AD Connect Server 2016 (where users use RDC) with Azure user and password write-back

Dale Greenaway 21 Reputation points
2020-11-27T16:44:10.12+00:00

Hi Guys,
Could use your help. Hoping you can shed some light.
We are using Windows Server 2016 AD on premise, and Azure/O365 in the cloud. All of our users connect via Windows 10 using RDC onto a virtual profile. All of our users are aligned on the 2016 server AD to the Azure/O365 user profiles, where the primary user logons are the same.
We want to be able to write back the password from Azure to Windows Server 2016 with single sign-on, making Azure the primary password manager or place of reset. If MFA is enabled on all of our Azure users:
(1) Wondering what the behaviour is like when users log in with RDC onto the on-premise server, where Azure is now the primary password, having overwritten the on-premise password?
(2) What if the virtual instance or profile per user is on 2012 and not 2016/2019? Our AD server is on 2016.
Regards,
D

Tags: Windows Server 2016, Windows Server 2012, Microsoft Entra ID

Accepted answer
  1. Andy David - MVP 142.3K Reputation points MVP
    2020-11-27T17:02:00.257+00:00
1. Azure is not the "primary password" though. If you are authenticating against AD, then that's where the password lives and is the source of truth. That doesn't change with password writeback, which ensures that if password reset is enabled in Azure, it will sync back to on-prem and they will match. So the behaviour in that sense doesn't change: whether you change the password directly or in Azure, you have to use that new password when logging on to the remote desktop.
    2. No difference between 2012 or 2016/2019. The password is the password :)

    https://learn.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr-writeback

    1 person found this answer helpful.
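As an added check, not part of the original thread or of the Microsoft tutorial linked above: a PowerShell script to run on the Azure AD Connect server that confirms password writeback is enabled in the sync configuration and that the on-premises connector account holds the domain-root permissions the tutorial calls for (Reset Password, Unexpire Password, and write access to pwdLastSet and lockoutTime). If any of these are missing, a reset done in Azure never reaches on-prem AD and RDC logons keep accepting the old password. The connector account name is an assumption; substitute your own MSOL_ or custom account.

```powershell
# Added example, not code from the original thread. Run in an elevated PowerShell
# session on the Azure AD Connect server (ADSync and ActiveDirectory modules present).
# The connector account below is an assumption; replace it with your own.
$ConnectorAccount = 'CONTOSO\MSOL_0123456789ab'

Import-Module ADSync
Import-Module ActiveDirectory

# 1. Is password writeback switched on in the sync configuration?
#    (PasswordWriteback is the feature flag exposed by Get-ADSyncAADCompanyFeature.)
$features    = Get-ADSyncAADCompanyFeature
$writebackOn = [bool]$features.PasswordWriteback

# 2. Resolve the GUIDs writeback needs from this forest's own schema and
#    Extended-Rights container rather than hard-coding them.
$rootDse  = Get-ADRootDSE
$attrGuid = @{}
foreach ($attr in 'pwdLastSet', 'lockoutTime') {
    $o = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
                      -LDAPFilter "(lDAPDisplayName=$attr)" -Properties schemaIDGUID
    $attrGuid[$attr] = [guid]$o.schemaIDGUID
}
$rightGuid = @{}
foreach ($right in 'Reset Password', 'Unexpire Password') {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
                      -LDAPFilter "(displayName=$right)" -Properties rightsGuid
    $rightGuid[$right] = [guid]$o.rightsGuid
}

# 3. Collect the Allow ACEs granted to the connector account on the domain root.
#    The tutorial applies these to descendant user objects; this check inspects the
#    right and its target attribute/extended right, not the inheritance scope.
$domainDN = (Get-ADDomain).DistinguishedName
$aces = (Get-Acl -Path "AD:\$domainDN").Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $ConnectorAccount
}

$GenericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

function Test-AceGranted {
    param([guid]$ObjectType, [System.DirectoryServices.ActiveDirectoryRights]$Right)
    # An ACE satisfies the requirement if it grants GenericAll outright, or carries
    # the requested right either for this specific GUID or for all objects
    # (an empty ObjectType means the right is not scoped to one attribute/right).
    foreach ($ace in $aces) {
        $r = $ace.ActiveDirectoryRights
        if (($r -band $GenericAll) -eq $GenericAll) { return $true }
        if (($r -band $Right) -and
            ($ace.ObjectType -eq $ObjectType -or $ace.ObjectType -eq [guid]::Empty)) {
            return $true
        }
    }
    return $false
}

$WP = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$ER = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# 4. One line per requirement, OK or MISSING.
$report = [ordered]@{
    'Password writeback enabled' = $writebackOn
    'Reset Password'             = Test-AceGranted $rightGuid['Reset Password']    $ER
    'Unexpire Password'          = Test-AceGranted $rightGuid['Unexpire Password'] $ER
    'Write pwdLastSet'           = Test-AceGranted $attrGuid['pwdLastSet']         $WP
    'Write lockoutTime'          = Test-AceGranted $attrGuid['lockoutTime']        $WP
}
$report.GetEnumerator() | ForEach-Object {
    '{0,-28} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'MISSING' })
}
```

If the account only has the rights on a sub-OU rather than the domain root, point `Get-Acl` at that OU instead; the ACE comparison logic is the same.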

3 additional answers

Sort by: Most helpful
  1. Andy David - MVP 142.3K Reputation points MVP
    2020-11-27T19:07:16.71+00:00
    1 person found this answer helpful.

  2. Dale Greenaway 21 Reputation points
    2020-11-27T17:34:21.807+00:00

    Hi AndyDavid,

    Thanks for coming back, appreciate your reply and knowledge.

    Another Question:
When users use RDC to log on from Windows 10 to the on-premise or 2012 virtual instance, will they be prompted for 2FA because MFA is enabled in Azure? Does MFA automatically get adopted into the Remote Desktop Connection login?


  3. Dale Greenaway 21 Reputation points
    2020-11-28T09:10:07.537+00:00

    Thanks AndyDavid - appreciate it
