FerronNijland-2719 asked (1 vote):

Graph API ChangePassword method doesn't trigger Password Writeback in Azure AD Connect.

I'm using the .NET Microsoft Graph SDK. When users want to reset their password I call the following method:

```csharp
// Change the signed-in user's password through Microsoft Graph (.NET SDK)
await client.Me.ChangePassword(current_password, repeat_new_password).Request().PostAsync();
```

The change is successful and the user can sign in with their new password.
The only problem is that the new password doesn't work on-premises. After some research I found that the Password Writeback service is not triggered.
When users change their password through the Office 365 portal it works just fine.
Is this by design, or should the password writeback be triggered when using the Graph API ChangePassword method?



Tags: azure-active-directory, azure-ad-connect, azure-ad-graph

michev answered (0 votes):

That's pretty much the same as with admin-initiated password changes, and is not supported. Read here: https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-writeback#unsupported-writeback-operations


ShashiShailaj-MSFT answered (0 votes):

Hello @FerronNijland-2719 ,

Password writeback to on-premises from Azure is done via Azure AD Connect. It also requires an Azure AD Premium license to be associated with the user on the tenant. While configuring Azure AD Connect, the Azure AD administrator in your organisation can enable password writeback to the on-premises domain if they have an Azure AD Premium license associated with the Azure AD tenant. The password writeback is an internal operation and not exposed through any API. Azure AD Connect runs a thread for password writeback, and it automatically updates from Azure whenever a password is changed. The service is polled every 2 minutes or so to get any changes in password. You will not be able to get this done programmatically through the Graph API as of now. The password writeback must be triggered on the Azure side, and then Azure AD Connect will poll that change.

Hope this clarifies your queries. In case the information provided in any of the posts helps you, please do mark it as the answer so that it's helpful for other members of the community. If you have any residual queries, please let us know and we will be happy to help.

Thank you.


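Before chasing why one particular change is not written back, an administrator can confirm on the Azure AD Connect server that writeback is actually enabled and its service thread is active. The script below is an added example, not code from this thread or from Microsoft: it assumes the ADSync PowerShell module that ships with Azure AD Connect, the default Azure AD connector naming (`<tenant>.onmicrosoft.com - AAD`), the `PasswordWriteBack` property of `Get-ADSyncAADCompanyFeature`, and the `Enabled` and `ServiceStatus` properties of `Get-ADSyncAADPasswordResetConfiguration` as shown in the Azure AD Connect writeback troubleshooting documentation.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session
# on the Azure AD Connect server to verify the password writeback prerequisites
# the answer above describes: feature enabled on the tenant, and the writeback
# service registered and active on the Azure AD connector.
# Assumptions: ADSync module present; connector named "<tenant>.onmicrosoft.com - AAD";
# property names as documented in the Azure AD Connect troubleshooting guide.
Import-Module ADSync

# Locate the Azure AD connector by its default name suffix (assumption: default naming).
$aadConnector = Get-ADSyncConnector | Where-Object { $_.Name -like '* - AAD' }
if (-not $aadConnector) {
    throw 'No Azure AD connector found. Is this the Azure AD Connect server?'
}

# Tenant-level feature flag: was password writeback enabled in the Azure AD Connect wizard?
$features = Get-ADSyncAADCompanyFeature
"Tenant feature PasswordWriteBack : $($features.PasswordWriteBack)"

# Connector-level state: is the writeback service enabled and its polling thread active?
$config = Get-ADSyncAADPasswordResetConfiguration -Connector $aadConnector.Name
"Writeback enabled on connector   : $($config.Enabled)"
"Writeback service status         : $($config.ServiceStatus)"

if (-not $config.Enabled -or $config.ServiceStatus -ne 'Active') {
    Write-Warning 'Password writeback is not running; no cloud password change will reach on-premises AD.'
    # Re-enabling is the same operation the wizard performs (uncomment to apply):
    # Set-ADSyncAADPasswordResetConfiguration -Connector $aadConnector.Name -Enable $true
}
else {
    'Password writeback prerequisites look healthy on this server.'
}
```

If this reports the feature enabled and the service active, the on-premises side is not the problem, and what remains is the question the thread leaves open: which Azure AD operations are treated as writeback-eligible password changes.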

FerronNijland-2719 commented:

Thanks for the quick answer @shashishailaj,

I understand the prerequisites and the configuration that are needed. This is all in place and configured.
I also understand that I have no access to the Password Write-back operation through an API or anything else.

What I don't understand is that when a user changes his password with a Graph API call it is not seen as a change.
As you said:

"Azure AD Connect runs a thread for password writeback and it automatically updates from Azure whenever a password is changed."

The password is changed when you change it through the Graph API, but the Password Writeback isn't triggered. What is the difference when changing it through the Office 365 portal?
