How to enable password writeback for Entra Connect (AADConnect) #
PROMPT: You are trying to enable password writeback, but changing the permissions by hand is a big hassle or is just not working.
Resources: #
MS Learn on SSPR
MS Learn on permissions
Prerequisites: #
- You have already set up Entra Connect for your domain.
- You are using the Connect Sync agent.
- You know the service account used by Entra Connect.
Steps: #
- Open up PowerShell as an Administrator on the Entra Connect device.
- Install the AD DS RSAT tools with the following command:
```powershell
Install-WindowsFeature RSAT-AD-Tools
```
- Run the following command to load the ADSyncConfig module:
```powershell
Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1"
```
- We can now use the module to grant the connector account the permissions needed for password writeback with this command, replacing the placeholder with the account's distinguished name:
```powershell
# Set-ADSyncPasswordWritebackPermissions delegates the reset/change password rights that
# writeback relies on; Set-ADSyncPasswordHashSyncPermissions only grants the directory
# replication rights used by password hash sync and is not sufficient for writeback.
Set-ADSyncPasswordWritebackPermissions -ADConnectorAccountDN 'account-distinguished-name'
```
- With permissions configured, we can now enable password writeback in Entra Connect. Open the Entra Connect application and click Configure.
- Choose Customize synchronization options, enter credentials for a Global Admin account, then skip ahead to Optional features and enable Password writeback.
- After clicking Configure and waiting for the configuration to complete, we can close the Entra Connect application.
- Open the Entra Admin Center for the given tenant as a Global Admin.
- Under Protection -> Password Reset -> On-Premises Integration, check the option ‘Write back passwords to your on-premises directory’. You may also check ‘Allow users to unlock accounts without resetting their password’ if you want this functionality. Make sure ‘Write back passwords with Microsoft Entra Connect Cloud Sync’ remains unchecked, since it does not apply to this scenario (the Connect Sync agent).
- Click Save to apply changes.
- Navigate to Protection -> Password Reset -> Properties. If you haven’t already set self-service password reset to either Selected or All, do so now, depending on your user scope.
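The permission step above is the one that usually goes wrong, so here is an added example (not from the original post) that resolves the connector account from the running sync service, applies the writeback permissions, and then reads the domain-root ACL to confirm the Reset Password and Change Password rights actually landed on that account. It assumes the default install path, the RSAT AD DS tools from the earlier step, and the well-known control-access right GUIDs for those two rights.

```powershell
# Run on the Entra Connect server in an elevated PowerShell session.
Import-Module ActiveDirectory
Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1"

# Resolve the AD DS connector account from the sync service instead of typing the DN by hand.
$connector  = Get-ADSyncADConnectorAccount
$accountDN  = $connector.ADConnectorAccountDN
$accountSid = (Get-ADUser -Identity $accountDN).SID

# Grant the writeback permissions; re-running only re-applies the same ACEs.
Set-ADSyncPasswordWritebackPermissions -ADConnectorAccountDN $accountDN

# Well-known control-access right GUIDs (assumed constant across forests) that writeback needs
# on descendant user objects.
$requiredRights = [ordered]@{
    'Reset Password'  = [guid]'00299570-246d-11d0-a768-00aa006e0529'
    'Change Password' = [guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'
}

# The module places inheritable ACEs at the domain root by default, so read the ACL there and
# keep only Allow entries whose trustee is the connector account (compared by SID, not name).
$domainDN = (Get-ADDomain).DistinguishedName
$aces = (Get-Acl -Path "AD:\$domainDN").Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (try { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { $null }) -eq $accountSid.Value
}

# Report each required extended right as OK or MISSING for the connector account.
foreach ($entry in $requiredRights.GetEnumerator()) {
    $granted = $aces | Where-Object {
        $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        $_.ObjectType -eq $entry.Value
    }
    $status = if ($granted) { 'OK     ' } else { 'MISSING' }
    Write-Output ("{0}  {1} for {2}" -f $status, $entry.Key, $accountDN)
}
```

If a right reports MISSING, the permissions were applied somewhere other than the domain root (for example with a custom target OU) or the ACE was blocked by inheritance settings on the OU that holds the users, which is where to look next.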