SOLVED

Password changes in M365 Vs Azure

%3CLINGO-SUB%20id%3D%22lingo-sub-2712064%22%20slang%3D%22en-US%22%3EPassword%20changes%20in%20M365%20Vs%20Azure%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2712064%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20have%20a%20convoluted%20system%20based%20on%20our%20structure.%20We%20use%20an%20LDAP%20system%20as%20our%20primary%20directory.%20That%20syncs%20with%20on%20prem%20AD%20which%20then%20syncs%20to%20Azure.%20This%20is%20all%20designed%20one%20way%20and%20is%20not%20back%20writable.%3C%2FP%3E%3CP%3ESometimes%2C%20our%20students%20cannot%20access%20their%20Microsoft%20licensing%20and%20the%20helpdesk%20changes%20their%20password%20in%20M365%20admin%20portal.%20This%20breaks%20our%20SSO%20because%20then%20their%20M365%20password%20is%20not%20getting%20synced%20properly.%3C%2FP%3E%3CP%3EMy%20main%20issue%20is%20wondering%20why%20the%20password%20is%20not%20getting%20changed%20back%20to%20what%20it%20should%20be%20when%20on%20prem%20AD%20syncs%20to%20Azure.%20M365%20uses%20the%20Azure%20credentials%2C%20correct%3F%20If%20you%20have%20questions%2C%20let%20me%20know%2C%20I%20can%20add%20details%20if%20needed.%20This%20has%20been%20a%20very%20evolved%20process.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2712064%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAD%20sync%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EAzure%20AD%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMicrosoft%20365%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2712137%22%20slang%3D%22en-US%22%3ERe%3A%20Password%20changes%20in%20M365%20Vs%20Azure%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2712137%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1144692%22%20target%3D%22_blank%22%3E%40JimWilson2000%3C%2FA%3E%26nbsp%3BIf%20the%20password%20is%20changed%20in%20Azure%20AD%2C%20there%20is%20no%20record%20of%20this%20on%20the%20on-prem%20AD%20side.%20Records%20on-prem%20will%20not%20just%20be%20synced%20towards%20Azure%20AD%2C%20there's%20usually%20a%20delta%20sync%20that%20happens%2C%20which%20means%20nothing%20will%20be%20overwritten%20unless%20the%20record%20in%20on-prem%20AD%20is%20changed.%20Have%20you%20considered%20using%20password%20writeback%3F%20This%20way%20using%20Azure%20AD%20Connect%2C%20password%20changes%20in%20Azure%20AD%20will%20be%20written%20back%20into%20on-prem%20AD.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2712171%22%20slang%3D%22en-US%22%3ERe%3A%20Password%20changes%20in%20M365%20Vs%20Azure%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2712171%22%20slang%3D%22en-US%22%3ELDAP%20(Oracle)%20is%20our%20authoritative%20directory%20based%20on%20our%20ERP%20and%20history.%20It%20makes%20sense%20about%20the%20delta%20though%2C%20I%20had%20not%20considered%20that.%3C%2FLINGO-BODY%3E
New Contributor

We have a convoluted system based on our structure. We use an LDAP system as our primary directory. That syncs with on prem AD which then syncs to Azure. This is all designed one way and is not back writable.

Sometimes, our students cannot access their Microsoft licensing and the helpdesk changes their password in M365 admin portal. This breaks our SSO because then their M365 password is not getting synced properly.

My main issue is wondering why the password is not getting changed back to what it should be when on prem AD syncs to Azure. M365 uses the Azure credentials, correct? If you have questions, let me know, I can add details if needed. This has been a very evolved process.

4 Replies
best response confirmed by JimWilson2000 (New Contributor)
Solution

@JimWilson2000 If the password is changed in Azure AD, there is no record of this on the on-prem AD side. Records on-prem will not just be synced towards Azure AD, there's usually a delta sync that happens, which means nothing will be overwritten unless the record in on-prem AD is changed. Have you considered using password writeback? This way using Azure AD Connect, password changes in Azure AD will be written back into on-prem AD.

LDAP (Oracle) is our authoritative directory based on our ERP and history. It makes sense about the delta though, I had not considered that.
Unless the settings were changed, the default Azure AD Connect uses would be to do a delta sync every 30 minutes, so this is likely the cause of your problems. How about just telling the helpdesk to actually not change the password there? ;)
That was the first thing I said!