Self Service Password Reset with on-premises writeback in Microsoft 365 Business
Published Jan 09 2019 12:00 PM
Microsoft

Earlier this year we announced support for on-premises Active Directory in Microsoft 365 Business. To support identities mastered in Active Directory, we are excited to announce Self-Service Password Reset with on-premises writeback capability in Microsoft 365 Business.

Self Service Password Reset (SSPR) is a feature already included in Microsoft 365 Business that allows users to change their password in the cloud. Password writeback is a complementary feature that enables those password changes to be written back to an existing on-premises directory in real time. This simplifies password operations and helps ensure consistent application of password policies.

 

Here are the steps to roll out Self Service Password Reset with writeback for Microsoft 365 Business customers:

  1. Develop an SSPR rollout strategy: To ensure a smooth rollout of the Azure Active Directory (Azure AD) self-service password reset (SSPR) functionality, it is often helpful to develop a rollout strategy that involves educating users and piloting it with a small subset of users. Learn more in this how-to guide.

  2. Pre-populate authentication data: In order to reset their passwords, users first need to provide some form of authentication (phone or email). You should consider pre-populating some authentication data for your users, so that they don't need to manually register for password reset before they are able to use SSPR. Some organizations have their users enter their authentication data themselves, but many prefer to synchronize data that already exists in Active Directory. Learn more about pre-registering authentication data.

  3. Configure password writeback: Once you've completed the above steps, you can configure SSPR by enabling 'Password Writeback' in Azure Active Directory Connect, as described in this article.

[Image: enablepasswordwriteback.png]

We would love to get more feedback on how we can make enabling SSPR easier for SMB organizations and enhance Azure AD capabilities in Microsoft 365 Business. For more information on features supported in Microsoft 365 Business, please visit the Microsoft 365 Business Service Description at aka.ms/m365bsd.

22 Comments
Silver Contributor

Last time I read about password writeback it required Azure AD Premium. Maybe M365 Business already includes that? If not, it is useful to mention additional costs.

Microsoft

Hi Oleg,

M365B does not include AAD P1, but the SSPR writeback functionality is now natively part of M365B, so there are no additional costs to enable SSPR writeback in M365B.

Copper Contributor

Hi, would this work in O365 A1 licenses also, or would it need AAD P1 to work with O365 A1?

Copper Contributor

This is great news and we have been waiting for this! Is this feature already enabled for all MS 365 Business subscriptions? I can confirm we all have licenses, I have enabled password writeback in Azure AD Connect, even verified the proper permissions on the AD sync account, but the portal still claims it is not enabled. Do you have any guidance?

[Image: Annotation 2019-01-11 004002.jpg]

Copper Contributor
I also get the same issue as Skip Mercier. My company is on Office 365 Business Premium. Support is unaware of the extending of SSPR to Office 365 Business Plans. Not sure if this feature is rolled out to all tenants and all datacentres. According to Ashanka: "no additional costs to enable SSPR writeback in M365B". Support insists on Azure AD Premium Licenses. But this is additional costs.

@mildude, it is not available with Office 365 Business premium, but Microsoft 365 Business, which is a more comprehensive bundle

@Ashanka Iddya, This is welcome news to us fans of the M365B subscription--this helps to complete the hybrid support which was announced last year. However, with regard to Azure AD Premium P1 features--I am not alone in believing that Conditional Access must also be part of this subscription. For example, it is possible to set up device and application management policies but there is no way to enforce them using Conditional Access. So I can create policies but nobody knows about them unless they enroll with the Intune app. Silly. I'm sure you have heard it before, but just thought I'd send another nudge out there. Thank you again, for this announcement!

Copper Contributor

I agree with VanVFields - including SSPR with WriteBack is really good, but the most troublesome part for us getting volumes of MS365B is that Conditional Access is missing. Even if it comes with a minor price-adjustment it is really a showstopper today.

Copper Contributor

We have deployed over 100 PCs with Windows 10 and Microsoft 365 Business licences, and we cannot enable password writeback.

MS support tells us that this functionality needs an Azure AD P1.

Could someone explain to me what I am missing?

Thanks!

Copper Contributor

Have you enabled all settings both in the cloud and on-premises? See this article:

https://www.itpromentor.com/sspr-m365b/

Silver Contributor

I wonder what about Office 365 E3. A year or so ago I read that it needs Azure AD P1 for writeback and never looked into this again. Maybe Office plans have more limited Azure AD functionality.

Copper Contributor

That is correct. Office 365 E3 does not have SSPR for hybrid accounts. This was only available in Azure AD Premium until very recently, when it was released into Microsoft 365 Business. M365B has always been a strange beast—more than the Azure AD that is included with Office 365, but it is also not quite the full AAD P1 either. It stands alone as something unique and in between. Azure AD Plus, maybe. Personally, I don’t understand why they didn’t just make this subscription a couple more dollars and include the full EMS E3 SKU with AAD P1, especially for Conditional Access. If I had to pick any of the P1 features, I would prioritize that one alone. On-prem/hybrid is going to be dead in another year or two anyway in the small business, so who cares about pw write back? Join your PCs to Azure AD, and go cloud-only accounts. On-prem can fade into legacy—there to support an app maybe, like QuickBooks, and nothing more.

Silver Contributor

Well, it depends. I'm all for an agile cloud infrastructure and modern apps, but some companies are too entrenched and slow to evolve. Nice blog, btw. Will have to read more articles ;)

Copper Contributor

@AlexFields Yes, I followed the instructions, but at the end the portal still claims that I cannot enable on-premises write back.

Same issue as @Skip Mercier.

Copper Contributor

Yeah, that doesn’t sound right. You get an error in the online portal, not from the AAD Connect tool? Did you do a search on that error? And MS support is still not aware that this feature is indeed supported in the subscription, huh? No surprise there, I suppose. Point them to this article if you still have that ticket open. You should be able to get it working. All of my tenants have AAD P1, since I push CA so much... so I can’t test it. But it will be interesting to hear what you find!

Copper Contributor

@Emmanuel705 Something is definitely broken on MS side. I suspect it has something to do with the way M365 has partial AAD P1. However, I contacted support and we got it working by signing up for a trial of AAD P1, assigning the licenses, enabling writeback in portal, unassigning the licenses, and confirming it stays enabled.

Microsoft

@Emmanuel705 Could you send me your support case number? We'll look into this. Yes, you are entitled to SSPR with M365B. We'd like to investigate and see where things are not working. You don't need AAD P1 to enable SSPR for Microsoft 365 Business subscribers. It is natively in the service.

@Emmanuel705 @AlexFields @Skip Mercier @Ashanka Iddya @wroot

I have tested and confirmed that password writeback works in Microsoft 365 Business. Please follow the configuration guidance up to the last step titled "Enable password writeback option in SSPR". I found that we have a user interface bug on this configuration page that greys it out; however, it is actually enabled if everything else is done. Once we fix the UI bug, you'll be able to disable password writeback from this page.

Here is a short checklist for enabling SSPR with password writeback in M365B:

• Azure AD Connect 1.2.70.0 installed and configured for password hash sync
• Password Writeback enabled on the 'Optional features' screen in Azure AD Connect
• Self Service Password Reset enabled for users in Azure AD
• AD Permissions added for the Azure AD Connect Sync account (MSOL_xxxxxxxxxxxx)

Setup guidance:

1. https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-writeback#configur...

2. https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-writeback

3. https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-writeback (Disregard the "Enable password writeback option in SSPR" step if using M365 Business)

4. https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-sspr-windows (Optional)

Hope this helps!

David Bjurman-Birr
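The on-premises items of this checklist (and step 3 of the post) can be verified from the Azure AD Connect server before a reset is attempted in the portal. The following PowerShell is an added example, not code from the post or from Microsoft; it assumes an elevated session on the Azure AD Connect server with the ADSync and ActiveDirectory modules available, a sync account following the MSOL_ naming pattern, and that the writeback configuration object exposes an Enabled property (an assumption about that cmdlet's output).

```powershell
# Added example (not from the post): audit the on-premises side of the SSPR writeback
# checklist on the Azure AD Connect server. Assumes the ADSync and ActiveDirectory
# modules are present and the sync account name matches the MSOL_ pattern.
Import-Module ADSync
Import-Module ActiveDirectory

function Get-ExtendedRightGuid([string]$DisplayName) {
    # Resolve an extended right (e.g. "Reset Password") to its rightsGuid, instead of hardcoding GUIDs
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$cfg" -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$obj.rightsGuid
}

function Get-AttributeGuid([string]$LdapName) {
    # Resolve an attribute (e.g. pwdLastSet) to its schemaIDGUID from the schema partition
    $schema = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schema -LDAPFilter "(lDAPDisplayName=$LdapName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}

function Test-AceGranted($Aces, [System.DirectoryServices.ActiveDirectoryRights]$Right, [guid]$ObjectType) {
    # True if an Allow ACE for the account carries the right on this object type (or on all object types)
    [bool]($Aces | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights.HasFlag($Right) -and
        ($_.ObjectType -eq $ObjectType -or $_.ObjectType -eq [guid]::Empty)
    })
}

$result = [ordered]@{}
# 1. Password hash sync must be configured on the tenant features
$result.PasswordHashSync = (Get-ADSyncAADCompanyFeature).PasswordHashSync
# 2. Password writeback enabled on the Azure AD connector ('Optional features' screen)
$aadConnector = Get-ADSyncConnector | Where-Object ConnectorTypeName -eq 'Extensible2'
$result.PasswordWriteback = (Get-ADSyncAADPasswordResetConfiguration -Connector $aadConnector.Name).Enabled

# 3. Permissions for the MSOL_ sync account on the domain root: Reset Password,
#    Unexpire Password, and write access to lockoutTime and pwdLastSet
$domainDN = (Get-ADDomain).DistinguishedName
$aces = (Get-Acl "AD:\$domainDN").Access | Where-Object { $_.IdentityReference -like '*\MSOL_*' }
$ext  = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$wp   = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$result.ResetPassword    = Test-AceGranted $aces $ext (Get-ExtendedRightGuid 'Reset Password')
$result.UnexpirePassword = Test-AceGranted $aces $ext (Get-ExtendedRightGuid 'Unexpire Password')
$result.WriteLockoutTime = Test-AceGranted $aces $wp  (Get-AttributeGuid 'lockoutTime')
$result.WritePwdLastSet  = Test-AceGranted $aces $wp  (Get-AttributeGuid 'pwdLastSet')

[pscustomobject]$result   # every property should be True; a False row names the checklist item to fix
```

Any False row points at the checklist item still missing on the server; the cloud-side item (SSPR enabled for users in Azure AD) is checked in the Azure AD portal, not by this script.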

Copper Contributor

@Ashanka Iddya Here is the SR number: 119031123001970

For information, as @Skip Mercier recommended, I subscribed to an Azure AD P2 trial, and the "enabled premise integration" is now available.

It seems to confirm what @David Bjurman-Birr said about a UI bug in the portal.

I am doing some tests and will come back with news.

Copper Contributor

@Ashanka Iddya @David Bjurman-Birr The password write back works now. I just hope that when the Azure AD P2 trial expires, this will continue to work.

Copper Contributor

Hello @Emmanuel705, is it still working after the Azure AD P2 trial expired? I have issues setting up password write back. Thank you in advance!

Copper Contributor

Hello @areku95,

Yes, on my side the Azure AD P2 trial expired and the password write back functionality is still working.

We have set up password write back on our Azure AD Connect on-premises side, set up the functionality on the Azure AD side, and it works fine.

We have a Microsoft 365 Business licence.

What is your issue?

Version history
Last update: Jan 09 2019 12:34 PM