Suppose you run Office 365 with managed (synchronised) identities: user accounts live in on-premises Active Directory and are synchronised to Azure AD with Azure AD Connect, so password resets always have to be done in the on-premises directory. As a Domain or Enterprise Admin on the local AD you can reset any user's password; with password hash synchronisation the new hash is synced up to Azure AD and the user can sign in to the online portal with the new password.
But what if you are on leave, enjoying your days on a remote beach with no access to your on-premises AD, and you get a call that a user needs a password reset? That user's account is mastered on-premises, so without access to the local AD you cannot reset the password.
This is where the Password Writeback feature of Azure AD Connect comes in. As a Global Administrator you can log in to the Office 365 admin portal, or the Office 365 Admin mobile app, from anywhere and reset the user's password there. The new password is written back to the local AD, so the user can use the same password both on their domain-joined machine and in the Office 365 portal.
How does this work?
When you synchronise on-premises AD objects and users to Azure AD with Azure AD Connect, the on-premises directory remains the source of authority: changes to synced objects are made on-premises and flow one way, up to Azure AD, and the portal blocks edits to the synced attributes of those users. Password Writeback opens one controlled exception in the other direction. A password reset that a Global Admin performs in the Office 365 admin portal (or that a user performs through self-service password reset) is handed to the Azure AD Connect server, which writes the new password into the on-premises AD. The request travels over the server's existing outbound HTTPS (TCP 443) connection to Azure; no inbound port has to be opened. The on-premises domain password policy still applies, so a reset that does not meet its length, complexity or history rules fails. The user can then use the same password on the domain-joined machine and in Office 365 cloud apps.
Two security points follow from this design. The AD DS connector account that Azure AD Connect uses must be able to reset the password of every synced user, and any account holding an Azure AD role that can reset passwords (Global Administrator, Password Administrator and similar) can now reach those on-premises accounts through it. Treat writeback as a privileged path: keep on-premises administrative accounts out of the synchronisation scope, and protect the tenant's password-reset roles with multi-factor authentication.
What do you need to enable the Password Writeback feature?
Besides an Azure AD Connect server, a Global Administrator account for the tenant and Enterprise Admin credentials for the on-premises forest, the feature requires one of these subscriptions:
- Azure AD Premium P1
- Azure AD Premium P2
- Enterprise Mobility + Security E3
- Enterprise Mobility + Security E5
- Microsoft 365 E3
How to enable this feature?
1. In the Office 365 admin portal, click the Home tab and check that directory synchronisation and password sync are reported as healthy.
2. On your Azure AD Connect server, open Azure AD Connect, choose "View current configuration" and look at the status of "Password Writeback".
3. If it shows Disabled, as it does in this setup, follow the next steps to enable it.
4. Start the Microsoft Azure Active Directory Connect wizard on the server and choose "Customize synchronization options".
5. Provide the credentials of a Global Administrator account for the Office 365 tenant.
6. On the "Connect your directories" page, click "Add Directory" if your forest is not already listed, provide Enterprise Admin credentials for the on-premises Active Directory, and click Next.
7. Leave the Filtering page at its defaults.
8. On the Optional features page, tick the option you want to enable, in this case "Password writeback", and click Next to finish configuring it. The wizard grants the AD DS connector account the rights writeback needs (Reset password, plus write access to pwdLastSet and lockoutTime) when it created that account for you; if you supplied a custom connector account, you must grant those rights yourself.
9. Once the wizard finishes, turn writeback on in the service as well: go to https://portal.azure.com > Azure Active Directory > Password reset > On-premises integration, set "Write back passwords to your on-premises directory" to Yes, and confirm that the page reports your Azure AD Connect writeback client as connected.
10. With writeback in place, admins can also enable self-service password reset (SSPR) on the same Password reset blade, which lets all users, synced from on-premises or cloud-only, reset their own passwords from the sign-in page; for synced users the new password is written back to the local AD.
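After working through the steps above, it is worth confirming from the Azure AD Connect server itself that writeback is switched on and that the AD DS connector account actually holds the rights it needs, since a missing ACE is the usual reason a cloud-side reset silently fails for on-premises users. The following PowerShell script is an added example written for this page, not code from the original post or from Microsoft; it uses the ADSync module and the AdSyncConfig helper module that ship with Azure AD Connect (the module path assumes the default install location), and the OU in $UserOu is a hypothetical placeholder you must replace with the OU that holds your synced users.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# session on the Azure AD Connect server. It checks three things the wizard
# steps leave you to verify by hand:
#   1. Is Password Writeback enabled on the Azure AD connector?
#   2. Which AD DS account does the connector use?
#   3. Does that account hold the rights writeback needs on the users' OU?

Import-Module ADSync
Import-Module ActiveDirectory
# AdSyncConfig ships with Azure AD Connect; this is its default install path.
Import-Module "$env:ProgramFiles\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1"

# Hypothetical OU; replace with the OU (or domain root) that holds synced users.
$UserOu = "OU=Users,DC=corp,DC=example"

# 1. Writeback status on the Azure AD connector (its name ends in "- AAD").
$aadConnector = Get-ADSyncConnector | Where-Object { $_.Name -like "*- AAD" }
$wb = Get-ADSyncAADPasswordResetConfiguration -Connector $aadConnector.Name
"Password Writeback enabled on '$($aadConnector.Name)': $($wb.Enabled)"

# 2. The AD DS connector account (the MSOL_... account the wizard created, or
#    the custom account you supplied during setup).
$acct = Get-ADSyncADConnectorAccount
$identity = "$($acct.ADConnectorAccountDomain)\$($acct.ADConnectorAccountName)"
"AD DS connector account: $identity"

# 3. Rights writeback needs on user objects, keyed by the schema / extended-right
#    GUID that appears in the ACE's ObjectType.
$required = @{
    "Reset Password (extended right)" = "00299570-246d-11d0-a768-00aa006e0529"
    "Write pwdLastSet"                = "bf967a0a-0de6-11d0-a285-00aa003049e2"
    "Write lockoutTime"               = "28630ebf-41d5-11d1-a9c1-0000f80367c1"
}
$genericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

# Get-Acl on the AD: drive returns the OU's ACEs, inherited ones included, so a
# grant made at the domain root is picked up here as well.
$aces = (Get-Acl -Path "AD:\$UserOu").Access |
    Where-Object { $_.IdentityReference.Value -eq $identity -and
                   $_.AccessControlType -eq "Allow" }

$missing = @()
foreach ($entry in $required.GetEnumerator()) {
    $held = $aces | Where-Object {
        $_.ObjectType -eq [guid]$entry.Value -or
        (($_.ActiveDirectoryRights -band $genericAll) -eq $genericAll)   # full control covers it
    }
    if ($held) { "OK      $($entry.Key)" }
    else       { "MISSING $($entry.Key)"; $missing += $entry.Key }
}

if ($missing.Count -gt 0) {
    # The helper below is the supported way to grant exactly these rights;
    # it is shown rather than run so you can review the scope first.
    Write-Warning "Grant the missing rights with the AdSyncConfig helper, e.g.:"
    Write-Warning ("  Set-ADSyncPasswordWritebackPermissions " +
                   "-ADConnectorAccountName $($acct.ADConnectorAccountName) " +
                   "-ADConnectorAccountDomain $($acct.ADConnectorAccountDomain)")
} else {
    "All required writeback rights are present on $UserOu"
}
```

Run this against every OU that contributes synced users (or once against the domain root if the rights were granted there). If the first line reports Enabled as False even though the wizard finished, the feature was not saved on this server; re-run the wizard or use Set-ADSyncAADPasswordResetConfiguration with -Enable $true for the same connector. If the rights are present but resets still fail, check the on-premises password policy next, since writeback enforces it and rejects passwords that violate it.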