cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Does Azure AD (AD Connect) "Password Write Back" require me to open an Port on my on-premise firewal

AUser ZUser
Copper Contributor

‎Sep 21 2017 07:12 AM

‎Sep 21 2017 07:12 AM

Does Azure AD (AD Connect) "Password Write Back" require me to open an Port on my on-premise firewal

Hello

if I have "Password Write Back" enabled do I need to open a Port on my on-premise firewall?

 

The reason I am asking is I assume the user could logon direclty to Azure using their synced account (the one synced from on-premise AD to Azure AD) and Reset their password (if password reset is enabled). If that is correct then the Password in Azure would be different than the one on-premise and if "write back" is enabled I assume Azure will 'initiate' a connection back to on-premise to sync the password back. Therefore an incomming packet requiring a incomming firewall rule to allow it.

 

Alternativly does AD Connect keep a constant TCP connection open between on-prem and the Azure so the password "write back" request can travel back over this existing TCP connection and therefore no additional firewall rules needs to be created?

 

Can someone please help me understand which of the above (if any are correct) and correct me/explain if neither is the case.

 

Thanks very much

__AAnotherUser

 

 

 

Labels:
9,866 Views
0 Likes
4 Replies
Reply
4 Replies
best response confirmed by AUser ZUser (Copper Contributor)

‎Oct 12 2017 01:09 PM

‎Oct 12 2017 01:09 PM

Solution

Re: Does Azure AD (AD Connect) "Password Write Back" require me to open an Port on my on-p

I think this is what you are looking for:

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-writeback

1 Like
Reply
AUser ZUser

‎Oct 13 2017 10:57 PM

‎Oct 13 2017 10:57 PM

Re: Does Azure AD (AD Connect) "Password Write Back" require me to open an Port on my on-p

Thanks Cody, that answered my question the artical contains the following text

 

Doesn’t require any inbound firewall rules - Password writeback uses an Azure Service Bus relay as an underlying communication channel, meaning that you do not have to open any inbound ports on your firewall for this feature to work.

 

Thanks again

 

0 Likes
Reply
NanthaKumar

‎Jan 16 2024 01:03 AM

‎Jan 16 2024 01:03 AM

Re: Does Azure AD (AD Connect) "Password Write Back" require me to open an Port on my on-p

@AUser ZUser do I need to open any outbound traffic for this function to work? I have a situation here, by default we block outbound internet for all servers, and we only open specific destinations. After setting up the password writeback in AD, we get an unknown error. To test, we open the onprem AD and Sync servers to the internet and we can reset the password from Azure. The question now is what is the destination that we need to allow for this service to work? We tested again by adding this URL to the allowed list, https://account.activedirectory.windowsazure.com/ but we keep getting "This password does not meet the length, complexity, age or history requirements of your corporate password policy." However the policy is correct, and we opened the server to the internet again we could use the same password and were able to change it successfully.  

0 Likes
Reply
sharmaharsh

‎Jan 16 2024 01:24 AM

‎Jan 16 2024 01:24 AM

Re: Does Azure AD (AD Connect) "Password Write Back" require me to open an Port on my on-p

Yes, if you're using Azure AD Connect with the "Password Write Back" feature, you will need to open specific ports on your on-premises firewall to allow the necessary communication between your on-premises Active Directory and Azure AD.

The Password Write Back feature allows password changes made in Azure AD to be written back to your on-premises Active Directory. To enable this feature, you need to allow traffic over port 443 (HTTPS) from your Azure AD Connect server to the following endpoints:

passwordreset.microsoftonline.com
ctldl.windowsupdate.com
login.microsoftonline.com
secure.aadcdn.microsoftonline-p.com
Ensure that your firewall rules permit outbound traffic over port 443 to these endpoints. This is essential for the communication required for the Password Write Back functionality to work securely.

Always refer to the official Microsoft documentation or Azure AD Connect documentation for the most up-to-date information on network requirements and configuration.





0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by AUser ZUser (Copper Contributor)

‎Oct 12 2017 01:09 PM

‎Oct 12 2017 01:09 PM

Solution

Re: Does Azure AD (AD Connect) "Password Write Back" require me to open an Port on my on-p

I think this is what you are looking for:

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-writeback

View solution in original post

1 Like
Reply