
Part 15 – Self Service Password Reset and Writeback

In our previous post, we successfully configured Microsoft Entra Connect. Now, let's explore how users can reset their passwords in the cloud and have the new password written back to on-premises Active Directory.

Before we dive into the configuration, let’s understand two different methods for changing passwords:

1. Default Method

By default, every user can change their password in the cloud. However, users must know their current password to change it, so a forgotten password still ends up with the helpdesk: the user has no way to prove who they are, and someone with admin rights has to reset the password for them.

 

2. Self Service Password Reset (SSPR) + Password Writeback

This method is more user-friendly because users don't need to know their current password. Instead, they prove their identity with the authentication methods you allow for SSPR (mobile phone via SMS or call, office phone, email, the Authenticator app, or security questions). The Password Writeback feature then sends the new password back to on-premises Active Directory through the Entra Connect server. Without writeback, a reset in the cloud would leave the cloud and on-premises passwords out of step, and the next synchronization cycle would overwrite the cloud password with the on-premises one again. With writeback the user keeps a single password for both, which simplifies sign-in.

For example, if a user forgets their password, they can reset it without contacting the helpdesk team. They verify their identity with the registered methods, choose a new password, and that password is written back to Active Directory, which also clears an account lockout if you enable that option.


Now, let’s enable Password Writeback:

Open the Microsoft Entra admin center and navigate to Protection > Password reset.

 

Under Properties, specify the users for whom you want to enable Self-Service Password Reset: None, Selected (a single group), or All. Start with a pilot group before switching to All.

 

Under Authentication methods, choose the number of methods required to reset a password (one or two) and tick the methods users may use. If multiple methods are ticked, users choose which of their registered methods to verify with; requiring two methods is the safer choice, since a single SMS or phone-call factor is the weakest link for account takeover.

 

Adjust the Notifications settings (notify users on password resets, and notify all admins when another admin resets their password).

 

Set up On-premises integration: turn on "Write back passwords to your on-premises directory" and, optionally, "Allow users to unlock accounts without resetting their password". This page only shows the writeback status; the feature itself is switched on in Microsoft Entra Connect later in this post.

 

Now, let’s configure Password Writeback Permission:

Open Active Directory Users and Computers, enable View > Advanced Features (otherwise the Security tab is hidden), then right-click the domain and choose Properties.

 

Open the Security Tab and click Advanced.

 

Add a new principal. Search for the MSOL user (an account named MSOL_ followed by a hex suffix). This is the AD DS connector account that Microsoft Entra Connect creates during an express installation and uses to read from and write to on-premises Active Directory; the cloud side uses a separate Sync_ service account. If you chose a custom installation with your own connector account, grant the permissions to that account instead. You can confirm which account is in use on the Entra Connect server with Get-ADSyncADConnectorAccount from the ADSync module.

 

Add permission:

  • Applies to: Descendant User objects
    • Reset password
    • Write all properties

 

Hit Apply.

 

Add the MSOL user again as a new principal.

 

Add permissions:

  • Applies to: This object and all descendant objects
    • Unexpire password

Then click OK and apply all changes. When you update permissions, it might take up to an hour or more for them to replicate to all the objects in your directory.
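The same ACEs can be added from PowerShell, which is easier to audit and repeat than clicking through the Security tab. The script below is an added example, not part of the original post; it assumes the ActiveDirectory RSAT module on a domain-joined admin host, and the connector account name MSOL_1a2b3c4d5e6f is a placeholder for your own. It grants Reset password and Unexpire password exactly as in the GUI steps above, but in place of "Write all properties" it grants write access only to pwdLastSet and lockoutTime, the two attributes Microsoft documents for writeback, and it resolves the object and right GUIDs from the schema instead of hard-coding them.

```powershell
# Added example (not from the original post). Placeholders: the connector account name.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$domain   = Get-ADDomain
$account  = Get-ADUser -Identity 'MSOL_1a2b3c4d5e6f'          # placeholder: your AD DS connector account
$sid      = [System.Security.Principal.SecurityIdentifier]$account.SID

# Resolve GUIDs from the forest schema / extended-rights container rather than hard-coding them
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]::new([byte[]]$obj.schemaIDGUID)
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$obj.rightsGuid
}

$userClass   = Get-SchemaGuid 'user'
$pwdLastSet  = Get-SchemaGuid 'pwdLastSet'
$lockoutTime = Get-SchemaGuid 'lockoutTime'
$resetPwd    = Get-ExtendedRightGuid 'Reset Password'
$unexpire    = Get-ExtendedRightGuid 'Unexpire Password'

$descendants = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents  # .NET spelling
$thisAndAll  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All

$rules = @(
    # "Reset password" on descendant user objects
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, 'ExtendedRight', 'Allow', $resetPwd, $descendants, $userClass)
    # Write pwdLastSet / lockoutTime on descendant user objects (narrower than "Write all properties")
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, 'WriteProperty', 'Allow', $pwdLastSet, $descendants, $userClass)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, 'WriteProperty', 'Allow', $lockoutTime, $descendants, $userClass)
    # "Unexpire password" on this object and all descendant objects
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, 'ExtendedRight', 'Allow', $unexpire, $thisAndAll)
)

$path = "AD:\$($domain.DistinguishedName)"
$acl  = Get-Acl -Path $path
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path $path -AclObject $acl

# Verify: list every ACE on the domain head that names the connector account
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference -like "*\$($account.SamAccountName)" } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType, InheritedObjectType |
    Format-Table -AutoSize
```

The verification output should show two ExtendedRight entries (the Reset Password and Unexpire Password GUIDs) and two WriteProperty entries scoped to the user class. Microsoft also ships Set-ADSyncPasswordWritebackPermissions in the AdSyncConfig module on the Entra Connect server, which grants the same set in one call; the explicit version above is useful when you need to see, and review, exactly what is being delegated.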

 

Next, adjust the Password Writeback Group Policy settings:

Password policies in the on-premises AD DS environment may prevent password resets from being processed correctly. For password writeback to work, the group policy for Minimum password age must be set to 0; otherwise a reset that arrives within the minimum age is rejected on-premises even though the user has already completed SSPR.

This setting lives in the Default Domain Policy, where the value is 1 by default, meaning that users can change their password only once per day. Be aware of the trade-off: minimum age 0 removes the brake that stops a user from cycling through their password history in a few minutes to get back to an old password, so keep Enforce password history and a reasonable maximum age in place.

 

 

We need to change that value to 0. Edit the Default Domain Policy and navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy > Minimum password age, and set the value to 0. Any fine-grained password policy (PSO) that applies to SSPR users must also have a minimum age of 0, because a PSO overrides the domain policy for its targets.
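Before enabling writeback it is worth checking every policy that could still enforce a minimum password age, not just the one in the Default Domain Policy. The following added example (not from the original post) audits the domain policy, all fine-grained password policies, and the resultant policy for a test user; it assumes the ActiveDirectory RSAT module and uses the user name jdoe as a placeholder.

```powershell
# Added example (not from the original post). Placeholder: the test user's sAMAccountName.
Import-Module ActiveDirectory

function Test-WritebackPasswordAge {
    param([string]$SamAccountName)   # placeholder user to evaluate the resultant policy for
    $problems = @()

    # Domain-wide policy: this is what the Default Domain Policy GPO writes to the domain head
    $default = Get-ADDefaultDomainPasswordPolicy
    if ($default.MinPasswordAge -gt [TimeSpan]::Zero) {
        $problems += "Default domain policy MinPasswordAge is $($default.MinPasswordAge); writeback needs 0"
    }

    # Fine-grained password policies override the domain policy for their targets, so a PSO
    # with a non-zero minimum age breaks writeback for those users even if the domain says 0
    foreach ($pso in Get-ADFineGrainedPasswordPolicy -Filter *) {
        if ($pso.MinPasswordAge -gt [TimeSpan]::Zero) {
            $problems += "PSO '$($pso.Name)' (precedence $($pso.Precedence)) MinPasswordAge is $($pso.MinPasswordAge)"
        }
    }

    # Resultant policy for one user: returns the winning PSO, or nothing if the domain policy applies
    if ($SamAccountName) {
        $resultant = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
        if ($resultant -and $resultant.MinPasswordAge -gt [TimeSpan]::Zero) {
            $problems += "User $SamAccountName is governed by PSO '$($resultant.Name)' with MinPasswordAge $($resultant.MinPasswordAge)"
        }
    }
    return $problems
}

$findings = Test-WritebackPasswordAge -SamAccountName 'jdoe'
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'No minimum-password-age setting will block password writeback.' }
```

Fix the domain-wide value in the Default Domain Policy GPO rather than with Set-ADDefaultDomainPasswordPolicy: the PDC emulator re-applies the GPO setting on refresh and would revert a direct change. A PSO with a non-zero minimum age is edited with Set-ADFineGrainedPasswordPolicy, or simply unlinked from the SSPR group.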

 

Finally, enable Microsoft Entra Connect Password Writeback:

On the Entra Connect server, open the Microsoft Entra Connect configuration wizard and click Configure.

 

Click Customize synchronization options and sign in with a Hybrid Identity Administrator (or Global Administrator) account when prompted.

 

Step through to the Optional features page, tick Password writeback, then click Configure. Password writeback is now enabled. The Entra Connect server needs outbound HTTPS (TCP 443) connectivity for the writeback channel, so if you run it behind a restrictive proxy, allow that before testing.
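To confirm the feature is really on, and that a reset actually lands in Active Directory, the following added example (not from the original post) checks the writeback configuration from the ADSync module on the Entra Connect server and then proves a test reset by watching the user's pwdLastSet timestamp. The connector name "contoso.onmicrosoft.com - AAD" and the user jdoe are placeholders; the Status property of Get-ADSyncAADPasswordResetConfiguration is the value reported by that cmdlet.

```powershell
# Added example (not from the original post). Placeholders: the Entra ID connector name and test user.
Import-Module ADSync              # ships with Microsoft Entra Connect
Import-Module ActiveDirectory

function Test-PasswordWritebackEnabled {
    param([string]$Connector)     # the "<tenant>.onmicrosoft.com - AAD" connector
    $config = Get-ADSyncAADPasswordResetConfiguration -Connector $Connector
    return ($config.Status -eq 'Enabled')
}

function Get-PwdLastSet {
    param([string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties pwdLastSet, lockoutTime
    [pscustomobject]@{
        PwdLastSet = [DateTime]::FromFileTimeUtc($u.pwdLastSet)
        LockedOut  = ($u.lockoutTime -gt 0)
    }
}

$connector = 'contoso.onmicrosoft.com - AAD'      # placeholder
$testUser  = 'jdoe'                               # placeholder

if (-not (Test-PasswordWritebackEnabled -Connector $connector)) {
    throw "Password writeback is not enabled on connector '$connector'"
}

$before = Get-PwdLastSet -SamAccountName $testUser
Write-Host "pwdLastSet before: $($before.PwdLastSet) (UTC), locked out: $($before.LockedOut)"

# Have the test user reset their password at https://aka.ms/sspr, then continue.
Read-Host 'Press Enter after the test user has completed SSPR'

$after = Get-PwdLastSet -SamAccountName $testUser
if ($after.PwdLastSet -gt $before.PwdLastSet) {
    Write-Host "Writeback confirmed: pwdLastSet advanced to $($after.PwdLastSet) (UTC); locked out: $($after.LockedOut)"
} else {
    Write-Warning 'pwdLastSet did not change: check the connector account ACEs, minimum password age, and the Application event log on the Entra Connect server.'
}
```

pwdLastSet is written by the domain controller whenever the password changes, so it cannot be faked by the cloud side; an advancing value is direct evidence that the reset reached AD DS. If account unlock is enabled in the on-premises integration settings, a locked-out test user should also show LockedOut flipping to False.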

 

And that’s it! You’ve now set up Password Writeback and Self Service Password Reset.

See yaa in the next blog post 🙂
