Forum Discussion

JimWilson2000
Copper Contributor
Sep 02, 2021

Password changes in M365 Vs Azure

We have a convoluted system based on our structure. We use an LDAP system as our primary directory. That syncs with on prem AD which then syncs to Azure. This is all designed one way and is not back writable.

Sometimes, our students cannot access their Microsoft licensing and the helpdesk changes their password in M365 admin portal. This breaks our SSO because then their M365 password is not getting synced properly.

My main issue is wondering why the password is not getting changed back to what it should be when on prem AD syncs to Azure. M365 uses the Azure credentials, correct? If you have questions, let me know, I can add details if needed. This has been a very evolved process.

  •
    pvanberlo
    Steel Contributor

    JimWilson2000 If the password is changed in Azure AD, there is no record of this on the on-prem AD side. Records on-prem will not just be synced towards Azure AD, there's usually a delta sync that happens, which means nothing will be overwritten unless the record in on-prem AD is changed. Have you considered using password writeback? This way using Azure AD Connect, password changes in Azure AD will be written back into on-prem AD.

    •
      JimWilson2000
      Copper Contributor
      LDAP (Oracle) is our authoritative directory based on our ERP and history. It makes sense about the delta though, I had not considered that.
      •
        pvanberlo
        Steel Contributor
        Unless the settings were changed, the default Azure AD Connect uses would be a delta sync every 30 minutes, so this is likely the cause of your problems. How about just telling the helpdesk to actually not change the password there? 😉
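An added example for the checks discussed in the replies above (this is editor-supplied code, not something posted in the thread or shipped by Microsoft as-is). One caveat worth stating plainly: the 30-minute delta cycle exports object attribute changes, while password hashes move on their own 2-minute password-sync cycle, and a hash is only sent when the password actually changed in on-prem AD. So a reset done in the M365 admin portal stays in effect until that user's AD password changes again or a full password hash sync is forced. The script below runs on the Azure AD Connect server, uses only cmdlets from the ADSync module, and assumes a single AD connector and the default Azure AD connector naming the wizard creates; the function name `Invoke-ForceFullPasswordSync` and the `$adConnector`/`$aadConnector` variables are this example's own.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session
# on the Azure AD Connect server. Assumes one AD connector and the default
# Azure AD connector SubType created by the Azure AD Connect wizard.
Import-Module ADSync

# 1. Scheduler state. The delta cycle below governs object changes; password
#    hashes are pushed by a separate 2-minute cycle, and only on change.
$sched = Get-ADSyncScheduler
"SyncCycleEnabled      : $($sched.SyncCycleEnabled)"
"Effective interval    : $($sched.CurrentlyEffectiveSyncCycleInterval)"
"Next cycle start (UTC): $($sched.NextSyncCycleStartTimeInUTC)"

# 2. Locate the on-prem AD connector and the Azure AD connector.
$adConnector  = Get-ADSyncConnector | Where-Object { $_.ConnectorTypeName -eq 'AD' }
$aadConnector = Get-ADSyncConnector |
    Where-Object { $_.SubType -eq 'Windows Azure Active Directory (Microsoft)' }

# 3. Is password hash sync enabled from on-prem AD to Azure AD?
Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector.Name

# 4. Tenant features, including whether password writeback is on. With
#    writeback off, a reset in the M365 admin portal never reaches on-prem AD
#    (let alone the upstream LDAP source), so the two passwords diverge until
#    the AD password changes again.
Get-ADSyncAADCompanyFeature

# 5. Remediation for one account: reset the password at the authoritative
#    source so the change flows LDAP -> AD; the new AD hash is picked up on
#    the next password-sync cycle and replaces the helpdesk's cloud-side value.

# 6. Remediation for many accounts: force a full password hash sync, which
#    re-pushes every synced user's current AD hash. This mirrors Microsoft's
#    documented troubleshooting procedure for password hash sync; the wrapper
#    function is this example's own and is guarded by -WhatIf/-Confirm.
function Invoke-ForceFullPasswordSync {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string] $SourceConnectorName,
        [Parameter(Mandatory)] [string] $TargetConnectorName
    )

    if (-not $PSCmdlet.ShouldProcess($SourceConnectorName, 'Force full password hash sync')) {
        return
    }

    # Flag the AD connector so the next password-sync run sends all hashes.
    $param = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter `
        'Microsoft.Synchronize.ForceFullPasswordSync', String, ConnectorGlobal, $null, $null, $null
    $param.Value = 1

    $connector = Get-ADSyncConnector -Name $SourceConnectorName
    $connector.GlobalParameters.Remove($param.Name) | Out-Null
    $connector.GlobalParameters.Add($param)
    $connector = Add-ADSyncConnector -Connector $connector

    # Toggling password sync off and on triggers the full resync.
    Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $SourceConnectorName `
        -TargetConnector $TargetConnectorName -Enable $false
    Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $SourceConnectorName `
        -TargetConnector $TargetConnectorName -Enable $true
}

# Dry run first; drop -WhatIf to actually trigger the resync.
Invoke-ForceFullPasswordSync -SourceConnectorName $adConnector.Name `
    -TargetConnectorName $aadConnector.Name -WhatIf
```

Step 6 is a heavy operation on a large tenant (every synced hash is re-sent), so on a one-way LDAP -> AD -> Azure AD design like the one in the original post, the per-account fix in step 5, plus stopping cloud-side resets, is usually the better day-to-day answer.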
