question

Akrofly-4134 asked MarileeTurscak-MSFT commented

MsolDirSyncFeatures and Azure AD connect settings show different values for the same setting - or am I mistaken?

The value for the PasswordWriteBack from Get-MsolDirSyncFeatures shows a different value from within Azure AD connect, or am I mistaken here?

Note the marked settings in the attached screenshot and correct me if I have misunderstood or explain/advise if correct.

145512-aadc-conflict.jpg



Akrofly-4134 answered MarileeTurscak-MSFT commented

No possible answer on the horizon, I recommend that this question is taken out of circulation since password write back does work.

It just seems like conflicting information from a technical point of view.


I have seen this happen before where password writeback is working, but the PowerShell shows that it is set to false. I have taken this up with the product team and will let you know their response!


We have reported this as a bug.

MarileeTurscak-MSFT answered Akrofly-4134 edited

Hi @Akrofly-4134,

Could you please confirm that the password writeback connectivity in the Azure portal is showing up and running? If it is, then please toggle the password writeback service on and off and re-run the PowerShell commands to see if it is reflecting.

145625-image.png

If you see a connectivity failure, then it might be one of the following issues:

1) There might be a network connectivity problem.

Double check that the firewall isn't blocking anything and that outbound HTTPS access is required to the following addresses:

*.passwordreset.microsoftonline.com
*.servicebus.windows.net

2) You may need to restart the Azure AD Connect Sync service, as shown in the screenshot:
145550-image.png

3) Disable and re-enable the password writeback feature. (Disable the feature and configure it. Then re-enable it and reconfigure it.)

4) It might not be enabled in Azure, or you could be missing some licensing. If this is the case, make sure you have the writeback enabled in Azure itself and you have the correct licensing applied.

For full troubleshooting steps, see the Troubleshoot Password Writeback article.
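
The checks from steps 1 and 2 above as a script for the Azure AD Connect server. This is an added example, not part of the original answer. It assumes the service name `ADSync`, uses `passwordreset.microsoftonline.com` as one concrete host under the first suffix, and carries a labelled placeholder for the Service Bus host because the answer gives domain suffixes only.

```powershell
# Added example: run in an elevated PowerShell session on the Azure AD Connect server.
# Assumption: concrete host names. Replace the placeholder with the Service Bus
# namespace your own installation connects to.
$Endpoints = @(
    'passwordreset.microsoftonline.com',
    '<your-namespace>.servicebus.windows.net'   # placeholder, not a real host
)
$RestartSync = $false   # set to $true to perform step 2 (service restart)

function Test-WritebackEndpoint {
    param([Parameter(Mandatory)][string[]]$HostName)
    foreach ($h in $HostName) {
        if ($h -like '<*') {
            # Unfilled placeholder: report it instead of testing a bogus name.
            [pscustomobject]@{ Host = $h; Port = 443; Reachable = $null; Note = 'placeholder, skipped' }
            continue
        }
        $r = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
        $note = 'ok'
        if (-not $r.TcpTestSucceeded) { $note = 'blocked or unreachable: check firewall/proxy rules' }
        [pscustomobject]@{ Host = $h; Port = 443; Reachable = $r.TcpTestSucceeded; Note = $note }
    }
}

# Step 1: outbound HTTPS (TCP 443) reachability.
Test-WritebackEndpoint -HostName $Endpoints | Format-Table -AutoSize

# Step 2: state of the sync service, with an optional restart.
$svc = Get-Service -Name ADSync -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Warning 'Service ADSync not found: is this the Azure AD Connect server?'
} else {
    "ADSync service status: $($svc.Status)"
    if ($RestartSync) {
        Restart-Service -Name ADSync
        "ADSync service status after restart: $((Get-Service -Name ADSync).Status)"
    }
}

# Re-run the cmdlet from the question, if the MSOnline module is loaded and
# Connect-MsolService has already been called in this session.
if (Get-Command Get-MsolDirSyncFeatures -ErrorAction SilentlyContinue) {
    Get-MsolDirSyncFeatures -Feature PasswordWriteBack | Format-List DirSyncFeature, Enabled
} else {
    Write-Warning 'MSOnline module not loaded: skipping Get-MsolDirSyncFeatures.'
}
```

As reported elsewhere in this thread, the `Enabled` value returned by the last command can read `False` while writeback is working, so treat the portal status and an actual SSPR password change as the functional test.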




Thank you for your response, but to no avail.

The password write back has been toggled, the service has been restarted and network is OK with connectivity in place.
Our licensing meets the requirements.
The service account is running with the necessary permissions in the on-premises AD.

The setting from on-premises integration portal page shows the password write back is activated, the settings in the AADC client shows that it is activated, only the value from within the get-msoldirsyncfeatures is still nonidentical to the reality set up via the AADC.

ExtensionData : System.Runtime.Serialization.ExtensionDataObject
DirSyncFeature : PasswordWriteBack
Enabled : False


It is essential to add that the actual password write back when changed from within SSPR and to on-premises AD is working.
It is merely this inconsistency with the settings across the interfaces that is awkward.
So the question that asks itself here is: is "Get-MsolDirSyncFeatures" still applicable to view the sync features?

AndyDavid answered Akrofly-4134 commented

I see the same settings as you and we have password writeback enabled and it's working.


Thank you for your comment, we can conclude that we have the same experience, but is it supposed to be like that?

I will wait a bit longer in hope that someone sheds a little more light on the matter.
If it does not happen I will eventually withdraw this question.

AndyDavid answered

I don't know, seems to be that since it's enabled in AADConnect, it's just ignored by the MsolDirSyncFeatures command.


It states here which commands apply:
https://docs.microsoft.com/en-us/powershell/module/msonline/get-msoldirsyncfeatures?view=azureadps-1.0

147003-image.png


