Self Service Password Reset writeback to Windows Server AD using DirSync

As soon as I heard about password sync for DirSync, my first feature request was password writeback. It’s been just about a year since password sync capabilities were added to DirSync, and now we have password reset writeback available in public preview. There are a couple of caveats that we need to cover, but for the most part this feature is here and ready to go.

To use password writeback, you need to install this version of DirSync. This feature is in public preview, so it is not officially supported by Microsoft yet and you will need to upgrade to the final DirSync bits once general availability is announced.

The biggest caveat for password writeback is that it requires an Azure Active Directory Premium subscription. Azure Active Directory Premium is an add-on feature to Azure Active Directory that allows for more advanced features, and carries an additional licensing cost. You can learn more about Azure Active Directory Premium by following this link. There are a number of features in AAD Premium that may be worth investigating, so I’ll talk about them in a future blog post. For now, let’s concentrate on password writeback.

The notable features of password writeback are:

  1. Supports resetting passwords for users using ADFS and password sync.
  2. Enforces your on-premises password policies.
  3. Does not require any inbound firewall rules.

I think each of those features is fairly self-explanatory. The biggest thing of note to me here is that Microsoft has always claimed that, with password sync, they have no access to your actual on-premises password; they only get a double-hashed copy of it. Obviously, if they can write a new password back to your on-premises AD, then they now have access to the plain text of that password. If that is a security concern for your organization, you should take note.

Setting up password writeback is pretty easy. You have to install the above-listed version of DirSync, then run the Enable-OnlinePasswordWriteBack command from DirSyncConfigShell.psc1. After that, direct your users to http://passwordreset.microsoftonline.com, and they will be able to reset their passwords without having to connect to your on-premises Active Directory.
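Once writeback is enabled, the resets that arrive from the cloud show up on your domain controllers like any other password reset, so it is worth being able to tell them apart from local helpdesk resets and to confirm which on-premises policy they are being held to. The script below is an added example, not code from the original post or from DirSync itself. It assumes it is run with the ActiveDirectory module available, that the DC's Security log records event 4724 ("An attempt was made to reset an account's password"), and that the DirSync service account name begins with "MSOL_" (an assumption; adjust the pattern to match your own sync account).

```powershell
# Added example (not from the original post or DirSync): audit on-premises password
# resets that arrived via DirSync password writeback, and show the domain policy
# those resets are held to.
# Assumptions: ActiveDirectory module installed; $DomainController is a DC you can
# read the Security log from; the DirSync service account matches $SyncAccountPattern
# (assumed "MSOL_*" here, adjust for your environment).

param(
    [string]$DomainController   = $env:COMPUTERNAME,
    [string]$SyncAccountPattern = 'MSOL_*',
    [int]$LookbackHours         = 24
)

Import-Module ActiveDirectory

# The on-premises policy that written-back passwords must satisfy (feature 2 above).
$policy = Get-ADDefaultDomainPasswordPolicy
"Domain policy enforced on writeback: MinLength={0} History={1} Complexity={2} MaxAge={3}" -f `
    $policy.MinPasswordLength, $policy.PasswordHistoryCount, $policy.ComplexityEnabled, $policy.MaxPasswordAge

# Event 4724 = "An attempt was made to reset an account's password" (DC Security log).
$filter = @{
    LogName   = 'Security'
    Id        = 4724
    StartTime = (Get-Date).AddHours(-$LookbackHours)
}
$events = Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue

$resets = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        Time        = $e.TimeCreated
        ResetBy     = $data['SubjectUserName']   # account that performed the reset
        Target      = $data['TargetUserName']    # account whose password was reset
        FromDirSync = ($data['SubjectUserName'] -like $SyncAccountPattern)
    }
}

# Resets performed by the sync account are self-service resets written back from
# Azure AD; any other subject is a local admin/helpdesk reset and is reviewed separately.
$resets | Sort-Object Time | Format-Table -AutoSize
"Writeback resets in the last $LookbackHours h: " + @($resets | Where-Object FromDirSync).Count
```

Run it on (or pointed at) a domain controller after enabling writeback and performing a test reset through the portal; the test reset should appear with the sync account as ResetBy and FromDirSync set to True, which is also a quick way to confirm that the feature is actually working end to end.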

This looks to be a pretty useful feature for a specific sub-set of Office 365 users.