Is there a way to know if password writeback is enabled or not

Benard Mwanza 1,001 Reputation points
2022-11-15T09:07:29.083+00:00

I have AD connect running for one of my customers. The AD connect was configured by another person who left the company. There was no documentation done after implementation.

I just need to know if password write back is enabled or not.

I tried to run the command below and got this output:

    PS C:\Windows\system32> Get-ADSyncAADCompanyFeature

    PasswordHashSync           : True
    ForcePasswordChangeOnLogOn : False
    UserWriteback              : False
    DeviceWriteback            : True
    UnifiedGroupWriteback      : False
    GroupWritebackV2           : False

Is there a PowerShell script or cmdlet that I can use to get the status for that setting?


Accepted answer
  1. Givary-MSFT 35,601 Reputation points Microsoft Employee Moderator
    2022-11-15T09:34:56.993+00:00

    @Benard Mwanza As mentioned by one of our experts, you can run the above command. You can also check whether password writeback is enabled on your tenant by going to this section of portal.azure.com:

    Azure Active Directory -> Password Reset -> On-premises integration

    Reference: https://www.powershellcenter.com/2021/08/09/adconnect-issue1/


3 additional answers

  1. Harpreet Singh Matharoo 8,376 Reputation points Microsoft Employee Moderator
    2022-11-15T09:18:37.213+00:00

    Hello @Benard Mwanza

    Thank you for reaching out. To validate whether password writeback is enabled, you can execute the following command on your AD Connect server:

    Get current status of Password Writeback:

    $connector = (Get-ADSyncConnector | Where-Object {$_.Name -ilike "*AAD"}).Name
    Get-ADSyncAADPasswordResetConfiguration -Connector $connector

    I hope this helps and resolves your query.

    ----------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.

  2. Nuno Alexandre 91 Reputation points Microsoft Employee
    2025-04-02T19:45:38.09+00:00

    The PasswordWritebackEnabled in Graph's OnPremiseSynchronization is no longer supported. Please ignore this flag. As of today, the only way of checking if password writeback is enabled is through the admin portal or locally on the server via PowerShell:

    $c = Get-ADSyncConnector | Where-Object {$_.Identifier -eq 'b891884f-051e-4a83-95af-2544101c9083'}
    Get-ADSyncAADPasswordResetConfiguration -Connector $c.Name
    

    Result:

    Connector                : Contoso.onmicrosoft.com - AAD
    Enabled                  : True
    ModifiedTimestamp        : 3/19/2025 1:35:17 AM
    OnboardingRequiredStatus : NotRequired
    ServiceStatus            : Started
    

    This is documented publicly at Enable Microsoft Entra password writeback:

    Updating PasswordWritebackEnabled from OnPremDirectorySynchronization service features is not supported as this feature flag is not in use.

    1 person found this answer helpful.
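
An added example (not part of any answer on this page, and not Microsoft's own code) that combines the on-server checks from Harpreet Singh Matharoo's and Nuno Alexandre's answers into one report, useful for documenting an inherited deployment. The function name `Get-WritebackReport` and the report property names are hypothetical; it assumes it runs on the AD Connect server, where the ADSync module is installed.

```powershell
# Added example: run in an elevated PowerShell session on the AD Connect server.
Import-Module ADSync -ErrorAction Stop

# Connector identifier taken from the answer above.
$aadConnectorId = 'b891884f-051e-4a83-95af-2544101c9083'

function Get-WritebackReport {   # hypothetical helper name
    $connectors = @(Get-ADSyncConnector)

    # Prefer the identifier match; fall back to the "*AAD" name pattern
    # used in the earlier answer if the identifier finds nothing.
    $aad = @($connectors | Where-Object { $_.Identifier -eq $aadConnectorId })
    if ($aad.Count -eq 0) {
        $aad = @($connectors | Where-Object { $_.Name -ilike '*AAD' })
    }
    if ($aad.Count -ne 1) {
        throw "Expected exactly one AAD connector, found $($aad.Count)."
    }

    # Password writeback state lives in the password reset configuration,
    # not in the Get-ADSyncAADCompanyFeature output shown in the question.
    $reset    = Get-ADSyncAADPasswordResetConfiguration -Connector $aad[0].Name
    $features = Get-ADSyncAADCompanyFeature

    # Assumption: any ServiceStatus other than the 'Started' value shown in
    # the sample output deserves a closer look when writeback is enabled.
    if ($reset.Enabled -and $reset.ServiceStatus -ne 'Started') {
        Write-Warning "Writeback is enabled but ServiceStatus is '$($reset.ServiceStatus)'."
    }

    # One flat object that can be archived as deployment documentation.
    [pscustomobject]@{
        Connector                = $aad[0].Name
        PasswordWritebackEnabled = $reset.Enabled
        WritebackLastModified    = $reset.ModifiedTimestamp
        OnboardingRequiredStatus = $reset.OnboardingRequiredStatus
        ServiceStatus            = $reset.ServiceStatus
        PasswordHashSync         = $features.PasswordHashSync
        DeviceWriteback          = $features.DeviceWriteback
        UserWriteback            = $features.UserWriteback
        UnifiedGroupWriteback    = $features.UnifiedGroupWriteback
    }
}

Get-WritebackReport | Format-List
```

Piping the result to `ConvertTo-Json` instead of `Format-List` gives a record that can be stored alongside other deployment notes.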

  3. Ryan B Cooley 46 Reputation points
    2024-09-03T20:50:48.68+00:00

    I've been fighting with this, too.

    I know you can get the results in the Azure Portal, as Givary-MSFT mentioned. But I found a weird anomaly when I try to get it with the Graph PowerShell Module where it says it's disabled.

    PasswordWritebackEnabled : False

    Connect-MgGraph
    
    $OnPremSync = Get-MgDirectoryOnPremiseSynchronization -Property *
    
    $OnPremSync.Features | Format-List
    
    Disconnect-Graph
    