In this post we will enable password writeback and self-service password reset in Azure AD.

If enabled, users can update their synced on-premises password or unlock their synced on-premises account using a web browser and the Azure portal.

Password writeback can be used to synchronize password changes in Azure AD back to your on-premises AD DS environment. Azure AD Connect provides a secure mechanism to send these password changes back to an existing on-premises directory from Azure AD.


To enable password writeback and self-service password reset you should have at least an Azure AD Premium P1 or trial licence enabled in your tenant.

Configure account permissions for Azure AD Connect

The first thing we will need to do, is to grant the account specified in Azure AD Connect the appropriate permissions and options to.

Therefore open Azure AD Connect and first check what account is used.

Here you will see what on-premise account is running the synchronization, in my case the BRAINTESTING.DE\MSOL_……. account.

Now we can open the Active Directory Users and Computers console to grant the permissions and options to this account, which are needed for password writeback and self-service password reset.

From the View menu, make sure that Advanced features are turned on.

Right click on the domain and select Properties.

In the Security tab click on Advanced and in the next window click on Add.

For Principal, select the account that permissions should be applied to (the account used by Azure AD Connect).

In the Applies to drop-down list, select Descendant User objects.

Under Permissions, select the box for the following option: Reset password

Under Properties, select the boxes for the following options. Scroll through the list to find these options, which may already be set by default:

  • Write lockoutTime
  • Write pwdLastSet

When ready, select Apply / OK to apply the changes and exit any open dialog boxes.

When you update permissions, it might take up to an hour or more for these permissions to replicate to all the objects in your directory.

Password policies in the on-premises AD DS environment may prevent password resets from being correctly processed. For password writeback to work most efficiently, the group policy for Minimum password age must be set to 0. This setting can be found under Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies.

Enable password writeback in Azure AD Connect

To enable password writeback in Azure AD Connect, click on Customize synchronization options.

Under Optional features you have to check Password writeback.

On the Ready to configure page, select Configure and wait for the process to finish.

Enable password writeback for self-service password reset (SSPR)

With password writeback enabled in Azure AD Connect, now configure Azure AD SSPR for writeback. When you enable SSPR to use password writeback, users who change or reset their password have that updated password synchronized back to the on-premises AD DS environment as well.

To enable password writeback in SSPR open the Azure portal an navigate to the Azure AD.

Select Password reset.

Select On-premises integration.

Write back passwords to your on-premises directory? to Yes.

Allow users to unlock accounts without resetting their password? to Yes.

Finally click Save.


Tutorial: Enable Azure Active Directory self-service password reset writeback to an on-premises environment