Cannot enable password writeback with Microsoft 365 Business and Azure AD Connect

  • Question

  • Cannot enable password writeback with Microsoft 365 Business and Azure AD Connect

    As of January 2019 (link below), password writeback is now available for Microsoft 365 Business, and all the documentation I could find indicates that Azure AD Premium is not required for password writeback. The goal is to use Self Service Password Reset.

    After upgrading from Office 365 Business to Microsoft 365 Business, I followed the guide "How-to: Configure password writeback", including the changes in Azure AD Connect and the local AD permissions for the indicated directory synchronization account. However, I still see:

    --
    In blade > Dashboard > Users > Password reset > On-premises integration
    "On-premises integration has not been enabled. Learn how to enable password writeback."
    --

    I can't find anything on any of the doc pages (linked below) that would indicate this as a possible outcome, other than:

    "If you install, configure, and enable Azure AD Connect, you have the following additional options for on-premises integrations. If these options are grayed out, then writeback has not been properly configured."

    The on-prem server is 2012 R2. Azure AD Connect is working otherwise; I have verified a change from on-premises to Azure. I went through what I could from the indicated troubleshooting guide (second link below).

    Pages referenced/researched:

    Announced 9 January
    https://techcommunity.microsoft.com/t5/Microsoft-365-Business-Blog/Self-Service-Password-Reset-with-on-premises-writeback-in/ba-p/312595

    https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-writeback
    https://docs.microsoft.com/en-us/azure/active-directory/authentication/active-directory-passwords-troubleshoot#troubleshoot-password-writeback
    https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-writeback
    https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-howitworks
    Friday, April 5, 2019 6:41 PM

Answers

  • This was resolved in the support case.

    Resolution

    Go to the Synchronization Service and open the Connectors view (check the image below).

    Note: If you have any issue trying to open the tool, please run it as an administrator.

    Then, please check the names of both connectors. We need to know the last part of each (ONLY THE LAST PART, do not copy the whole connector name). Check the image for a better understanding.

    Please save this information, because we will run a command in PowerShell to force the password sync.

    Command to force the password sync:

    # Load the Azure AD Connect cmdlets before using them
    Import-Module adsync

    # On-premises connector: replace "*local" with the last part of the name of the
    # local connector, keeping the leading * (between the quotes).
    $adConnector = (Get-ADSyncConnector | Where-Object {$_.Name -ilike "*local"}).Name

    # Cloud connector: replace "*AAD" with the end of the name of the cloud
    # connector (between the quotes).
    $aadConnector = (Get-ADSyncConnector | Where-Object {$_.Name -ilike "*AAD"}).Name

    $c = Get-ADSyncConnector -Name $adConnector

    # Connector-global parameter that requests a full password sync on the next run
    $p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter "Microsoft.Synchronize.ForceFullPasswordSync", String, ConnectorGlobal, $null, $null, $null
    $p.Value = 1

    # Replace any existing value of the parameter and save the connector
    $c.GlobalParameters.Remove($p.Name)
    $c.GlobalParameters.Add($p)
    $c = Add-ADSyncConnector -Connector $c

    # Disable and re-enable password sync between the two connectors to trigger the full sync
    Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $false
    Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $true

    Once the changes to the script are done, please run it:

    First, connect to the service using the command Connect-Msolservice, then provide global administrator credentials to authenticate.

    After you enter the credentials, please run the command with the modifications that we made. Just paste the whole command.


    Tuesday, May 14, 2019 8:26 PM
    Owner
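A pre-flight version of the same procedure, added here as an example and not taken from the thread or from Microsoft's own scripts: it resolves the two connectors by connector type instead of by a name suffix (so a domain that does not end in "local" still resolves), checks that the sync service is running, and offers a dry run before applying the force-full-password-sync steps. It assumes an elevated PowerShell session on the Azure AD Connect server, connector Type values "AD" and "Extensible2", a cloud connector name ending in " - AAD", and the service name ADSync.

```powershell
# Added example, not from the thread. Assumptions: elevated PowerShell session on
# the Azure AD Connect server; on-premises connector Type "AD"; Azure AD connector
# Type "Extensible2" with a name ending in " - AAD"; sync service named "ADSync".
Import-Module ADSync

function Get-SyncConnectorPair {
    # Select by type so a domain such as contoso.com still resolves (a "*local"
    # name pattern would match nothing there) and fail loudly on 0 or 2+ matches.
    $all = Get-ADSyncConnector
    $ad  = @($all | Where-Object { $_.Type -eq 'AD' })
    $aad = @($all | Where-Object { $_.Type -eq 'Extensible2' -and $_.Name -like '* - AAD' })
    if ($ad.Count -ne 1)  { throw "Expected one AD connector, found $($ad.Count): $($ad.Name -join ', ')" }
    if ($aad.Count -ne 1) { throw "Expected one Azure AD connector, found $($aad.Count)" }
    [pscustomobject]@{ Source = $ad[0].Name; Target = $aad[0].Name }
}

function Test-PasswordSyncPrereqs {
    # The ADSync service must be running for any of the cmdlets below to work.
    $svc = Get-Service -Name ADSync -ErrorAction Stop
    if ($svc.Status -ne 'Running') { throw "ADSync service is $($svc.Status); start it first" }
    # With the scheduler off, a forced sync is queued but nothing runs.
    if (-not (Get-ADSyncScheduler).SyncCycleEnabled) { Write-Warning 'SyncCycleEnabled is false' }
    return $true
}

function Invoke-FullPasswordSync {
    param([switch]$DryRun)
    $pair = Get-SyncConnectorPair
    $null = Test-PasswordSyncPrereqs
    Write-Host "Source: $($pair.Source)`nTarget: $($pair.Target)"
    if ($DryRun) { return $pair }
    # Same steps as the accepted answer, using the resolved connector names.
    $c = Get-ADSyncConnector -Name $pair.Source
    $p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter `
        'Microsoft.Synchronize.ForceFullPasswordSync', String, ConnectorGlobal, $null, $null, $null
    $p.Value = 1
    $null = $c.GlobalParameters.Remove($p.Name)
    $c.GlobalParameters.Add($p)
    $c = Add-ADSyncConnector -Connector $c
    # Toggling password sync off and on between the connectors triggers the full sync.
    Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $pair.Source -TargetConnector $pair.Target -Enable $false
    Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $pair.Source -TargetConnector $pair.Target -Enable $true
    return $pair
}

# Dry run first to confirm the connector pair; drop -DryRun to apply the change.
Invoke-FullPasswordSync -DryRun
```

Run the dry run once and compare the printed connector names with what the Synchronization Service Manager shows before applying the change.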

All replies

  • Are you using the latest version of AD Connect? Password writeback will not work for versions 1.0.8641.0 and older. 

    As you mentioned, password writeback is now included in Microsoft 365 Business, so you should be able to use it for that if everything is set up correctly. Make sure that you have Microsoft 365 Business and not another bundle like O365 Business Premium.

    What do you see for the Password Writeback settings when you step through the AD Connect wizard? If it shows up as "disabled", you can re-run the wizard and make sure that you select "Password Writeback" when you step through it.

    Monday, April 8, 2019 10:32 PM
    Owner
  • Confirmed: using latest released Azure AD Connect, 1.2.70.0
    Confirmed: Subscription is Microsoft 365 Business
    Confirmed: "Password writeback" is checked off under "Optional features", verified "Enabled" under "View current configuration"

    I tried un-checking "Password writeback", completed wizard, and then returned and re-checked and re-sync, with no change on the Azure portal status for password writeback.
    Tuesday, April 9, 2019 8:12 PM
  • Thank you for the confirmation, Steven.

    I have responded to you over email and we will take it up accordingly. Please reply to us over email to continue the conversation related to this issue.

    Thank you.


    Friday, April 12, 2019 2:47 PM
    Owner
  • Shashi,

    I have this same issue. I'm also using AD Connect 1.2.70.0 and have configured all steps outlined in "How-to: Configure password writeback".
    • Edited by Owen.Smith Monday, April 15, 2019 8:34 AM
    Monday, April 15, 2019 7:57 AM