Sep 21 2017 07:12 AM
Hello
if I have "Password Write Back" enabled, do I need to open a port on my on-premise firewall?
The reason I am asking is I assume the user could log on directly to Azure using their synced account (the one synced from on-premise AD to Azure AD) and reset their password (if password reset is enabled). If that is correct, then the password in Azure would be different from the one on-premise, and if "write back" is enabled I assume Azure will 'initiate' a connection back to on-premise to sync the password back. Therefore an incoming packet, requiring an incoming firewall rule to allow it.
Alternatively, does AD Connect keep a constant TCP connection open between on-prem and Azure so the password "write back" request can travel back over this existing TCP connection, and therefore no additional firewall rules need to be created?
Can someone please help me understand which of the above (if any) is correct, and correct me/explain if neither is the case.
Thanks very much
__AAnotherUser
Oct 12 2017 01:09 PM
Solution: I think this is what you are looking for:
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-writeback
Oct 13 2017 10:57 PM
Thanks Cody, that answered my question. The article contains the following text:
Doesn’t require any inbound firewall rules - Password writeback uses an Azure Service Bus relay as an underlying communication channel, meaning that you do not have to open any inbound ports on your firewall for this feature to work.
Thanks again
Jan 16 2024 01:03 AM
@AUser ZUser do I need to open any outbound traffic for this function to work? I have a situation here, by default we block outbound internet for all servers, and we only open specific destinations. After setting up the password writeback in AD, we get an unknown error. To test, we open the onprem AD and Sync servers to the internet and we can reset the password from Azure. The question now is what is the destination that we need to allow for this service to work? We tested again by adding this URL to the allowed list, https://account.activedirectory.windowsazure.com/ but we keep getting "This password does not meet the length, complexity, age or history requirements of your corporate password policy." However the policy is correct, and we opened the server to the internet again we could use the same password and were able to change it successfully.
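The post above describes an egress-filtered AD Connect server and asks which outbound destinations must be allow-listed. The following PowerShell script is an added example, not from the thread or from Microsoft, for verifying from the AD Connect server itself that outbound TCP 443 actually reaches each destination you decide to allow. Only the `account.activedirectory.windowsazure.com` host comes from the thread; the Service Bus relay hostname is a placeholder you must replace with the relay namespace used by your own deployment (the thread only states that writeback uses an Azure Service Bus relay, not its address).

```powershell
# Added example (not part of the thread): check outbound HTTPS reachability from the
# Azure AD Connect server to the endpoints on your egress allow-list.
# - 'account.activedirectory.windowsazure.com' is the host mentioned in the thread.
# - The servicebus.windows.net entry is a PLACEHOLDER; replace it with the relay
#   namespace your deployment actually uses.
param(
    [string[]]$Endpoints = @(
        'account.activedirectory.windowsazure.com',
        'REPLACE-WITH-YOUR-RELAY-NAMESPACE.servicebus.windows.net'
    ),
    [int]$Port = 443
)

# Test-NetConnection does a DNS lookup plus a TCP connect; both must succeed for
# the writeback channel to be usable on an egress-filtered host.
$results = foreach ($h in $Endpoints) {
    $r = Test-NetConnection -ComputerName $h -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Endpoint   = $h
        ResolvedIP = $r.RemoteAddress
        TcpOpen    = $r.TcpTestSucceeded
    }
}

$results | Format-Table -AutoSize

# A 'False' in TcpOpen means either DNS or the outbound firewall rule for that host is
# missing. Writeback then fails even though, as the accepted answer notes, no INBOUND
# rule is needed: the on-prem side initiates every connection to the relay.
if ($results.TcpOpen -contains $false) {
    Write-Warning "At least one endpoint is unreachable outbound on TCP $Port; review the egress allow-list."
    exit 1
}
```

Run it on the AD Connect server under an account allowed to use Test-NetConnection; a clean run (all TcpOpen = True) confirms the egress rules, and a failing host is the one to add to the allow-list before retesting the writeback.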