SOLVED

Clarification on Password Writeback

%3CLINGO-SUB%20id%3D%22lingo-sub-2245623%22%20slang%3D%22en-US%22%3EClarification%20on%20Password%20Writeback%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2245623%22%20slang%3D%22en-US%22%3E%3CP%3EHI%2C%3CBR%20%2F%3E%3CBR%20%2F%3ESo%20I'm%20trying%20to%20get%20a%20better%20understanding%20of%20SSPR%20and%20Password%20Writeback%2C%20spceficically%20if%20there%20is%20any%20failover%20recommendations%20similar%20to%20running%20three%20agents%20for%20Pass-through%20Authentication.%3CBR%20%2F%3E%3CBR%20%2F%3EIt%20is%20my%20understanding%20that%20Password%20Writeback%20is%20ran%20as%20a%20service%20bus%20relay%20in%20the%20Azure%20AD%20tenant.%20Does%20this%20use%20WCF%20under%20the%20hood%20somehow%3F%20I%20wasn't%20able%20to%20find%20the%20%22PasswordResetService%22%20in%20my%20services%20window%20like%20I%20can%20the%20pass-through%20Authentication%20agent%20service.%3CBR%20%2F%3E%3CBR%20%2F%3EIf%20it%20uses%20WCF%2C%20how%20does%20that%20work%2C%20and%20how%20is%20reliability%20taken%20into%20consideration%3F%20Does%20the%20reset%20service%20run%20in%20the%20cloud%20somehow%2C%20and%20only%20the%20AD%20Sync%20service%20on%20the%20on-prem%20server%20get%20the%20messages%3F%20What%20happens%20if%20that%20on-prem%20server%20goes%20down%2C%20does%20password%20writeback%20still%20work%3F%3CBR%20%2F%3E%3CBR%20%2F%3EThank%20you!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2250660%22%20slang%3D%22en-US%22%3ERe%3A%20Clarification%20on%20Password%20Writeback%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2250660%22%20slang%3D%22en-US%22%3EHi%2C%3CBR%20%2F%3Efrom%20my%20perspective%2C%20the%20password%20will%20be%20changed%20in%20the%20Azure%20AD%20and%20this%20inform%20the%20Azure%20AD%20Connect%20service%20about%20the%20password%20change.%20The%20AAD%20connect%20inform%20the%20DC%20about%20the%20password%20change.%20When%20the%20AAD%20connect%20isn't%20available%2C%20the%20password%20cannot%20write%20back%20to%20the%20domain.%20The%20service%20needs%20AAD%20connect.%3C%2FLINGO-BODY%3E
New Contributor

HI,

So I'm trying to get a better understanding of SSPR and Password Writeback, spceficically if there is any failover recommendations similar to running three agents for Pass-through Authentication.

It is my understanding that Password Writeback is ran as a service bus relay in the Azure AD tenant. Does this use WCF under the hood somehow? I wasn't able to find the "PasswordResetService" in my services window like I can the pass-through Authentication agent service.

If it uses WCF, how does that work, and how is reliability taken into consideration? Does the reset service run in the cloud somehow, and only the AD Sync service on the on-prem server get the messages? What happens if that on-prem server goes down, does password writeback still work?

Thank you!

3 Replies
Hi,
from my perspective, the password will be changed in the Azure AD and this inform the Azure AD Connect service about the password change. The AAD connect inform the DC about the password change. When the AAD connect isn't available, the password cannot write back to the domain. The service needs AAD connect.
best response confirmed by cmeyer1285 (New Contributor)
Solution

Azure Active Directory (Azure AD) self-service password reset (SSPR) lets users reset their passwords in the cloud, Password writeback is a feature enabled with Azure AD Connect that allows password changes in the cloud to be written back to an existing on-premises directory in real-time.

 

Password Writeback will support below cloud authentication method-

1) Password Hash synchronization (PHS)
2) Password through Authentication (PTA)
3) ADFS

 

Seshadrr_0-1617369232720.png

 

Once the Password wite back feature is enabled, the sync engine calls the writeback library to perform the configuration (onboarding) by communicating to the cloud onboarding service. Any errors encountered during onboarding or while starting the Windows Communication Foundation (WCF) endpoint for password writeback results in errors in the event log, on your Azure AD Connect the machine

@SeshadrrThank you! That clarifies a lot for me. I understand now that the writeback service runs in the cloud as a WCF service. That was the main point of clarification I was looking for.