There are three services available with Azure Active Directory:
An administrator with Azure AD Basic edition can activate an Azure Active Directory Premium trial.
To configure Azure Active Directory Premium, the service must be enabled within the Microsoft Azure portal, and the DirSync tool must be a version that supports password writeback and be configured for it.
Before starting, please note that Azure Active Directory Premium is only available through an Enterprise Agreement.
The following steps are for signing up for Active Directory Premium:
Once the signup is complete, go back to Azure Active Directory and there will be a button to Enable Active Directory Premium.
Select the number of contact methods that are required, and define which contact methods are available to users.
The registration URL is: https://account.activedirectory.windowsazure.com/PasswordReset/Register.aspx
Once this is done, the password reset function is available by going to https://login.microsoftonline.com and clicking on Can’t access your account. This will direct the user to enter their username and the captcha shown on the screen. Once complete, click Next.
Now follow the instructions for the password reset procedure and click Next.
Select whether to be contacted by text or automated call and click Next. Enter the verification code received either from an automated call or text message.
After entering a valid verification code, the user will be prompted to enter their new password.
Password writeback is a Directory Sync Tool component that can be enabled and used by current subscribers of Azure Active Directory Premium. It allows you to configure your cloud tenant to write passwords back to your on-premises Active Directory. It removes the need to set up and manage a complicated on-premises self-service password reset solution, and it provides a convenient cloud-based way for your users to reset their on-premises passwords wherever they are.
This section walks you through configuring password reset to write passwords back to an on-premises AD.
Before you can enable and use password writeback, you must make sure you complete the following prerequisites:
Note: Make sure that the administrator account that you use to enable password writeback is a cloud administrator account (created in Azure AD), not a federated account (created in on-premises AD and synchronized into Azure AD).
Note: If you are running an older version of Windows Server 2008 or 2008 R2, you can still use this feature, but you will need to install KB 2386717 before being able to enforce your local AD password policy in the cloud.
Password writeback is available in releases of the Directory Sync Tool with version number 1.0.6765.6 or higher. It is recommended that you install the Directory Sync Tool with version number 1.0.6862.0000 or later.
If the installed version number is greater than or equal to 1.0.6862.0000, you can skip to Step 2: Enable password writeback on your Directory Sync computer.
If this is your first time installing the Directory Sync Tool, it is recommended that you follow a few best practices to prepare your environment for directory synchronization. For more information, see Prepare for directory synchronization.
Before you install the Directory Sync Tool, you must activate directory synchronization in either the Office 365 or the Azure management portals. For more information, see Activate directory synchronization.
For more information on installing or upgrading a new version of the Directory Sync Tool, see Install or upgrade the Directory Sync tool.
Step 2: Enable password writeback on your Directory Sync computer
Now that you have the Directory Sync Tool installed, you are ready to enable password writeback. You will run the Enable-OnlinePasswordWriteBack Windows PowerShell cmdlet from within an elevated Directory Sync configuration shell PowerShell session and provide the same local and cloud administrator credentials that you used for the Directory Sync configuration process.
To enable password writeback
Note: You must run this command with elevated admin rights; otherwise the PasswordResetService will be unable to log administrative events to the Application event log.
Note: Make sure that the administrator account that you specify for AzureADCredential is a cloud administrator account (created in Azure AD), not a federated account (created in on-premises AD and synchronized into Azure AD).
Allow the operation to complete. The process to enable your tenant can take a few minutes to complete. Once the configuration succeeds, you will see the message Password reset write-back is enabled in the Windows PowerShell window. You can verify the service was installed correctly by opening Event Viewer, navigating to the application event log, and looking for event 31005 – OnboardingEventSuccess from the source PasswordResetService.
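The enable step and its verification, as an added PowerShell example that is not part of the original article or the Directory Sync Tool's own scripts. It assumes an elevated Directory Sync configuration shell; the uninstall-registry lookup and the '*Directory Sync*' display-name pattern used to read the installed version are assumptions, and only the AzureADCredential parameter named above is used, so PowerShell prompts for any other mandatory credential.

```powershell
# Added example (not from the original article): check elevation and the installed
# Directory Sync Tool version, enable password writeback, then confirm event 31005.
$MinimumVersion     = [version]'1.0.6765.6'   # oldest release with writeback (from the article)
$RecommendedVersion = [version]'1.0.6862.0'   # the article's recommended minimum

function Get-DirSyncVersion {
    # Walk the standard uninstall keys; the display-name filter is an assumption.
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $entry = Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
             Where-Object { $_.DisplayName -like '*Directory Sync*' } |
             Select-Object -First 1
    if (-not $entry) { return $null }
    # Compare as [version], never as strings: as text '1.0.10000.0' sorts below
    # '1.0.6765.6' because '1' is less than '6', which would wrongly block a newer build.
    return [version]$entry.DisplayVersion
}

function Test-WritebackOnboarded {
    # The article's success indicator: event 31005 (OnboardingEventSuccess) from
    # source PasswordResetService in the Application log.
    $evt = Get-WinEvent -FilterHashtable @{ LogName = 'Application';
                                            ProviderName = 'PasswordResetService';
                                            Id = 31005 } -MaxEvents 1 -ErrorAction SilentlyContinue
    return [bool]$evt
}

# Without elevation the service cannot log its administrative events, so stop early.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated Directory Sync configuration shell.'
}

$installed = Get-DirSyncVersion
if (-not $installed -or $installed -lt $MinimumVersion) {
    throw "Directory Sync Tool '$installed' does not support password writeback; need $MinimumVersion or later."
}
if ($installed -lt $RecommendedVersion) {
    Write-Warning "Version $installed works, but $RecommendedVersion or later is recommended."
}

# Use a cloud (Azure AD) administrator, not a federated account synchronized from on-premises AD.
$cloudCred = Get-Credential -Message 'Azure AD cloud administrator (not a federated account)'
Enable-OnlinePasswordWriteBack -AzureADCredential $cloudCred

if (Test-WritebackOnboarded) { 'Password writeback onboarded: event 31005 is present.' }
else { Write-Warning 'No OnboardingEventSuccess (31005) found yet; check the Application log.' }
```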
Step 3: Reset your password as a user and verify it is written back to on-premises AD
Now that password writeback has been enabled, you can test that it works by resetting the password of a user whose account has been synchronized into your cloud tenant.
How to disable password writeback
If you no longer want to use password writeback in your environment, you can disable it by running the Disable-OnlinePasswordWriteBack Windows PowerShell cmdlet from an elevated Directory Sync configuration shell PowerShell session, providing the same local and cloud administrator credentials that you used for the Directory Sync configuration process.
Note: You must run this command with elevated admin rights; otherwise the service will not disable correctly.