Is there a way to know if password writeback is enabled or not

Benard Mwanza 1,006 Reputation points
2022-11-15T09:07:29.083+00:00

I have AD connect running for one of my customers. The AD connect was configured by another person who left the company. There was no documentation done after implementation.

I just need to know if password write back is enabled or not.

I tried to run the command below and got that output

    PS C:\Windows\system32> Get-ADSyncAADCompanyFeature

    PasswordHashSync           : True
    ForcePasswordChangeOnLogOn : False
    UserWriteback              : False
    DeviceWriteback            : True
    UnifiedGroupWriteback      : False
    GroupWritebackV2           : False

Is there a PowerShell script or cmdlet that I can use to get the status for that setting?

Windows for business | Windows Client for IT Pros | Directory services | Active Directory
Microsoft Security | Microsoft Entra | Microsoft Entra ID

Accepted answer
  1. Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator
    2022-11-15T09:34:56.993+00:00

    @Benard Mwanza As mentioned by one of our experts, you can run the above command. You can also check whether password writeback is enabled on your tenant by going to this section of portal.azure.com:

    Azure Active Directory -> Password Reset -> On-premises integration

    Reference: https://www.powershellcenter.com/2021/08/09/adconnect-issue1/


3 additional answers

  1. Harpreet Singh Matharoo 8,396 Reputation points Microsoft Employee Moderator
    2022-11-15T09:18:37.213+00:00

    Hello @Benard Mwanza

    Thank you for reaching out. To validate whether password writeback is enabled, you can execute the following command on your AD Connect server:

    Get current status of Password Writeback:

    $connector = (Get-ADSyncConnector | Where-Object {$_.Name -ilike "*AAD"}).Name
    Get-ADSyncAADPasswordResetConfiguration -Connector $connector

    I hope this helps and resolves your query.

    ----------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    2 people found this answer helpful.

  2. Nuno Alexandre 96 Reputation points Microsoft Employee
    2025-04-02T19:45:38.09+00:00

    The PasswordWritebackEnabled in Graph's OnPremiseSynchronization is no longer supported. Please ignore this flag. As of today, the only way of checking if password writeback is enabled is through the admin portal or locally on the server via PowerShell:

    $c = Get-ADSyncConnector | Where-Object {$_.Identifier -eq 'b891884f-051e-4a83-95af-2544101c9083'}
    Get-ADSyncAADPasswordResetConfiguration -Connector $c.Name
    

    Result:

    Connector                : Contoso.onmicrosoft.com - AAD
    Enabled                  : True
    ModifiedTimestamp        : 3/19/2025 1:35:17 AM
    OnboardingRequiredStatus : NotRequired
    ServiceStatus            : Started
    

    This is documented publicly at Enable Microsoft Entra password writeback:

    Updating PasswordWritebackEnabled from OnPremDirectorySynchronization service features is not supported as this feature flag is not in use.

    2 people found this answer helpful.

  3. Ryan B Cooley 51 Reputation points
    2024-09-03T20:50:48.68+00:00

    I've been fighting with this, too.

    I know you can get the results in the Azure Portal, as Givary-MSFT mentioned. But I found a weird anomaly when I try to get it with the Graph PowerShell Module where it says it's disabled.

    PasswordWritebackEnabled : False

    Connect-MgGraph
    $OnPremSync = Get-MgDirectoryOnPremiseSynchronization -Property *
    $OnPremSync.Features | Format-List
    Disconnect-Graph
    
    1 person found this answer helpful.
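
The local check from the answers above, gathered into one function for documenting an inherited AD Connect server. This is an added example, not code from any poster or from Microsoft; the function name `Get-PasswordWritebackStatus` and its output property names are assumptions, while the cmdlets, result fields and connector identifier are the ones quoted in the thread.

```powershell
# Added example: run in an elevated PowerShell session on the AD Connect server.
# Get-PasswordWritebackStatus and its output property names are hypothetical;
# the ADSync cmdlets, result fields and connector GUID are those quoted in the thread.
function Get-PasswordWritebackStatus {
    [CmdletBinding()]
    param(
        # Identifier of the AAD connector as given in the answer above.
        [string]$AadConnectorId = 'b891884f-051e-4a83-95af-2544101c9083'
    )

    # Fail early when the ADSync cmdlets are missing (wrong server or wrong session).
    if (-not (Get-Command Get-ADSyncConnector -ErrorAction SilentlyContinue)) {
        throw 'ADSync cmdlets not found. Run this on the server where AD Connect is installed.'
    }

    # Prefer the connector identifier; fall back to the "*AAD" name match.
    $connectors = @(Get-ADSyncConnector)
    $aad = @($connectors | Where-Object { $_.Identifier -eq $AadConnectorId })
    if ($aad.Count -eq 0) {
        $aad = @($connectors | Where-Object { $_.Name -like '*AAD' })
    }
    # A name match can hit zero or several connectors; refuse to guess.
    if ($aad.Count -ne 1) {
        throw "Expected exactly one AAD connector, found $($aad.Count)."
    }

    $reset    = Get-ADSyncAADPasswordResetConfiguration -Connector $aad[0].Name
    $features = Get-ADSyncAADCompanyFeature

    # One record per server, suitable for Export-Csv or ConvertTo-Json.
    [pscustomobject]@{
        Server                   = $env:COMPUTERNAME
        Connector                = $aad[0].Name
        PasswordWritebackEnabled = [bool]$reset.Enabled
        ServiceStatus            = $reset.ServiceStatus
        OnboardingRequiredStatus = $reset.OnboardingRequiredStatus
        ModifiedTimestamp        = $reset.ModifiedTimestamp
        PasswordHashSync         = $features.PasswordHashSync
        UserWriteback            = $features.UserWriteback
        DeviceWriteback          = $features.DeviceWriteback
        UnifiedGroupWriteback    = $features.UnifiedGroupWriteback
        GroupWritebackV2         = $features.GroupWritebackV2
    }
}

Get-PasswordWritebackStatus | Format-List
```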