Azure AD Connect Cloud Provisioning Agent v1.1.587.0 brings Password Writeback

Last week, Microsoft released version 1.1.587.0 of its Azure AD Connect Cloud Provisioning Agent. While the release notes for this version include only one bullet point followed by five words, I wanted to shed some more light on what ‘Cmdlet to configure Password WriteBack’ means:

  • It means Password WriteBack is now available for organizations who have adopted Azure AD Connect Cloud Sync.
  • It means Password WriteBack needs to be configured through PowerShell, instead of being an option in a user interface for the on-premises components.

About Azure AD Connect Cloud Sync

The Azure AD Connect Cloud Provisioning Agent is a new Microsoft agent for synchronization of users, groups and contacts to Azure AD.

In contrast to Azure AD Connect, the database, rules and engine are not placed on a Windows Server installation on-premises, but within the Azure Active Directory infrastructure. The agent setup makes it lightweight, fast to deploy and easy to manage.

Initially, Microsoft’s goal with Azure AD Connect Cloud Sync was to provide synchronization for non-reachable Active Directory forests and synchronization for Active Directory forests for recently acquired organizations. Today, Azure AD Connect Cloud Sync is positioned as an alternative to Azure AD Connect on-premises.

About Password WriteBack

Password WriteBack enables administrators to configure Azure AD Connect and Azure AD Connect Cloud Sync so that, when people in the organization set, change, or reset their password in Azure AD, the new password is also written to the on-premises environment.

The main reason to enable Password WriteBack is to use Azure AD’s Self-service Password Reset (SSPR) functionality in a hybrid environment. In this case, the password policy from Active Directory and any applicable fine-grained password policies apply.

Perhaps Password WriteBack isn’t the right term for this feature: the password is first reset, then changed on-premises, and from there synchronized with priority to Azure AD when Password Hash Synchronization (PHS) is enabled. In marketing terms, though, it sits right between Group WriteBack and Device WriteBack.

Enabling Password WriteBack with Azure AD Connect Cloud Sync

Meet the requirements

To enable Password WriteBack with Azure AD Connect Cloud Sync you need to meet the following requirements:

  • The Azure AD tenant needs to be equipped with Azure AD Premium licenses.
  • You need access to an account in Azure AD with either the Global Administrator role, or both the Authentication Policy Administrator and Hybrid Identity Administrator roles.
  • You need administrator privileges on the Windows Server installation running the Azure AD Connect Cloud Provisioning Agent v1.1.587.0 or a newer version of the agent.

Enable Password WriteBack on-premises

To enable Password WriteBack on the Windows Server installation running the Azure AD Connect Cloud Provisioning Agent, run the following lines of Windows PowerShell:

# Allow locally created scripts and signed remote scripts to run, so the module DLL can be loaded
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned

# Load the Cloud Sync cmdlets that ship with the provisioning agent
Import-Module 'C:\Program Files\Microsoft Azure AD Connect Provisioning Agent\Microsoft.CloudSync.Powershell.dll'

# Enable Password WriteBack; Get-Credential prompts for the Azure AD account from the requirements above
Set-AADCloudSyncPasswordWritebackConfiguration -Enable $true -Credential $(Get-Credential)

Provide the credentials for the account in Azure AD.
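As an added pre-flight check (not part of the original post or of Microsoft’s tooling), the script below verifies the on-premises prerequisites before you run the cmdlets above. It assumes the agent version can be read from the file version of Microsoft.CloudSync.Powershell.dll at the path used above, and that an execution policy of RemoteSigned or looser is sufficient to load that module.

```powershell
# Pre-flight check for enabling Password WriteBack with the Cloud Provisioning Agent.
# Assumptions (not from the post): the DLL's file version reflects the agent version,
# and RemoteSigned/Unrestricted/Bypass are the execution policies that allow the import.
$ModulePath     = 'C:\Program Files\Microsoft Azure AD Connect Provisioning Agent\Microsoft.CloudSync.Powershell.dll'
$MinimumVersion = [version]'1.1.587.0'   # first agent version that ships the writeback cmdlet

function Test-CloudSyncWritebackPrereqs {
    param(
        [string]$Path = $ModulePath,
        [version]$Minimum = $MinimumVersion
    )
    $result = [ordered]@{ IsAdmin = $false; ModuleFound = $false; AgentVersion = $null;
                          VersionOk = $false; ExecutionPolicyOk = $false }

    # 1. Administrator privileges on the server running the agent
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $result.IsAdmin = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # 2. Module DLL present and its file version at least 1.1.587.0
    if (Test-Path -LiteralPath $Path) {
        $result.ModuleFound = $true
        $fileVersion = (Get-Item -LiteralPath $Path).VersionInfo.FileVersion
        # FileVersion may carry trailing text; keep only the leading numeric part
        if ($fileVersion -match '^\d+(\.\d+){1,3}') {
            $result.AgentVersion = [version]$Matches[0]
            $result.VersionOk    = $result.AgentVersion -ge $Minimum
        }
    }

    # 3. Execution policy permits loading the module (assumed set of acceptable policies)
    $policy = Get-ExecutionPolicy
    $result.ExecutionPolicyOk = $policy -in @('RemoteSigned', 'Unrestricted', 'Bypass')

    [pscustomobject]$result
}

$check = Test-CloudSyncWritebackPrereqs
$check | Format-List
if ($check.IsAdmin -and $check.VersionOk -and $check.ExecutionPolicyOk) {
    Write-Host 'Prerequisites met; Set-AADCloudSyncPasswordWritebackConfiguration can be run.'
} else {
    Write-Warning 'One or more prerequisites are missing; resolve them before enabling Password WriteBack.'
}
```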

Enable Password WriteBack in Azure AD

To enable Password WriteBack in Azure AD, perform the following steps:

  • Navigate to the Azure AD Portal.
  • Sign in with the account in Azure AD.
  • In the left navigation pane, click Azure Active Directory.
    You’ll be taken to the Overview page for the Azure AD tenant. 
  • In Azure AD’s navigation pane, click Password reset.
    You’ll be taken to the Password reset | Properties page, with its own navigation menu on the left of the page.
  • In Password reset’s navigation pane, click On-premises integration.
    You’ll be taken to the Password reset | On-premises integration page.
  • On the Password reset | On-premises integration page, enable both features (Write back passwords to your on-premises directory? and Allow users to unlock accounts without resetting their password?) by selecting Yes for both.
  • Click Save in the action bar at the top of the page.
  • Close the browser or sign out.

Further reading

Ten things you should know about Azure AD Connect Cloud Sync  
Four things you should know about Selective Password Hash Synchronization  
Ten things you need to know about Azure AD Connect Cloud Provisioning   
Enable cloud sync self-service password reset writeback to an on-premises environment
