Issues with Password Writeback in Hybrid AD Environment

Question

Issues with Password Writeback in Hybrid AD Environment

Soliman Hanafy 0

I am reaching out to request technical assistance regarding a synchronization issue between our On-premises Active Directory and Microsoft Entra ID (Azure AD).

Current Environment:

Setup: Hybrid identity using Microsoft Entra Connect.

Current Status: Password synchronization works from On-premises to Cloud (downstream).

The Problem: We are unable to sync password changes from the Cloud to On-premises (upstream). Users cannot change their passwords via the Microsoft portal; changes must currently be made directly in the On-premises AD.

Rukmini 29,305 Reputation points Microsoft External Staff Moderator

2026-02-26T08:30:02.9233333+00:00
Hello Soliman Hanafy,

By default, password sync from On-premises to Cloud (Password Hash Sync) is enabled in a hybrid setup with Microsoft Entra Connect. Enabling Password Writeback in Microsoft Entra ID is necessary for Cloud → On-prem password synchronization. Check the following since upstream sync isn't functioning:

Turn on Password Writeback Launch Entra Connect → Set Up → Extra Features. Verify that Password Writeback is selected. Finish the wizard.

Check Licensing SSPR + Writeback requires Azure AD Premium P1/P2.

Use Supported Password Change Method

Writeback works only if users change passwords via:

SSPR portal

My Apps / Microsoft 365 user portal

It does NOT work for:

Admin reset from M365 Admin Center

Password set during user creation

Legacy PowerShell resets

Restart the Sync Service. Restart the Entra Connect server's Azure AD Sync service.

Verify AD Permissions Verify that the Connect service account possesses:

Reset password

Write pwdLastSet

Write lockoutTime.

Cloud → On-prem password synchronization will work smoothly after Password Writeback is enabled and users use the supported password changing techniques.

Let me know if any further queries - feel free to reach out!
Rukmini 29,305 Reputation points Microsoft External Staff Moderator

2026-02-27T02:10:12.5833333+00:00

Hello Soliman Hanafy, Following up to see if the above provided information was helpful. If you have any further queries do let us know.
Raja Pothuraju 45,870 Reputation points Microsoft External Staff Moderator

2026-03-05T08:39:23.4133333+00:00

@Soliman Hanafy, Just checking in to see if below information was helpful. If you have any further updates on this issue, please feel free to post back.

1 answer

Your answer

Rukmini 29,305 Reputation points Microsoft External Staff Moderator

2026-02-26T08:30:02.9233333+00:00

Hello Soliman Hanafy,

By default, password sync from On-premises to Cloud (Password Hash Sync) is enabled in a hybrid setup with Microsoft Entra Connect. Enabling Password Writeback in Microsoft Entra ID is necessary for Cloud → On-prem password synchronization. Check the following since upstream sync isn't functioning:

Turn on Password Writeback Launch Entra Connect → Set Up → Extra Features. Verify that Password Writeback is selected. Finish the wizard.

Check Licensing SSPR + Writeback requires Azure AD Premium P1/P2.

Use Supported Password Change Method

Writeback works only if users change passwords via:

SSPR portal

My Apps / Microsoft 365 user portal

It does NOT work for:

Admin reset from M365 Admin Center

Password set during user creation

Legacy PowerShell resets

Restart the Sync Service. Restart the Entra Connect server's Azure AD Sync service.

Verify AD Permissions Verify that the Connect service account possesses:

Reset password

Write pwdLastSet

Write lockoutTime.

Cloud → On-prem password synchronization will work smoothly after Password Writeback is enabled and users use the supported password changing techniques.

Let me know if any further queries - feel free to reach out!
Rukmini 29,305 Reputation points Microsoft External Staff Moderator

2026-02-27T02:10:12.5833333+00:00

Hello Soliman Hanafy, Following up to see if the above provided information was helpful. If you have any further queries do let us know.
Raja Pothuraju 45,870 Reputation points Microsoft External Staff Moderator

2026-03-05T08:39:23.4133333+00:00

@Soliman Hanafy, Just checking in to see if below information was helpful. If you have any further updates on this issue, please feel free to post back.

Answer 1

Password writeback (cloud → on-premises) requires specific configuration and only works in certain scenarios. Use the following checks and steps to restore upstream password sync.

Confirm password writeback is a supported scenario in your environment

Password writeback is only supported when:

Hybrid identity is configured with one of these models:
- Password hash synchronization (PHS)
- Pass-through authentication (PTA)
- Active Directory Federation Services (AD FS)
Password changes are performed in supported locations:
- Self-service password reset (SSPR) portal: https://passwordreset.microsoftonline.com
- Password change in My Apps / Microsoft 365 portal
- Admin SSPR via the same SSPR portal

Password writeback does not occur when:

Admin resets passwords in Microsoft 365 admin center
Passwords are set at new user creation in portals or via Microsoft Graph PowerShell
Admin resets passwords via legacy MSOnline/AzureAD PowerShell modules

If users are changing passwords only via unsupported admin paths, those changes will not write back to on-premises.

See the scenarios table in the password writeback troubleshooting article for details.

Verify that password writeback is enabled in Microsoft Entra Connect

On the Microsoft Entra Connect server:

Open Microsoft Entra Connect Configuration wizard.
Sign in with:
- Microsoft Entra Hybrid Administrator credentials (for the tenant), and
- On-premises AD DS admin credentials.
Proceed to Optional features.
Ensure Password writeback is checked.
Complete the wizard so the configuration is committed.

If writeback was disabled, enabling it and completing configuration is required for upstream sync.

Re-establish connectivity for password writeback

If writeback is enabled but not working:

Restart the sync service:
- On the Entra Connect server, run services.msc.
- Locate Azure AD Sync service.
- Right-click → Restart and wait for completion.
If the issue persists, toggle writeback off and on:
- Open Microsoft Entra Connect Configuration wizard.
- Clear Password writeback on Optional features and complete the wizard (confirm it shows as disabled on Ready to configure).
- Reopen the wizard, re-enable Password writeback, and complete configuration again.

These steps re-establish the connection used for password writeback.

Confirm SSPR/writeback usage pattern

To get cloud → on-premises password sync working for users:

Ensure users are registered for SSPR and use the SSPR portal (https://passwordreset.microsoftonline.com) or supported password change experiences (My Apps / Microsoft 365 portal) for password changes.
Ensure SSPR with writeback is enabled on the tenant when using PHS and the ForcePasswordChangeOnLogOn feature, so that any SSPR password change is synchronized back to AD.

Check for user-specific sign-in issues

If some users’ passwords appear not to sync back or sign-in fails after cloud changes:

If users changed passwords only in the cloud portal without writeback enabled, have them change their on-premises password and allow time for downstream sync.
If some users still cannot sign in, investigate them as individual sync/sign-in issues (for example, using the guidance under “Some users can't sign in to Microsoft 365, Microsoft Entra, or Microsoft Intune”).

If, after confirming supported scenarios, enabling password writeback, and re-establishing connectivity, cloud-initiated password changes still never reach on-premises AD, follow the broader SSPR writeback troubleshooting guidance and, if needed, open a support case.

References:

Share via

Issues with Password Writeback in Hybrid AD Environment

1 answer

Your answer