SOLVED

Does Azure AD (AD Connect) "Password Write Back" require me to open a port on my on-premise firewall?


Hello,

If I have "Password Write Back" enabled, do I need to open a port on my on-premise firewall?

The reason I am asking is I assume the user could log on directly to Azure using their synced account (the one synced from on-premise AD to Azure AD) and reset their password (if password reset is enabled). If that is correct then the password in Azure would be different than the one on-premise, and if "write back" is enabled I assume Azure will 'initiate' a connection back to on-premise to sync the password back. Therefore an incoming packet would require an incoming firewall rule to allow it.

Alternatively, does AD Connect keep a constant TCP connection open between on-prem and Azure so the password "write back" request can travel back over this existing TCP connection, and therefore no additional firewall rules need to be created?

Can someone please help me understand which of the above (if any) is correct, and correct me/explain if neither is the case.

Thanks very much

__AAnotherUser

2 Replies

I think this is what you are looking for:

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-writeback
best response confirmed by AUser ZUser (Occasional Contributor)

Thanks Cody, that answered my question. The article contains the following text:

Doesn’t require any inbound firewall rules - Password writeback uses an Azure Service Bus relay as an underlying communication channel, meaning that you do not have to open any inbound ports on your firewall for this feature to work.


Thanks again
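To confirm the "outbound-only" behaviour described in the quoted article on your own Azure AD Connect server, here is an added check script (not from the thread or from Microsoft). It assumes `$RelayHost` is a placeholder for your tenant's Service Bus relay endpoint, that the sync service is named `ADSync`, and that the port list (443 plus the 9350-9354 relay range) matches the outbound ports Microsoft documents for password writeback; verify both against the current documentation before relying on the output.

```powershell
# Added example: verify that password writeback needs only OUTBOUND connectivity.
# $RelayHost is a placeholder (the real namespace is tenant-specific and not in the thread).
$RelayHost     = 'YOUR-NAMESPACE.servicebus.windows.net'   # placeholder, replace
$OutboundPorts = 443, 9350, 9351, 9352, 9353, 9354          # assumed relay port set

# 1. Outbound reachability: on-prem must be able to reach the relay on these ports.
foreach ($p in $OutboundPorts) {
    $r = Test-NetConnection -ComputerName $RelayHost -Port $p -WarningAction SilentlyContinue
    '{0,-45} port {1,-5} reachable: {2}' -f $RelayHost, $p, $r.TcpTestSucceeded
}

# 2. Direction check: established sockets owned by the sync service (ADSync).
#    A writeback channel shows a LOCAL ephemeral port and a REMOTE port from the
#    list above, i.e. it was initiated from on-prem. The relay delivers the reset
#    request back over this already-open socket, so no inbound rule is needed.
$svc = Get-CimInstance Win32_Service -Filter "Name='ADSync'"
Get-NetTCPConnection -OwningProcess $svc.ProcessId -State Established |
    Where-Object { $OutboundPorts -contains $_.RemotePort } |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State

# 3. Negative check: no enabled INBOUND allow rule should exist for these ports,
#    because writeback never listens for connections from Azure.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and ($OutboundPorts -contains $_.LocalPort) }
```

If step 3 returns rules, they were created for some other reason and can be reviewed independently; writeback itself does not require them.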