SOLVED

Does Azure AD (AD Connect) "Password Write Back" require me to open an Port on my on-premise firewal

AUser ZUser
Occasional Contributor

Hello

If I have "Password Write Back" enabled, do I need to open a port on my on-premise firewall?

The reason I am asking is I assume the user could log on directly to Azure using their synced account (the one synced from on-premise AD to Azure AD) and reset their password (if password reset is enabled). If that is correct then the password in Azure would be different than the one on-premise and, if "write back" is enabled, I assume Azure will 'initiate' a connection back to on-premise to sync the password back. Therefore it would be an incoming packet, requiring an incoming firewall rule to allow it.

Alternatively, does AD Connect keep a constant TCP connection open between on-prem and Azure so the password "write back" request can travel back over this existing TCP connection, and therefore no additional firewall rules need to be created?

Can someone please help me understand which of the above (if any) is correct, and correct me/explain if neither is the case.

Thanks very much

__AAnotherUser

2 Replies

Cody

I think this is what you are looking for:

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-writeback

AUser ZUser

Thanks Cody, that answered my question. The article contains the following text:

Doesn’t require any inbound firewall rules - Password writeback uses an Azure Service Bus relay as an underlying communication channel, meaning that you do not have to open any inbound ports on your firewall for this feature to work.

Thanks again
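
A small runnable model of the mechanism the quoted article describes, added here as an illustration and not taken from the thread or from Microsoft's implementation: the on-premises "agent" only ever connects outbound to a "relay", and the relay pushes the writeback request back over that already-open connection, so nothing on the on-prem side has to listen and no inbound firewall rule is involved. The message format, the localhost addresses, the OS-chosen port and the `handle_writeback` stand-in are all constructed for the demo and say nothing about the real Azure Service Bus relay protocol, its authentication or its encryption.

```python
"""Toy model of an outbound-only relay channel (constructed illustration).

'relay' stands in for the cloud-side rendezvous point and 'agent' for the
on-premises sync server.  The agent only ever connects OUT; the relay pushes
a writeback request back over that already-open TCP connection, so the
on-prem side never binds a listening port that an inbound firewall rule
would have to permit.  Message format, addresses and ports are made up for
the demo and say nothing about the real Azure Service Bus relay protocol.
"""
import json
import socket
import threading


def start_relay(host="127.0.0.1"):
    """Cloud-side listener.  Port 0 lets the OS pick a free port for the demo."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def relay_push(srv, request):
    """Accept the agent's outbound connection, push one JSON request down it,
    and return the agent's JSON reply."""
    conn, _ = srv.accept()
    with conn:
        conn.sendall(json.dumps(request).encode() + b"\n")
        with conn.makefile("r") as rx:
            return json.loads(rx.readline())


def agent_session(relay_port, handler, host="127.0.0.1"):
    """On-prem agent: dial OUT to the relay, wait for one pushed request,
    handle it locally and answer over the same connection.  Returns the
    request it received.  Note there is no bind()/listen() anywhere here."""
    with socket.create_connection((host, relay_port)) as s:
        with s.makefile("r") as rx:
            request = json.loads(rx.readline())
        s.sendall(json.dumps(handler(request)).encode() + b"\n")
    return request


def handle_writeback(request):
    """Stand-in for the local directory update (hypothetical handler);
    validates the request shape and touches no real directory."""
    if request.get("op") != "password_writeback" or not request.get("user"):
        return {"status": "rejected"}
    return {"status": "ok", "user": request["user"]}


def demo():
    """Run relay and agent in-process; return (request seen by agent, reply seen by relay)."""
    srv, port = start_relay()
    seen = {}
    agent = threading.Thread(
        target=lambda: seen.update(request=agent_session(port, handle_writeback)))
    agent.start()
    # Constructed request: the demo carries no credential material at all.
    reply = relay_push(srv, {"op": "password_writeback", "user": "alice@example.com"})
    agent.join()
    srv.close()
    return seen["request"], reply


if __name__ == "__main__":
    print(demo())
```

Running the module prints the request the agent received and the reply the relay got back. The point to notice is in `agent_session`: it uses only `create_connection`, never `bind` or `listen`, which is why the question's second hypothesis (an already-open connection from on-prem outward carrying the request back) needs no inbound rule, while the first hypothesis (the cloud opening a fresh connection into the on-prem network) would.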

 
