DanJohnson-0923 asked

Resetting an expired password in Hybrid Azure

Hi

In a Hybrid Azure scenario with PHS and Password Writeback enabled is this enough to allow a user to reset their expired password via the cloud and for said password to sync back to on prem?

We are about to remove the disablepasswordexpiry attribute on all accounts under the scope of PHS. We want to ensure that if a password expires on prem then that password expires in the cloud also.

We do not have SSPR enabled.

My confusion comes from the below article and SSPR is continually mentioned.

https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-writeback

However password writeback itself is enabled and the article states

Supported end-user operations

Any end-user self-service voluntary change password operation.
Any end-user self-service force change password operation, for example, password expiration

So would I be correct in stating that, to allow a user to reset an expired password and have that sync back to on prem, password writeback is all that is required?

SSPR is only needed to allow a user that has forgotten their password the ability to reset via cloud?


azure-active-directory

MarileeTurscak-MSFT answered

You are correct. Users can change their passwords from the Office 365 portal, the My Apps portal, or the Windows 10 sign-in page. If you have password writeback enabled via Azure AD Connect, the password change will be synchronized back to the on-premises environment. The settings in Azure AD Connect cover that scenario and you won't need to enable SSPR.

SSPR is listed as a prerequisite for the "Azure Active Directory self-service password reset writeback", but that covers password resets and not just password changes. https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr-writeback

I agree that the language is a bit confusing because it only refers to "Azure Active Directory self-service password reset writeback" and SSPR in the context of enabling password writeback. This is because it's good to also have SSPR enabled so that users don't get locked out.

Hope this helps!

https://docs.microsoft.com/en-us/azure/active-directory/user-help/active-directory-passwords-update-your-own-password

https://docs.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-create-instance-advanced



If this answer was helpful to you, please remember to "mark as answer" and leave a 5-star survey so that others in the community can more easily find a solution.
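The prerequisites the answer relies on (PHS and password writeback enabled in Azure AD Connect, no SSPR) and the change the question describes (clearing the cloud-side DisablePasswordExpiration policy from synced users so on-prem expiry is honoured in the cloud) can both be checked and applied from PowerShell. The script below is an added example, not code from either poster or from Microsoft. It runs on the Azure AD Connect server (for the ADSync module) with the AzureAD module installed; the connector name is a placeholder, and the output property names of the ADSync cmdlets should be confirmed against your Azure AD Connect version.

```powershell
# Added example, not from the original thread. Verifies the hybrid prerequisites the
# answer depends on, then removes DisablePasswordExpiration from synced users.
# Assumptions: run on the Azure AD Connect server; AzureAD module installed; the
# signed-in account can update users; connector name below is a placeholder.

$TenantConnector = 'contoso.onmicrosoft.com - AAD'   # assumption: name of your AAD connector
$WhatIf = $true                                       # set to $false to actually apply changes

# 1. Confirm Password Hash Sync is on. Without PHS the user cannot sign in to the cloud
#    with the on-prem password, so an expired-password change there is moot.
Import-Module ADSync
$features = Get-ADSyncAADCompanyFeature
if (-not $features.PasswordHashSync) {
    throw 'Password Hash Sync is not enabled on this tenant; enable it before going further.'
}

# 2. Confirm password writeback is enabled on the AAD connector. This is the setting that
#    carries a cloud-side password change (voluntary, or forced by expiry) back to on-prem AD.
$writeback = Get-ADSyncAADPasswordResetConfiguration -Connector $TenantConnector
if (-not $writeback.Enabled) {
    throw "Password writeback is disabled on connector '$TenantConnector'."
}
'PHS: enabled; password writeback: enabled'

# 3. Clear the cloud 'never expires' policy on synced users only. Cloud-only users are
#    skipped on purpose: their expiry comes from the tenant password policy, not from
#    on-prem AD, and is out of scope for this change.
Import-Module AzureAD
Connect-AzureAD | Out-Null

$synced = Get-AzureADUser -All $true |
    Where-Object {
        $_.DirSyncEnabled -eq $true -and
        $_.PasswordPolicies -match 'DisablePasswordExpiration'
    }

"Synced users with DisablePasswordExpiration: $($synced.Count)"

foreach ($u in $synced) {
    if ($WhatIf) {
        "WhatIf: would set PasswordPolicies=None on $($u.UserPrincipalName)"
    } else {
        Set-AzureADUser -ObjectId $u.ObjectId -PasswordPolicies 'None'
        "Cleared DisablePasswordExpiration on $($u.UserPrincipalName)"
    }
}

# 4. Spot-check: after the change, synced users should show PasswordPolicies empty or None.
Get-AzureADUser -All $true |
    Where-Object { $_.DirSyncEnabled -eq $true } |
    Select-Object -First 5 UserPrincipalName, DirSyncEnabled, PasswordPolicies
```

Run it once with `$WhatIf = $true` to see which accounts would be touched, and only flip it after confirming that PHS and writeback both report enabled. The checks in steps 1 and 2 are the ones that matter for the question asked: with both in place, a user prompted to change an expired password at sign-in can do so in the cloud and the new password is written back, and SSPR is only needed for the forgotten-password reset path.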


DanJohnson-0923 answered

Thank you for the detailed response
