Password Changed with Python Function using Graph API not updating On-Prem

Adrian Carlson 0 Reputation points
2023-11-13T19:05:40+00:00

We have a hybrid AD setup. I have a Python script that uses the Graph API and Application permissions to generate a new secure password for a student, and then pushes that new password into Entra AD. The student's password changes for Office 365, but the changed password will not synchronize down to on-prem, even though we have password writeback enabled.

What do I need to do to get the newly generated password to sync down and update the user's on-prem account password?

This is what I am using for the API Call:

import json
import requests

# user, access_token and newPassword are set earlier in the script (not shown here)
graph_url = f'https://graph.microsoft.com/v1.0/users/{user["id"]}'
headers = {
    'Authorization': f'Bearer {access_token}',
    'Content-Type': 'application/json'
}

# Admin-style reset of the user's password through the passwordProfile property
update_data = {
    'passwordProfile': {
        'forceChangePasswordNextSignIn': False,
        'password': newPassword
    }
}

update_response = requests.patch(graph_url, headers=headers, data=json.dumps(update_data))
update_response.raise_for_status()  # surface a rejected PATCH instead of silently ignoring it

1 answer

  1. Danstan Onyango 3,821 Reputation points Microsoft Employee
    2023-12-19T07:56:22.1066667+00:00

    When password writeback is enabled, the new password should sync down to on-premises AD as long as the "passwordPolicies" attribute is not set to "None" or "DisablePasswordSync". You can verify whether the user's password policies are set to allow password sync using the Azure AD PowerShell module.

    Here is an example PowerShell command to check the password policies for a user:

    Get-AzureADUser -ObjectId <UserObjectID> | Select-Object PasswordPolicies
    

    If the password policies are not the issue, you can try forcing a password sync by running the following PowerShell command:

    Set-ADSyncAADPasswordSyncConfiguration -SourceConnector "AD Connector" -TargetConnector "Azure AD Connector" -AllowPasswordSync $true
    

    This will force a password sync for all users.

    Additionally, you may want to check if the Azure AD Connect synchronization service is running and properly configured.

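An added example, not code from the question or the answer: it performs the same PATCH the question uses and then reads back the user attributes the answer says to check, so the script itself can report why a reset would not reach on-prem AD. It uses only the standard library; the "None"/"DisablePasswordSync" values come from the answer above, the token and user id are assumed to be obtained the way the question's script already does, and the sample user at the bottom is constructed.

```python
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
# User attributes that show whether a password reset can be written back on-prem.
SYNC_FIELDS = "id,userPrincipalName,passwordPolicies,onPremisesSyncEnabled,onPremisesLastSyncDateTime"

def graph_call(token, method, url, body=None):
    """One Graph request; returns the decoded JSON body ({} for an empty 204 reply).
    urlopen raises HTTPError on 4xx/5xx, so a rejected PATCH is never silently ignored."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}

def reset_password(token, user_id, new_password):
    """The admin reset the question performs (PATCH passwordProfile); never log new_password."""
    body = {"passwordProfile": {"forceChangePasswordNextSignIn": False, "password": new_password}}
    graph_call(token, "PATCH", f"{GRAPH}/users/{user_id}", body)

def fetch_sync_state(token, user_id):
    """Read back the attributes needed to explain a missing writeback."""
    return graph_call(token, "GET", f"{GRAPH}/users/{user_id}?$select={SYNC_FIELDS}")

def writeback_blockers(user):
    """Return the reasons, taken from the answer above, why the new password would not
    reach on-prem AD. An empty list means the user object itself is not the cause."""
    reasons = []
    if not user.get("onPremisesSyncEnabled"):
        reasons.append("onPremisesSyncEnabled is not true: user is cloud-only, nothing to write back")
    policies = {p.strip() for p in (user.get("passwordPolicies") or "").split(",")}
    for value in ("None", "DisablePasswordSync"):  # values the answer says stop the sync
        if value in policies:
            reasons.append(f"passwordPolicies contains {value}")
    return reasons

if __name__ == "__main__":
    # Constructed sample user (not a real tenant), run through the check only.
    sample = {"id": "00000000-0000-0000-0000-000000000000", "userPrincipalName": "student@example.edu",
              "onPremisesSyncEnabled": True, "passwordPolicies": "DisablePasswordExpiration, DisablePasswordSync"}
    print(writeback_blockers(sample))
```

In a live run, call reset_password() and then fetch_sync_state() with the same token and user id, and pass the returned object to writeback_blockers(); onPremisesLastSyncDateTime in that object tells you when Entra Connect last touched the account.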
