question

0 Votes
cosimomercuro-9702 asked cosimomercuro-9702 commented

On-premises AD and Azure AD user synchronization

Hi!
I'd like to synchronize my on-premises AD DC with the Office 365 cloud.
I know that if I install AD Connect and use a verified domain, all on-premises users defined on the internal domain controller will be synchronized with Azure AD in the cloud.
The question is:
If I change the account's password on-premises from a PC in the local (on-premises) domain, this password will be changed in the Office 365 cloud as well, but if I change the account's password directly from the Office 365 cloud, will this change be reflected in the on-premises local domain?
In other words, when I log in on a domain client on the on-premises local network, may I use the new password previously changed in the cloud?
Any idea?
Thanks in advance

azure-ad-connect

1 Answer

1 Vote
AndyDavid answered cosimomercuro-9702 commented

If you enable Password Write back, yes.
Also password hash sync has to be enabled if you want that synced to 365 as well.

So there are two options you will need to enable to have this work the way you describe above:

SSPR for password writeback from Azure to on-prem (note the licensing requirements)

https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr-writeback

Password Hash Sync to sync password hashes from On-Prem to Azure:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-password-hash-synchronization

· 3

Hi AndyDavid.
Thanks for your reply.
Because my organization does not have Azure AD Premium P1 or P2, I think that SSPR isn't available.
At this point, using Hash Sync to sync password hashes from on-prem to Azure, does this mean that if a user changes their password from the cloud, it (the changed password) will be overwritten after a few minutes by the password stored in the on-prem, local DC?
Is that right?

0 Votes 0 ·

A synced user will not be able to change their password in Azure if SSPR Password writeback is not enabled.

https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-writeback#how-password-writeback-works

When a federated or password hash synchronized user attempts to reset or change their password in the cloud, the following actions occur:

A check is performed to see what type of password the user has. If the password is managed on-premises:

A check is performed to see if the writeback service is up and running. If it is, the user can proceed.
If the writeback service is down, the user is informed that their password can't be reset right now.

0 Votes 0 ·
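The answer and the comment above describe two independent switches on the Azure AD Connect server: password hash sync (on-prem to cloud) and SSPR password writeback (cloud to on-prem). The script below is an added example, not code from the thread or from Microsoft, that reads both settings on the Connect server with the ADSync module so an admin can confirm which direction password changes will actually flow before telling users to change passwords in the portal. The connector name filter (`* - AAD`) and the forest name `contoso.com` are assumptions; the cmdlets `Get-ADSyncAADCompanyFeature`, `Get-ADSyncAADPasswordResetConfiguration` and `Get-ADSyncAADPasswordSyncConfiguration` exist in the ADSync module, but check their output in your own version.

```powershell
# Added example (not from the thread): report the password-flow configuration
# of an Azure AD Connect server. Run in an elevated PowerShell on the Connect server.
Import-Module ADSync

# Assumption: the Azure AD connector is named "<tenant>.onmicrosoft.com - AAD".
$aadConnector = Get-ADSyncConnector | Where-Object { $_.Name -like '* - AAD' } |
    Select-Object -First 1 -ExpandProperty Name
if (-not $aadConnector) { throw "No Azure AD connector found; adjust the name filter." }

# Assumption: the on-prem AD forest connector is named after the forest.
$adForest = 'contoso.com'

# Tenant-level feature flags: PasswordHashSync is the on-prem -> cloud direction.
$features = Get-ADSyncAADCompanyFeature

# Per-forest PHS state (the connector itself must have PHS enabled, not just the tenant).
$phs = Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $adForest

# SSPR password writeback: the cloud -> on-prem direction.
$writeback = Get-ADSyncAADPasswordResetConfiguration -Connector $aadConnector

$state = [pscustomobject]@{
    PasswordHashSync_Tenant = [bool]$features.PasswordHashSync
    PasswordHashSync_Forest = [bool]$phs.Enabled
    PasswordWriteback       = [bool]$writeback.Enabled
}
$state | Format-List

# Plain-language summary of what a password change does in each direction.
if ($state.PasswordHashSync_Tenant -and $state.PasswordHashSync_Forest) {
    Write-Host "On-prem password changes are synced to Azure AD (typically within minutes)."
} else {
    Write-Host "On-prem password changes are NOT synced to Azure AD (PHS disabled)."
}
if ($state.PasswordWriteback) {
    Write-Host "Cloud password changes/resets are written back to on-prem AD."
} else {
    Write-Host "Cloud password changes/resets are NOT written back; synced users cannot change their password in the cloud."
}
```

A useful reading of the output for the licensing situation in the comment above: with PHS on and writeback off, the on-prem directory remains the single source of truth for the password, and the portal refuses the change rather than letting it be silently overwritten later.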

Ok.
I've understood.
Many thanks.

0 Votes 0 ·