Azure Active Directory Password Reset

There are three services available with Azure Active Directory:

• Active Directory Free - With the Free edition of Azure AD, you can manage user accounts, synchronize with on-premises directories, get single sign on across Azure, Office 365, and thousands of popular SaaS applications like Salesforce, Workday, Concur, DocuSign, Google Apps, Box, ServiceNow, Dropbox, and more.
• Active Directory Basic - Azure AD Basic provides the application access and self-service identity management requirements of task workers with cloud-first needs. With the Basic edition of Azure AD, you get all the capabilities that Azure AD Free has to offer, plus group-based access management, Self-Service Password Reset for cloud applications, customizable environment for launching enterprise and consumer cloud applications, and an enterprise-level SLA of 99.9 percent uptime. An administrator with Azure AD Basic edition can activate an Azure Active Directory Premium trial.
• Active Directory Premium - With the Premium edition of Azure AD, you get all of the capabilities that Azure AD Free and Azure AD Basic have to offer, plus additional feature-rich enterprise-level identity management capabilities explained below.

To configure Azure Active Directory premium, the service must be enabled within the Microsoft Azure portal and the Dirsync tool needs to support and be configured to support password writeback.

Configure Azure Active Directory Premium

How to enable Azure Active Directory Premium

Before starting please note that Azure Active Directory Premium is only available through an Enterprise Agreement. The following steps are for signing up for Active Directory Premium:

• Go to the Windows Azure management portal: http://manage.windowsazure.com
• Go to Active Directory
• Select your Directory
• Sign Up for features in preview
• Select Windows Azure Active Directory Premium
• Connect it to a Subscription

            Once the signup is complete go back to Azure Active directory and there will be a button to Enable Active Directory Premium. Select the number of contacts methods that are required, and define which contact methods are available to users.

User Registration with Azure Active Directory Premium

The registration URL is: https://account.activedirectory.windowsazure.com/PasswordReset/Register.aspx Once there:

• Enter a mobile number
• Choose whether to be notified via text or an automated call
• Enter the received code

  Once this is done, the password reset function is available by going to https//login.microsoftonline.com and clicking on Can’t access your account. This will direct the user to enter his/her username & the captcha shown on the screen. Once complete, click Next.         Now follow the instructions for the password reset procedure and click Next           Select whether to be contacted by text or automated call and Click Next. Enter the verification code received either from a automated call or text message.         After entering a valid verification code, the user will be prompted to enter their new password.  

Password writeback overview

Password writeback is a Directory Sync Tool component that can be enabled and used by the current subscribers of Azure Active Directory Premium. It allows you to configure your cloud tenant to write passwords back to you on-premises Active Directory. It obviates you from having to set up and manage a complicated on-premises self-service password reset solution, and it provides a convenient cloud-based way for your users to reset their on-premises passwords wherever they are.

• Supports resetting passwords for users using AD FS or other federation technologies. With password writeback, as long as the federated user accounts are synchronized into your Azure AD tenant, they will be able to manage their on-premises AD passwords from the cloud.
• Supports resetting passwords for users using password hash sync. When the password reset service detects that a synchronized user account is enabled for password hash sync, we reset both this account’s on-premises and cloud password simultaneously.
• Enforces your on-premises AD password policies. When a user resets his/her password, we make sure that it meets your on-premises AD policy before committing it to that directory.
• Doesn’t require any inbound firewall rules. Password writeback uses an Azure Service Bus relay as an underlying communication channel, meaning that you do not have to open any inbound ports on your firewall for this feature to work.
• Is not supported for user accounts that exist within protected groups in your on-premises Active Directory.

How to enable password writeback

This section walks you through configuring password reset to write passwords back to an on-premises AD.

Password writeback prerequisites

Before you can enable and use the password writeback, you must make sure you complete the following prerequisites:

• You have an AAD tenant with Azure AD Premium enabled.
• Password reset has been configured and enabled in your tenant..
• You have at least one administrator account and one test user account with an Azure AD Premium license that you can use to test this feature.

Note

Make sure that the administrator account that you use to enable password writeback is a cloud administrator account (created in Azure AD), not a federated account (created in on-premises AD and synchronized into Azure AD.

• You have a single forest AD on-premises deployment running Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2 with the latest service packs installed.

Note

If you are running an older version of Windows Server 2008 or 2008 R2, you can still use this feature, but will need to install KB 2386717 before being able to enforce your local AD password policy in the cloud.

• You have the Directory Sync Tool installed and you have prepared your AD environment for synchronization to the cloud.
• If your organization’s firewall is configured to block outbound connections, you must unblock TCP port 828 or 818 in order to enable and use the password writeback.

Step 1: Install or upgrade Directory Sync Tool to version 1.0.6862.0000 or later

Password writeback is available in releases of the Directory Sync Tool with version number 1.0.6765.6 or higher. It is recommended that you install the Directory Sync Tool with version number 1.0.6862.0000 or later.

To check your Directory Sync Tool version number

1. Navigate to %ProgramFiles%/Azure Active Directory Sync/
2. Find the exe executable.
3. Right click the executable and select the Properties option from the context menu.
4. Click on the Details
5. Find the File version

If this version number is greater than or equal to 1.0.6862.0000, you can skip to Step 2: Enable password writeback on your Directory Sync computer. If this is your first time installing the Directory Sync Tool, it is recommended that you follow a few best practices to prepare your environment for directory synchronization. For more information, see Prepare for directory synchronization. Before you install the Directory Sync Tool, you must activate directory synchronization in either the Office 365 or the Azure management portals. For more information, see Activate directory synchronization. For more information on installing or upgrading a new version of the Directory Sync Tool, see Install or upgrade the Directory Sync tool. Step 2: Enable password writeback on your Directory Sync computer Now that you have the Directory Sync Tool installed, you are ready to enable password writeback. You will run the Enable-OnlinePasswordWriteBack Windows PowerShell cmdlet from within an elevated Directory Sync configuration shell PowerShell session and provide the same local and cloud administrator credentials that you used for the Directory Sync configuration process. To enable password writeback

1. Do one of the following:
   1. If your Directory Sync Tool version is 1.0.6862.0000 or later, load the Directory Sync PowerShell module by running Import-Module DirSync, then skip down to step 4, and then complete the rest of the steps in this procedure.
   2. If your Directory Sync Tool version is older than 1.0.6862.0000, continue with step 2 and then complete the rest of the steps in this procedure.
2. On your Directory Sync computer, open a new elevated explorer window and navigate to the %ProgramFiles%\Azure Active Directory Sync
3. Find the psc1 file and run it with elevated admin rights. This will open a new Directory Sync configuration PowerShell console.

Note

You must run this command with elevated admin rights, otherwise the PasswordResetService will be unable to log administrative events to the applications event log.

4. Once the PowerShell console opens, type Enable-OnlinePasswordWriteBack in the command prompt and press Enter. This will start the configuration process to enable password writeback for your Azure AD tenant.
5. When prompted to enter a value for LocalADCredential, use the same Enterprise Administrator credentials you used when you configured Directory Sync.
6. When prompted to enter a value for AzureADCredential, use the same Azure Active Directory credentials you used when you configured Directory Sync.

Note

Make sure that the administrator account that you specify for AzureADCredential is a cloud administrator account (created in Azure AD), not a federated account (created in on-premises AD and synchronized into Azure AD.

Allow the operation to complete. The process to enable your tenant can take a few minutes to complete. Once the configuration succeeds, you will see the message Password reset write-back is enabled in the Windows PowerShell window. You can verify the service was installed correctly by opening Event Viewer, navigating to the application event log, and looking for event 31005 - OnboardingEventSuccess from the source PasswordResetService. Step 3: Reset your password as a user and verify it is written back to on-premises AD Now that password writeback has been enabled, you can test that it works by resetting the password of a user whose account has been synchronized into your cloud tenant.

1. Navigate to http://passwordreset.microsoftonline.com or go to any organizational ID login screen and click the Can’t access your account? link.

         

1. You should now see a new page which asks for a user ID for which you want to reset a password. Enter your test user ID and proceed through the password reset flow.
2. After you reset your password, you will see a screen that looks similar to this. It means you have successfully reset your password in your on-premises and/or cloud directories.

   

4. To verify the operation was successful, go to your Directory Sync computer, open Event Viewer, navigate to the application event log, and look for event 31002 - PasswordResetSuccess from the source PasswordResetService for your test user.

How to disable password writeback If you no longer want to use password writeback in your environment, you can disable it by running the Disable-OnlinePasswordWriteBack Windows PowerShell cmdlet from an elevated Directory Sync configuration shell PowerShell session and provide the same local and cloud administrator credentials that you used for the Directory Sync configuration process.

1. On your Directory Synch computer, open a new elevated explorer window and navigate to the %ProgramFiles%\Azure Active Directory Sync
2. Find the psc1 file and run it with elevated admin rights. This will open a new Directory Sync configuration PowerShell console.

Note

You must run this command with elevated admin rights, otherwise the service will not disable correctly.

3. In the Windows PowerShell console, type Disable-OnlinePasswordWriteBack and press Enter. This starts the process of disabling password writeback for your Azure AD tenant.
4. When prompted to enter a value for LocalADCredential, enter the same Enterprise Administrator credentials you used when you configured Directory Sync and press Enter.
5. When prompted to enter a value for AzureADCredential, enter the same Azure Active Directory credentials you used when you configured Directory Sync and press Enter.
6. Once the configuration succeeds, you will see the message Password reset write-back is disabled in the Windows PowerShell prompt. Azure Active Directory Password Reset