Azure Password Writeback with DirSync
Many enterprises deployed Dirsync while integrating with Azure AD to sync the AD users, however, with more and more services moving to cloud and giving SSO solutions with Azure, it becomes a necessity to authenticate cloud applications with on-premise AD password to give the best login experience to the users. There are a couple of options to achieve this.
- Synchronize your on-premise AD password with Azure AD. This is a good option however, many enterprises may not want to opt for it due to various security policies.
- Enable Password Writeback to on-premise AD. This is simple to achieve with latest Azure AD Sync tools available from Microsoft however if you have deployed dirsync and cannot upgrade it to the latest tools due to any reason, it becomes tricky.
Microsoft may not have documented it anywhere but here is how this can be achieved in few simple steps:
- Enable SSPR(Self Service Password Reset) in Azure (Follow MS documentation on how to do this)
- Run Enable-OnlinePasswordWriteback in powershell on your Dirsync server. Follow MS documentation on how to run this
- If you have enabled group based SSPR, please ensure the required users are added to it
- Assign appropriate license to the users in Azure portal to allow them to reset their passwords
- In your on-premise AD, give MSOL_xxxxxxxxxxx AD account delegation to reset user passwords
- Register your test user for SSPR and test password reset
Just in case your password reset delegation reverts after sometime, please ensure its excluded from synchronization under Dirsync console.