Friday 18 December 2015

EMS - Azure Active Directory Premium : Integration between Azure AD and on-premises using Azure AD Connect - PART 2

Hello Everyone,

This post explains how to configure the following Azure AD Premium features:
  • Self-Service Password Reset
  • Password Writeback
  • Device Writeback
NOTE: To use the features above, you must have Azure AD Premium or Basic. (On the trial version you only get trial licences, for testing only.)

To view PART 1, Click Here!

Let's start with the features and the practical steps :)

Self-Service Password Reset:

This allows users to reset their own password if they forget it, using one of several verification methods.

Prerequisites:
  • Azure AD tenant and subscription.
  • Azure AD Premium licences assigned to the users.
  • One administrator account and one test user.

STEP 1: Activate Azure AD Premium and assign licences to users:

Open the Azure portal, click on your Azure AD and then click Activate Trial. (NOTE: If you already have a licence for Azure AD Premium, you get an "Activate" option instead of Activate Trial.)

Click on the tick mark:

Successfully activated:

Click on Azure Active Directory Premium to assign licences:

Click on Assign Users:

Select the users you want to assign licences to:

Successfully enabled:

STEP 2: Configure the user password reset policy:

Open Azure AD, click on the Configure tab and scroll down to User password reset policy:

Click on Yes:

Change the settings as per your requirements:

Click Save:

STEP 3: Set up information for the self-service password reset feature:

After saving the settings, log out and log in again as the user you assigned the licence to. The user is prompted to set up additional information so that the password can be recovered if it is forgotten:

Click on Set it up now. You will see two authentication methods to verify, Mobile and Email. Click on Verify to verify the mobile number:

Click on either the Text Me or the Call Me option to get verified:

Enter the OTP and click Verify:

Successfully verified. You can change it later if you want. Now click on Set it up now to verify the email address:

Provide the email address to be verified and click on Email Me:

Click on Verify:

Click on Finish:

This is all done.

Now we will test Self-Service Password Reset.

STEP 4: Testing the Self-Service Password Reset feature:

Log out, log in again and click on Can't access your account:

Click Next:

Here you have three options: Email, Text or Call. It is up to you which method you want to verify with:

After selecting your method, you also get the option to contact your administrator if none of your methods can be verified. When you click Contact your administrator, an email with your details is sent to the administrator, who verifies you. After validation, only the administrator can change your password, and you are notified of the new password at your alternate email address:

After verification, you are asked to provide a new password:

Click Finish:

After the password reset, log in again with the new password, and yes, you can log in:

Password Writeback:

This allows users to change and reset passwords in the cloud and have the on-premises password policy applied.

Prerequisites:
  • Azure AD tenant and subscription.
  • Password reset configured (done above).
  • An on-premises AD.
  • The latest version of the Azure AD Connect tool installed.
  • TCP port 443 and TCP ports 9350-9354 open for Azure AD Sync.

STEP 1: Install Azure AD Connect:

Already done in the previous part (Click Here).

STEP 2: Enable password writeback in Azure AD Connect:

Open your Azure AD Connect, select Customize synchronization options and click Next:

Provide the Azure admin credentials and click Next:

Provide the on-premises AD credentials and click Next:

Tick Password writeback and click Next:

Click Install:

Click Exit:

Check for Event ID 904:

STEP 3: Configure Active Directory permissions:

When you install the Azure AD Connect tool, an account is created in AD. That account needs the following permissions to perform writeback:
  • Reset Password
  • Change Password
  • Write permission on lockoutTime
  • Write permission on pwdLastSet
To see which account was created in AD and needs these permissions, open Azure AD Connect, click on View current configuration and click Next:

Click on Review your solution and find the account name under the Account section:

Now open Active Directory Users and Computers and enable Advanced Features in the View menu:

Right-click your domain and click Properties. Then click the Security tab and click Advanced:

Select the user, change Applies to to Descendant User objects and set the required permissions:

After granting the permissions, click Apply to save the settings.
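The same four permissions can be granted from the command line instead of the GUI and then checked. This is an added example, not code from the original post; the account name and domain DN are placeholders, and dsacls is assumed to be available (it ships with the AD DS tools).

```powershell
# Added example, not from the original post: grant the Azure AD Connect
# connector account the four rights that password writeback needs, scoped to
# descendant user objects only, then read the domain ACL back to confirm them.
# Run as a Domain Admin where the ActiveDirectory module is available.
# The account name and domain DN are placeholders for your own values.
Import-Module ActiveDirectory

$ConnectorAccount = 'CONTOSO\MSOL_00000000'   # placeholder: copy the real name from "View current configuration"
$DomainDN         = 'DC=contoso,DC=com'        # placeholder: your domain's distinguished name

# dsacls: /I:S = apply to descendant objects only; CA = control access (extended) right;
# WP = write property. The trailing "user" limits each ACE to user objects, which is
# the least privilege the feature needs (no rights on computers, groups or OUs).
dsacls $DomainDN /I:S /G "${ConnectorAccount}:CA;Reset Password;user"
dsacls $DomainDN /I:S /G "${ConnectorAccount}:CA;Change Password;user"
dsacls $DomainDN /I:S /G "${ConnectorAccount}:WP;lockoutTime;user"
dsacls $DomainDN /I:S /G "${ConnectorAccount}:WP;pwdLastSet;user"

# Well-known AD schema GUIDs, used only to make the ACL output readable.
$KnownGuids = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password'
    'ab721a53-1e2f-11d0-9819-00aa0040529b' = 'Change Password'
    '28630ebf-41d5-11d1-a9c1-0000f80367c1' = 'lockoutTime'
    'bf967a0a-0de6-11d0-a285-00aa003049e2' = 'pwdLastSet'
    'bf967aba-0de6-11d0-a285-00aa003049e2' = 'user'
}
function Resolve-SchemaGuid([guid]$Id) {
    $name = $KnownGuids[$Id.ToString()]
    if ($name) { $name } else { $Id.ToString() }
}

# Verify: show only the ACEs on the domain root granted to the connector account.
# The four rows for writeback are two ExtendedRight and two WriteProperty entries,
# each with AppliesTo = user and InheritanceType = Descendents. Other ACEs the
# Azure AD Connect installer granted to the same account will also be listed.
(Get-Acl -Path "AD:\$DomainDN").Access |
    Where-Object { $_.IdentityReference.Value -eq $ConnectorAccount } |
    Select-Object @{ n = 'Identity';  e = { $_.IdentityReference.Value } },
                  ActiveDirectoryRights,
                  @{ n = 'Right';     e = { Resolve-SchemaGuid $_.ObjectType } },
                  @{ n = 'AppliesTo'; e = { Resolve-SchemaGuid $_.InheritedObjectType } },
                  InheritanceType |
    Format-Table -AutoSize
```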

STEP 4: Test writeback:

To test, the user has to log in here.

On the login page, the user provides the email ID and chooses a verification method. After verification, the user can reset the password.

After the reset, log in to the server where Azure AD Connect is installed and check for Event ID 6329.

NOTE: If you created only one test user and already reset its password while testing the self-service password reset configuration, you cannot change that user's password again for 24 hours (1 day), as per the default group policy settings in AD (Minimum password age). So to test the writeback feature on the same user, either change the default group policy setting to 0 days for Minimum password age, or wait until the next day ... :)

Device Writeback:

This allows a device registered in Azure AD to be written back to your on-premises AD so that it can be used for conditional access.

STEP 1: Install Azure AD Connect:

This is already done.

STEP 2: Configure Azure AD Connect for device writeback:

Open the Azure AD PowerShell module and run the following commands (both parameters of the last command are optional):

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1'

Initialize-ADSyncDeviceWriteback [-DomainName <name>] [-AdConnectorAccount <account>]

The domain name is your on-premises AD domain, and the account is the one created during the Azure AD Connect installation, whose name looks like MSOLxxxxxx.

STEP 3: Enable device writeback in Azure AD Connect:

Open Azure AD Connect, select Customize synchronization options and click Next:

Validate by providing the Azure and on-premises AD credentials, select Device writeback and click Next:

Click Install:

This is done. If you have any device in Azure AD, it will now be written back to the on-premises AD as well.
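A check for both writeback features from the Azure AD Connect server, as an added example that is not part of the original post. It looks for the Application-log event IDs this post checks after enabling password writeback (904) and after a reset (6329), and lists the device objects written back under the RegisteredDevices container that Initialize-ADSyncDeviceWriteback creates; $DomainDN is a placeholder.

```powershell
# Added example, not from the original post: verify password writeback and
# device writeback from the Azure AD Connect server.
Import-Module ActiveDirectory

$DomainDN = 'DC=contoso,DC=com'   # placeholder: your domain's distinguished name

# 1. Password writeback: the event IDs the post checks (904 after enabling
#    writeback, 6329 after a reset), newest first, first line of each message.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 904, 6329 } `
             -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName,
                  @{ n = 'Message'; e = { ($_.Message -split '\r?\n')[0] } } |
    Format-Table -AutoSize

# 2. Device writeback: msDS-Device objects written back from Azure AD.
#    The container is created by Initialize-ADSyncDeviceWriteback (STEP 2 above).
$DevicesContainer = "CN=RegisteredDevices,$DomainDN"
if (-not (Get-ADObject -Filter "distinguishedName -eq '$DevicesContainer'" -ErrorAction SilentlyContinue)) {
    Write-Warning "$DevicesContainer does not exist; run Initialize-ADSyncDeviceWriteback first."
} else {
    Get-ADObject -SearchBase $DevicesContainer -Filter 'objectClass -eq "msDS-Device"' `
                 -Properties displayName, 'msDS-DeviceID', 'msDS-IsEnabled', whenChanged |
        Select-Object displayName, 'msDS-DeviceID', 'msDS-IsEnabled', whenChanged |
        Format-Table -AutoSize
}
```

If no events and no device objects appear, the writeback has not happened yet: re-check the permissions from STEP 3 of the password writeback section and the synchronization options ticked in Azure AD Connect.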

To use conditional access, follow the link: Click here!

In my next post, I will cover the following Azure AD features:
  • Multi-factor Authentication (cloud and on-premises)
  • Other features like Group Writeback, Prevent accidental deletes, etc.
Happy Reading!!!

If you like my blogs, follow me for updates:

Join my Facebook group for updates on trending technologies, technical references, issues, etc.:
