Azure AD connect Password Sync


  • Hello Champs,

    I have Azure AD connect and i am planning to implement the password Write back option for few users, however i dont find any link which talks about it, can you guys put some lights if Password synchronization can be enable to for few users. 



    Wednesday, March 29, 2017 11:38 AM

All replies

  • If you want to enable password sync (from on-prem to the cloud), then you will enable it for all users. See:

    If you want to enable password writeback (from the cloud back to on-prem), then you can do it per user since it will require an Azure AD Premium license. If you use Azure AD Premium for other purposes, then all these will be able to change and reset the password in the cloud and write back to on-prem. See:

    Wednesday, March 29, 2017 6:09 PM
  • Thanks for the information Andreas, i gone through the documents but i have to enable the password Write-back which will be enabled for all the users, it means all the user's password get synchronized,  and the another points is in the document they not mentioned that this can be enabled on individual users level, yeah it has mentioned about the license level but not like Group Based or OU based. 

    can you put some lights on this.

    Thursday, March 30, 2017 2:38 PM
  • So you are concerned about users changing their password in Azure AD and it is going to be written back. You want that writeback for only a few users.

    Password reset can be restricted to a group, but that is not what you are looking for, correct?

    Thursday, March 30, 2017 8:41 PM
  • Hey there, sounds like you want to scope password reset to specific users, is that right?

    If so, this will work for you: 

    If you want to scope password writeback by OU,you can follow the steps in step 4 of the getting started guide: 

    Hopefully this helps!


    Step 4: Set up the appropriate Active Directory permissions

    For every forest that contains users whose passwords will be reset, if X is the account that was specified for that forest in the configuration wizard (during initial configuration), then X must be given the Reset PasswordChange PasswordWrite Permissions on lockoutTime, and Write Permissions on pwdLastSet, extended rights on the either the root object of each domain in that forest OR on the user OU(s) you wish to be in scope for SSPR. You can use the latter option if you would like to scope your reset permissions to only a specific set of user objects in case doing so against the root of the domain is not acceptable. The right should be marked as inherited by all user objects.

    Adam Steenwyk | Senior Program Manager |

    Friday, March 31, 2017 1:09 AM