Forgotten password Or Account Lockout?

This article will help you to gain an insight into a feature of Azure Active Directory called Self Service Password Reset (SSPR).

Before jumping ahead into Password Writeback, let us first understand about SSPR.

What is SSPR?

Self-service password reset (SSPR) offers a simple means for IT administrators to empower their users to reset or unlock their own passwords or accounts without IT intervention.

Prerequisites of SSPR?

You must have a functional Azure AD tenant with an enabled trial license or one of the Premium Plans.
An account with Global Administrator privileges.
An Azure AD Premium P1 or trial license for on-premises Password Writeback.

Benefits of SSPR in Azure AD

With SSPR, administrators are allowed to implement any updated security changes to the user accounts without affecting their sign in process.
With an intuitive one-time user registration process, the users manage the password reset, block or unblock accounts from anywhere.
Chances of social engineering attacks & identity theft are reduced, as SSPR ensures that password problems are only resolved after adequate user authentication.

What is the difference between SSPR & Password Writeback?

Azure AD SSPR lets users reset their passwords in the cloud. Password Writeback is a feature enabled with Azure AD Connect or cloud sync that allows password changes in the cloud to be written back to an existing on-premises directory in real time.

What is Password Writeback?

Password Writeback is a feature of Azure AD Connect. It ensures that when a password changes in Azure AD (SSPR, or an administrative change) it is written back to the local AD.

Password Writeback Troubleshooting

Following troubleshooting steps may help if you are having problems with SSPR writeback.

Restart the Azure AD Connect Sync Service

Log on to the server that runs Azure AD Connect, as an administrator.
Type Windows + R to Run & enter services.msc in the search field.

Search for the Microsoft Azure AD Sync entry.

Right-click the service entry, select Restart & wait for the operation to finish.

These steps will help to re-establish your connection with Azure AD & should resolve connectivity issues.

Verify Azure AD Connect Required Permissions

AD DS Reset Password permission is required to perform password writeback. To check it for a given on-premises Ad DS user account, use the following:

First sign into the Azure AD Connect server & start Synchronization Service Manager by clicking Start -> Synchronization Service.
Under the Connectors tab, select the on-premises AD DS connector & then select Properties.

Choose Connect to AD Forest & write down the Username property, which is used by Azure AD Connect to perform directory synchronization.

Sign in to on-premises domain controller & start the Active Directory Users and Computers application.
Select View & check Advanced features option is enabled.

Look for the AD DS user account you want to verify. Right-click the account name & select Properties.

After that go to Security tab & select Advanced.

Choose Effective Access tab in the pop-up window displayed.

Choose Select a user, select the AD DS account used by Azure AD Connect & then select View effective access.
After clicking on View effective access tab, scroll down & look for Reset Password. If the entry has the check mark, the AD DS account has permission to reset the password of the selected AD user account.

Next Steps:

Install the latest Azure AD Connect Release

Downloading the latest version of Azure AD Connect & following the on-screen instructions to update it, should help you to resolve connectivity issues if in case the above two resolutions didn’t work.

Conclusion:

In conclusion, navigating the realm of self-service password reset and password writeback in Azure Active Directory doesn’t have to be a labyrinthine challenge. With our comprehensive troubleshooting guide, you’re ready to effortlessly master these important functionalities and say goodbye to password-related hassles and increased security and user empowerment.