Tuesday 19 June 2018

Enabling Azure AD Self Service Password Reset/Writeback, and what happens when users exist in Office 365 before Active Directory is synced using AD Connect

I had to test a few scenario's as I was taking over a project centred around Office 365, the only twist was that user accounts had been provisioned in Office 365 before the production Active Directory was in place (and AD Connect).
I had to test what would happen when the following
  • User A existed in Office 365 but was then created in AD (with the same email address) and synced.

The outcome of this test is that User A is still retained in Office 365 with all the existing permissions and testing however their original Office 365 password is overwritten with the new password which is set on their user account in Active Directory. In short the on premise Active Directory becomes the point of authority for passwords which in turn overwrite any existing passwords in Office 365.
The next part I had to test was Azure AD Password Write back, this feature is useful for me on this project as users who were already using Office 365 would have to be provisioned with AD accounts. The plan was to create new user accounts (matches Office 365 email) for everyone with a generic password, when AD Connect was in place, they would then be asked to login to Office 365 using their new generic password. When they had authenticated to Office 365 they would be instructed to reset the generic password to be their own password. After the new password was accepted by Azure AD, it would in turn then we written back to AD, thus becoming the primary and only password for AD and Azure AD.
It should be noted that Azure AD Premium is need to support Azure AD Password Write back.
If you are doing this for the first time it's not obvious that you have to change the Default Domain Policy on the Active Directory to set the Minimum Password Age to 0, or you will get the following error.

The Default Domain Policy usually holds the global account policies for the Active Directory.
You must enable Self Service Password Reset from the Azure AD portal. 
You must also ensure password write-back is enabled from the same portal. 

The workflow for when users login after write-back has been enabled.
a.) User is issued new password (for Active Directory)
b.) Administrator forces AD Connect do a sync to Azure AD
c.) User is asked to login to Office 365
d.) User is asked to register self-service password reset questions
e.) User is logged in with Active Directory password
f.) User attempt's to reset Active Directory password from Office 365 portal
g.) Office 365 accepts the users new password and writes it back to Active Directory
h.) This password becomes the only password for Active Directory and Azure AD
i.) Event 31007 is logged in the Azure AD Connect server to confirm the write back operation.
In this example my domain was running on Windows Server 2008 R2, no permission changes had to be made to get password write-back working. I did however do exactly the same thing on a production environment all running Windows Server 2016 Domain Controllers, and it never worked, you can find the solution here.