Self Service Password Reset with on-premises writeback in Microsoft 365 Business

Earlier this year we announced support for on-premises Active Directory in Microsoft 365 Business. To support identities mastered in on-premises Active Directory, we are excited to announce Self-Service Password Reset with on-premises writeback capability in Microsoft 365 Business.


Self Service Password Reset (SSPR) is a feature already included in Microsoft 365 Business that allows users to change their password in the cloud. Password writeback is a complementary feature that enables those password changes to be written back to an existing on-premises directory in real time. This simplifies password operations and helps ensure consistent application of password policies.


Here are the steps to roll out Self Service Password Reset with writeback for Microsoft 365 Business customers:


  1. Develop an SSPR rollout strategy: To ensure a smooth rollout of the Azure Active Directory (Azure AD) self-service password reset (SSPR) functionality, it is often helpful to develop a rollout strategy that involves educating users and piloting it with a small subset of users. Learn more in this how-to guide.

  2. Pre-populate authentication data: In order to reset their passwords, users need to provide some form of authentication (phone or email) first. You should consider pre-populating some authentication data for your users. That way users don't need to manually register for password reset before they are able to use SSPR. Some organizations have their users enter their authentication data themselves, but many organizations prefer to synchronize with data that already exists in Active Directory. Learn more about pre-registering authentication data.

  3. Configure password writeback: Once you’ve completed the above steps, you can configure SSPR by enabling ‘Password Writeback’ in Azure Active Directory Connect as described in this article.



We would love to get more feedback on how we can make enabling SSPR easier for SMB organizations and enhance Azure AD capabilities in Microsoft 365 Business. For more information on features supported in Microsoft 365 Business, please visit the Microsoft 365 Business Service Description at aka.ms/m365bsd


Super Contributor

Last time I read about password writeback it required Azure AD Premium. Maybe M365 Business already includes that? If not, it is useful to mention additional costs.


Hi Oleg,


M365B does not include AAD P1, but the SSPR writeback functionality is now natively part of M365B, so there are no additional costs to enable SSPR writeback in M365B.

Regular Visitor

Hi, would this work in O365 A1 licenses also, or would it need AAD P1 to work with O365 A1?


This is great news and we have been waiting for this! Is this feature already enabled for all MS 365 Business subscriptions? I can confirm we all have licenses, I have enabled password writeback in Azure AD Connect, even verified the proper permissions on the AD sync account, but the portal still claims it is not enabled. Do you have any guidance?



Occasional Visitor
I also get the same issue as Skip Mercier. My company is on Office 365 Business Premium. Support is unaware of the extending of SSPR to Office 365 Business Plans. Not sure if this feature is rolled out to all tenants and all datacentres. According to Ashanka: "no additional costs to enable SSPR writeback in M365B". Support insists on Azure AD Premium Licenses. But this is additional costs.

@mildude, it is not available with Office 365 Business Premium, but with Microsoft 365 Business, which is a more comprehensive bundle.


@Ashanka Iddya, This is welcome news to us fans of the M365B subscription--this helps to complete the hybrid support which was announced last year. However, with regard to Azure AD Premium P1 features--I am not alone in believing that Conditional Access must also be part of this subscription. For example, it is possible to set up device and application management policies but there is no way to enforce them using Conditional Access. So I can create policies but nobody knows about them unless they enroll with the Intune app. Silly. I'm sure you have heard it before, but just thought I'd send another nudge out there. Thank you again for this announcement!

Occasional Visitor

I agree with VanVFields - including SSPR with WriteBack is really good, but the most troublesome part for us getting volumes of MS365B is that Conditional Access is missing. Even if it comes with a minor price-adjustment it is really a showstopper today.