Does Azure AD (AD Connect) "Password Write Back" require me to open an Port on my on-premise firewal

Copper Contributor


if I have "Password Write Back" enabled do I need to open a Port on my on-premise firewall?


The reason I am asking is I assume the user could logon direclty to Azure using their synced account (the one synced from on-premise AD to Azure AD) and Reset their password (if password reset is enabled). If that is correct then the Password in Azure would be different than the one on-premise and if "write back" is enabled I assume Azure will 'initiate' a connection back to on-premise to sync the password back. Therefore an incomming packet requiring a incomming firewall rule to allow it.


Alternativly does AD Connect keep a constant TCP connection open between on-prem and the Azure so the password "write back" request can travel back over this existing TCP connection and therefore no additional firewall rules needs to be created?


Can someone please help me understand which of the above (if any are correct) and correct me/explain if neither is the case.


Thanks very much





4 Replies
best response confirmed by AUser ZUser (Copper Contributor)

Thanks Cody, that answered my question the artical contains the following text


Doesn’t require any inbound firewall rules - Password writeback uses an Azure Service Bus relay as an underlying communication channel, meaning that you do not have to open any inbound ports on your firewall for this feature to work.


Thanks again


@AUser ZUser do I need to open any outbound traffic for this function to work? I have a situation here, by default we block outbound internet for all servers, and we only open specific destinations. After setting up the password writeback in AD, we get an unknown error. To test, we open the onprem AD and Sync servers to the internet and we can reset the password from Azure. The question now is what is the destination that we need to allow for this service to work? We tested again by adding this URL to the allowed list, but we keep getting "This password does not meet the length, complexity, age or history requirements of your corporate password policy." However the policy is correct, and we opened the server to the internet again we could use the same password and were able to change it successfully.  

Yes, if you're using Azure AD Connect with the "Password Write Back" feature, you will need to open specific ports on your on-premises firewall to allow the necessary communication between your on-premises Active Directory and Azure AD.

The Password Write Back feature allows password changes made in Azure AD to be written back to your on-premises Active Directory. To enable this feature, you need to allow traffic over port 443 (HTTPS) from your Azure AD Connect server to the following endpoints:
Ensure that your firewall rules permit outbound traffic over port 443 to these endpoints. This is essential for the communication required for the Password Write Back functionality to work securely.

Always refer to the official Microsoft documentation or Azure AD Connect documentation for the most up-to-date information on network requirements and configuration.

1 best response

Accepted Solutions
best response confirmed by AUser ZUser (Copper Contributor)