Azure AD - Password reset by Helpdesk and User self service password reset

Azurebegginer 146 Reputation points


Hope you are well. I understand in Azure AD we can configure so that the end user can reset the password themeself by having configurable challanges.

We are planning for passthrough authontication as we are using on-premise AD connecting with Azure AD using Azure AD connect.

Can the helpdesk resource reset the password on on-premise active directory tool "User and computers" and the password replicates to Azure AD??

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,608 questions
0 comments No comments
{count} votes

Accepted answer
  1. Leon Laude 85,726 Reputation points


    Yes this is possible, assuming you have Azure AD Connect synchronization, it will synchronize the password hashes from your on-premise Active Directory (AD) to the Azure Active Directory (Azure AD).

    You'll find more information over here:

    Implement password hash synchronization with Azure AD Connect sync

    Best regards,

    1 person found this answer helpful.
    0 comments No comments

1 additional answer

Sort by: Most helpful
  1. AmanpreetSingh-MSFT 56,506 Reputation points

    Hi @NeerajV-6011

    By default you will see Password Hash Sync (PHS) and Pass-Through Authentication (PTA) as radio button options in the AD Connect Configuration wizard as shown below and you can only select one of these options:


    However, you can enable PHS as a backup using below option:

    Customize synchronization options > connect to Azure and AD > Optional features > Password Hash Synchronization

    When you configure this option, PHS also gets enabled and everytime a password is changed in On-premises AD, the password hash gets synchronized to Azure AD every 2 minutes. In this case, if helpdesk resource reset the password on on-premise active directory, it will sync to Azure AD.

    Note: If you configure this option, PHS will just act as a backup and PTA will remain your primary mode of authentication. Authentication will not fallback from PTA to PHS automatically. You would have to manually switch to PHS if and when needed.


    Please do not forget to "Accept the answer" wherever the information provided helps you. This will help others in the community as well.

    1 person found this answer helpful.
    0 comments No comments