TomRobinson-8577 asked:

Is this scenario supported for Azure AD Connect password writeback?

I've been trying to set up Azure AD Connect password writeback but without any success. It's a complicated thing to diagnose online, so initially I'm looking for confirmation that what I'm trying to do is possible.

Unlike most Azure AD Connect scenarios, I am starting with a small, existing set of Microsoft 365 Business Standard and Premium users. I am then setting up a brand new on-premises domain (Windows Server 2019) and want to allow the equivalent on-premises user accounts to have their password synchronised with Microsoft 365/Azure AD.

Does Azure AD Connect password writeback work in this scenario, i.e. with the original accounts being created in Microsoft 365 and the on-premises accounts being linked to them?

  • Azure AD Connect: 1.5.30.0
  • Windows Server 2019 Standard
  • Licenses: Microsoft 365 Standard & Microsoft 365 Premium

Things I've tried:

  • Disabling then re-enabling password writeback in Azure AD Connect
  • Running the PowerShell script suggested here
  • Looking for errors in the Windows Event Log, and Azure Portal

Tags: azure-active-directory, azure-ad-connect, azure-ad-hybrid-identity

1 Answer

amanpreetsingh-msft answered:

@TomRobinson-8577 Azure AD Connect: 1.5.30.0 and Windows Server 2019 Standard also support password writeback.

I assume by Microsoft 365 Standard & Microsoft 365 Premium, you are referring to Microsoft 365 Business Standard and Microsoft 365 Business Premium. If that is the case, you are good with the required licenses. If you have Office 365 Business Premium, that doesn't include the password writeback feature for synced accounts, as only Azure AD Premium P1 or P2 and Microsoft 365 Business include password writeback features. Refer to https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-licensing for more details.

When you are resetting the password, have you confirmed that you are complying with the on-prem password policies? E.g., if the minimum password age is 1 day in on-prem AD and you have synced a newly created user account whose password is not 1 day old, you'll get an error.


Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.

@amanpreetsingh-msft Thanks for your response. Yes sorry, I meant Microsoft 365 Business Standard and Microsoft 365 Business Premium.

I set the minimum password age to 0 days during setup.

Where could I look for error information/logs, for example to see if the password writeback is being attempted, even if it then fails? At the moment I have everything set up according to the documentation and a few hours of research online, but can see no evidence that the writeback is being attempted. I would be happy if I could see an error, as it would give me something to try and fix.


@TomRobinson-8577 You should look for error events under Application event logs on AD Connect server. Refer to Troubleshoot password writeback for various error events and how to resolve the error.


Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.
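The answer above points at three things to verify on the AD Connect server: that writeback is actually enabled on the Azure AD connector, that the on-prem password policy (notably minimum password age) does not reject the reset, and that the Application event log shows whether a writeback was attempted. The following PowerShell script is an added example, not code from the thread or from Microsoft; it assumes it runs on the Azure AD Connect server with the ADSync and ActiveDirectory modules available, that the Azure AD connector's name ends in "AAD" (the default naming), and that writeback events are logged under the provider name PasswordResetService (an assumption based on the troubleshooting documentation; adjust if your log shows a different source). The sample account name is a placeholder.

```powershell
# Added diagnostic script (not from the Q&A thread). Run elevated on the
# Azure AD Connect server. Assumes the ADSync and ActiveDirectory modules.
param(
    # Placeholder: sAMAccountName of the synced user whose reset is failing.
    [string]$SamAccountName = 'testuser',
    [int]$LookbackHours = 24
)

Import-Module ADSync -ErrorAction Stop
Import-Module ActiveDirectory -ErrorAction Stop

# 1. Is password writeback enabled on the Azure AD connector?
#    Assumption: the AAD connector name ends in "AAD" (default naming).
$aadConnector = Get-ADSyncConnector | Where-Object { $_.Name -like '*AAD' } | Select-Object -First 1
if (-not $aadConnector) {
    Write-Warning 'No Azure AD connector found; check Get-ADSyncConnector output.'
} else {
    $reset = Get-ADSyncAADPasswordResetConfiguration -Connector $aadConnector.Name
    Write-Host "Connector: $($aadConnector.Name)"
    Write-Host "Password writeback enabled: $($reset.Enabled)"
    if (-not $reset.Enabled) {
        Write-Warning 'Writeback is disabled on the connector; re-enable it in the AD Connect wizard.'
    }
}

# 2. Does the on-prem password policy allow a reset right now?
#    A minimum password age greater than the age of the user's current password
#    will cause the writeback to be rejected, as the answer describes.
$domainPolicy = Get-ADDefaultDomainPasswordPolicy
Write-Host ("Domain policy: MinPasswordAge={0}, MinPasswordLength={1}, Complexity={2}, History={3}" -f `
    $domainPolicy.MinPasswordAge, $domainPolicy.MinPasswordLength,
    $domainPolicy.ComplexityEnabled, $domainPolicy.PasswordHistoryCount)

$user = Get-ADUser -Identity $SamAccountName -Properties PasswordLastSet -ErrorAction SilentlyContinue
if (-not $user) {
    Write-Warning "User '$SamAccountName' not found in on-prem AD; is the account synced/matched?"
} else {
    # Fine-grained password policies override the domain default, so check the
    # resultant policy for this specific user.
    $resultant = Get-ADUserResultantPasswordPolicy -Identity $user -ErrorAction SilentlyContinue
    $minAge = if ($resultant) { $resultant.MinPasswordAge } else { $domainPolicy.MinPasswordAge }
    if ($user.PasswordLastSet) {
        $passwordAge = (Get-Date) - $user.PasswordLastSet
        Write-Host ("User '{0}': password last set {1} ({2:N1} hours ago), effective MinPasswordAge={3}" -f `
            $SamAccountName, $user.PasswordLastSet, $passwordAge.TotalHours, $minAge)
        if ($passwordAge -lt $minAge) {
            Write-Warning 'Password is younger than MinPasswordAge; writeback will be rejected by policy.'
        }
    } else {
        Write-Host "User '$SamAccountName': password has never been set on-prem."
    }
}

# 3. Has a writeback been attempted at all? Pull recent events from the
#    Application log for the writeback service so the admin can see errors.
#    Assumption: events are logged under provider name 'PasswordResetService'.
$filter = @{
    LogName      = 'Application'
    ProviderName = 'PasswordResetService'
    StartTime    = (Get-Date).AddHours(-$LookbackHours)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Host "No PasswordResetService events in the last $LookbackHours hours: no writeback reached this server."
} else {
    $events |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, LevelDisplayName,
            @{ Name = 'Message'; Expression = { ($_.Message -split "`n")[0] } } |
        Format-Table -AutoSize
}
```

Run it as `.\Test-PasswordWriteback.ps1 -SamAccountName <user> -LookbackHours 48` after attempting a reset from Azure AD. If step 3 shows no events at all, the reset request is not reaching the server (connector or service-side configuration); if it shows error events, the event text usually names the policy or permission that blocked the reset, which is exactly the "something to try and fix" the asker was looking for.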