If you have recently purchased Azure AD Premium as part of your cloud strategy, chances are one of the first things you’re going to deploy is SSPR or MFA. If you follow the guidance at Getting Started with Password Management (https://azure.microsoft.com/en-gb/documentation/articles/active-directory-passwords-getting-started) you’ll see that this is a relatively simple affair. Simply log in to the Azure management portal to enable and customize the service, then go to your on-premises directory sync server to configure the additional password writeback functionality.
Ensure you’re running the latest directory sync tool (please upgrade DirSync if you have not already!), which means you should be on AADConnect. As you will see from the screenshots below, there is a manual process for adding extra permissions to the account originally used to configure your directory sync service, which can be sidestepped.
1. Enable the Password Writeback function as an additional feature in AADConnect setup.exe.
2. AADConnect uses the following (auto-generated) account to provide password write-back functionality:
3. Select the account (above) you want to give permissions to (this is the same account that was specified while setting up sync for that forest).
4. In the drop-down at the top, select Descendant User objects.
5. In the Permission Entry dialog box that appears, check the boxes for Reset Password, Change Password, Write Permissions on lockoutTime, and Write Permissions on pwdLastSet.
6. Click Apply/OK through all the open dialog boxes.
TIP: Setting individual permissions on this account basically mimics Enterprise Administrator rights so that the user password can be written back on-premises. To make life simpler and cut out human error, simply give the account Enterprise Administrator credentials in the first place! It’s what Azure support recommend, though it is not documented and may not be acceptable to all company security policies, but it does ensure the configuration works.
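The same four delegations from the steps above can be applied as a script, so the sync account ends up with exactly the rights writeback needs and nothing more. This is an added example, not code from the article or from AADConnect; the domain name, the account name MSOL_abc123 and the use of the ActiveDirectory module are assumptions, and the GUIDs are looked up from the forest schema rather than hard-coded.

```powershell
# Added example (not from the article): delegate the password-writeback rights
# to the AADConnect service account on all descendant user objects of the domain.
# Assumptions: ActiveDirectory module is available; replace the account below
# with the MSOL_ account shown in your own AADConnect configuration.
Import-Module ActiveDirectory

$DomainDN = (Get-ADDomain).DistinguishedName
$Account  = New-Object System.Security.Principal.NTAccount('CONTOSO', 'MSOL_abc123')  # placeholder
$RootDse  = Get-ADRootDSE

# Resolve schema and extended-right GUIDs from the forest instead of hard-coding them.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $RootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$($RootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$obj.rightsGuid
}

$UserClass = Get-SchemaGuid 'user'   # inheritedObjectType = "Descendant User objects"
$Inherit   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$Allow     = [System.Security.AccessControl.AccessControlType]::Allow
$ExtRight  = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$WriteProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

# One ACE per checkbox in the Permission Entry dialog.
$Rules = @(
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Account, $ExtRight,  $Allow, (Get-ExtendedRightGuid 'Reset Password'),  $Inherit, $UserClass)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Account, $ExtRight,  $Allow, (Get-ExtendedRightGuid 'Change Password'), $Inherit, $UserClass)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Account, $WriteProp, $Allow, (Get-SchemaGuid 'lockoutTime'),            $Inherit, $UserClass)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Account, $WriteProp, $Allow, (Get-SchemaGuid 'pwdLastSet'),             $Inherit, $UserClass)
)

$Acl = Get-Acl -Path "AD:\$DomainDN"
foreach ($Rule in $Rules) { $Acl.AddAccessRule($Rule) }
Set-Acl -Path "AD:\$DomainDN" -AclObject $Acl

# Verify: list only the ACEs granted to the sync account at the domain root.
(Get-Acl -Path "AD:\$DomainDN").Access |
    Where-Object { $_.IdentityReference -eq $Account } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

Run it once per synced forest as an account that can edit the domain-root ACL; the final listing should show exactly four entries, two ExtendedRight and two WriteProperty, all inherited to the user class.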