in MS graph module?
PS>(Get-MgDirectoryOnPremiseSynchronization ).features | fl *
BlockCloudObjectTakeoverThroughHardMatchEnabled : False
BlockSoftMatchEnabled : False
BypassDirSyncOverridesEnabled : False
CloudPasswordPolicyForPasswordSyncedUsersEnabled : False
ConcurrentCredentialUpdateEnabled : False
ConcurrentOrgIdProvisioningEnabled : True
DeviceWritebackEnabled : False
DirectoryExtensionsEnabled : False
FopeConflictResolutionEnabled : False
GroupWriteBackEnabled : False
PasswordSyncEnabled : True
PasswordWritebackEnabled : False
QuarantineUponProxyAddressesConflictEnabled : True
QuarantineUponUpnConflictEnabled : True
SoftMatchOnUpnEnabled : True
SynchronizeUpnForManagedUsersEnabled : True
UnifiedGroupWritebackEnabled : False
UserForcePasswordChangeOnLogonEnabled : False
UserWritebackEnabled : False
AdditionalProperties : {}
While
PS C:\Users\administrator.ADLAB> $connector = (Get-ADSyncConnector | Where-Object {$_.Name -ilike "*AAD"}).Name
PS C:\Users\administrator.ADLAB> Get-ADSyncAADPasswordResetConfiguration -Connector $connector
Connector : M365x00694735.onmicrosoft.com - AAD
Enabled : True
ModifiedTimestamp : 04-03-2024 16:06:58
OnboardingRequiredStatus : NotRequired
ServiceStatus : Started
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(249.60000000000002, 28.000000000000004%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENA%3C/text%3E%3C/svg%3E)
The PasswordWritebackEnabled in Graph's OnPremiseSynchronization is no longer supported. Please ignore this flag. As of today, the only way of checking if password writeback is enabled is through the admin portal or locally on the server via PowerShell:
$c = Get-ADSyncConnector | Where-Object {$_.Identifier -eq 'b891884f-051e-4a83-95af-2544101c9083'}
Get-ADSyncAADPasswordResetConfiguration -Connector $c.Name
Result:
Connector : Contoso.onmicrosoft.com - AAD
Enabled : True
ModifiedTimestamp : 3/19/2025 1:35:17 AM
OnboardingRequiredStatus : NotRequired
ServiceStatus : Started
This is documented publicly at Enable Microsoft Entra password writeback:
Updating PasswordWritebackEnabled from OnPremDirectorySynchronization service features is not supported as this feature flag is not in use.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(89.60000000000001, 20%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERB%3C/text%3E%3C/svg%3E)
I've been fighting with this, too.
I know you can get the results in the Azure Portal, as Givary-MSFT mentioned. But I found a weird anomaly when I try to get it with the Graph PowerShell Module where it says it's disabled.
PasswordWritebackEnabled : False
Connect-MgGraph
$OnPremSync = Get-MgDirectoryOnPremiseSynchronization -Property *
$OnPremSync.Features | Format-List
Disconnect-Graph