Monday, August 17, 2015

Exploring Azure AD Connect - Part 3: Configuring User and Password Writeback with Azure AD Premium

Other posts in this series:

Exploring Azure AD Connect - Part 3: Azure AD Premium Features

Well, this series has taken a while to wrap up! What can I say? When it rains, it pours. So far, we have taken a look at setting up Azure AD Connect for synchronization in a Hybrid environment using Express Installation, and we followed that up with a look at setting up synchronization and SSO with AD FS, which of course was a bit more complicated. Now we move on to a couple of the advanced synchronization features that require Azure AD Premium licensing.

First, let's list out a few of the awesome features that can be achieved through Azure AD Premium licensing and Azure AD Connect:

  • Multi-factor Authentication
  • Self-Service Password Reset for users with Write-back to On-Prem AD
  • Password Write-back
  • User Write-back (Note: This feature was in Preview, but is not available as an option currently. I have been instructed by an Azure AD Product Manager to stay tuned for GA.)
  • Group Write-back is also possible, but does not require Azure AD Premium licensing. Groups are written back as Exchange Distribution Lists, and have other Exchange requirements
  • Device Write-back

As you can see, there are some very cool perks with using Azure AD Premium licensing. Check out this link for a more in-depth comparison of the feature sets between Azure AD licenses, and price comparison:

Getting Started - Azure AD Premium Trial

Obviously, you can go out and just purchase Premium licensing if you want to, but for the purposes of this tutorial, I was just testing and demonstrating, so I took advantage of the 30 day trial that was available.

To do this, you can log into your Admin Portal for Office 365, and then towards the bottom of the left-hand navigation menu, under the Admin menu item, click on Azure AD. This will open up the Azure AD portal. From here, you will click on the ACTIVE DIRECTORY tab on the left side of the screen, and then click on your AD instance name. In my case, this was "The MS UC Guy". You will now see the below screen, and as you can see, our Trial awaits with the TRY AZURE ACTIVE DIRECTORY PREMIUM NOW link button at the top of the screen. Click on it.

You will then be prompted to agree to the terms of the Azure AD Premium trial in the Activate Azure AD Premium trial box. Click the check mark button at the bottom-right of the box.

After accepting the terms, you are brought back to the main Active Directory screen, and you can see that your Premium trial is being activated.

Once your Premium licensing has been activated, it is time to go to your server that has been setup to run Azure AD Connect. Let's take a quick moment to look at what our On-Prem environment looks like.

On-Prem Lab Environment

My "On-Prem" environment is the same virtual environment in Rackspace's Public Cloud that I used in the previous posts in this series, minus a couple servers. All servers in this environment are running Windows Server 2012 R2, and are fully patched. All are joined to the Active Directory domain. The environment consists of:
  • 1 Active Directory Domain Controller
  • 1 small server for installing Azure AD Connect
  • 1 small client VM, joined to the on-prem Active Directory domain

Office 365 Environment

I am using the same Office 365 tenant that I used in my previous posts, using only Skype for Business Online Plan 2 licensing, and now the Azure AD Premium licensing. I cleaned up the environment by uninstalling Azure AD Connect completely from the on-prem server, deactivating synchronization in the Office 365 portal (this can take up to 72 hours to take effect), and then deleting all users that had synced from the on-prem Active Directory from the last post.

NOTE: You must also delete the users in the Deleted Users section of your Office 365 portal as well, because if you have any same-named users from a previous lab/demo, you can run into issues where password writeback won't work due to duplicate entries. You cannot purge the Deleted Users from the Office 365 Admin portal; instead, reference this article for how to connect remotely via Azure AD Powershell module, and purging those users:

Per the last post, the custom domain "" is already setup in the portal, with all necessary DNS records having been created. Lastly, before getting stared, I navigated to the Active Directory synchronization line at the top of the Active Users page in the Office 365 admin portal, and clicked the Manage link button. From there, I activated AD synchronization by click the Activate button, as seen below:

Configuring Azure AD Connect for User & Password Write-back

Alright, now it is time to get into how to configure Azure AD Connect on our on-prem server. The advanced features that we will be demonstrating are User Write-Back, and Password-Write-Back, because how cool is it that we can manage our users in the Cloud, and have the changes synced back to our on-prem AD?! Let's dig in:

  • Once you have downloaded the Azure AD Connect tool from Microsoft's Download Center, run the AzureADConnect.msi file. You will see the below Welcome screen. Check the box next to "I agree to the license terms and privacy notice.", and then click the big green Continue button. 
  • On the Express Settings screen, click the Customize button at the bottom.
  • On the Install required components screen, leave all the boxes un-checked (unless any of those specific Optional configurations apply to you for some reason), and click Install. You will then see the progress bar as the required components are installed. 
  • The User sign-in screen comes up and gives you three options. This time, we will leave the default option selected, Password Synchronization, and then click Next. 
  • The next screen is the Connect to Azure AD screen. Input credentials from your Office 365 subscription that have the Global Administrator role assigned (preference here is to use an account, and NOT a user with the same domain name that you are about to sync with), and click Next. You will see your Microsoft Online credentials be validated, and information from your Office 365 environment verified. 
  • Next, you will add your on-prem AD domain on the Connect your directories screen. You should already see the Forest field populated. Add your credentials, and then click the Add Directory button. The credentials get verified, and then you can see the directory added. Click Next
  • Leave the defaults selected on the Uniquely identifying your users screen, and click Next
  • On the Filter users and devices screen, you can either enter a Distinguished Name or name of a group in AD, and then click Resolve, or you can Synchronize all users and devices. We are leaving the defaults since this is just a demo environment, and clicking Next
  • The Optional Features screen is where we make our important selections for this post. As you can see, the Password sync box is selected and grayed out because of our earlier selections in the wizard. We will now check both the Password writeback and User writeback boxes (Note, as of the time of this post, User Writeback still shows as being in Preview). Click Next
  • Next we come to the Writeback screen, where we need to traverse the on-prem AD tree structure to select the target Organizational Unit (OU) for User Writeback. Here we have created a special OU for this: The Users OU underneath the Awesome OU, of course! Once you select the desired OU, click Next

  • Finally, we have the Ready to configure screen. This gives us a chance to review our previous selections. We are going to leave the Start the synchronization process as soon as the configuration completes box checked, and click Install. 
  • After clicking Install, we see the wizard make several configuration changes before finally showing us the below Configuration complete screen. Click Exit. 

Now, if I had been thinking, I would have had users created in the first place, so that we could see that the initial synchronization replicated those users to Office 365. However, I didn't do that, so I went ahead and created Josh, Jack, and Jill in our Awesome -> Users OU: 

Now, back on our Azure AD Connect server, I click on the Start menu, and find the Azure AD Connect Synchronization Service, and click on it:

Now we see the below tool:

We are going to click on the Actions menu, and then select Run from the drop-down menu:

A pop-up box opens up, and we need to select Full Synchronization. Then click OK.

After this synchronization runs, we should be able to see it's successful status in the Service tool that is open. Go ahead and close this tool now, and let's go back to the Active Users screen in our Office 365 Admin portal. Voila! Look at those users!

User Writeback

(Note: This feature was in Preview, but is not available as an option currently. I have been instructed by an Azure AD Product Manager to stay tuned for GA.)

Ok, so, now that our users have synced from our on-prem AD to Azure AD, let's flip that switch. We create a new user called "Cloud Man", and as you can see below, his Status shows as "In Cloud".

NOTE: when going through the user creation wizard in Office 365, I selected the Azure AD Premium license. Without this, the user would not be able to sync back to the on-prem AD. Alright, time to go check out our on-prem AD and see if this user replicated. If you do not see them in AD yet, you may have to wait for a while before the next synchronization pass. However, after waiting a while, I was able to see Cloud Man in the proper OU (as defined in the wizard earlier. User Writeback is a success! 

Password Writeback

Alright, back in our Office 365 Admin portal, we now need to go to one of the users that we synced from our local Active Directory, check the box to the left of their name, and then click the Edit button under the Assigned license section on the right.

In the Assign license overlay, select the user's country from the drop-down list, check the box beside the desired license (in this case we want Azure Active Directory Premium for Password Writeback functionality), and then click Save

Now, with Jack's user object still selected, click on the Reset Password link button in the user actions on the right side of the screen. 

The resulting overlay allows us to specify an email address that the password will be sent to, and we can also choose to require the user to reset their password at next logon. We have left  this unchecked for this demo. Click Reset.

Once the reset finishes, you should see this reported back as a success, and you will be given the password. Make note of this password, so that we can try logging in with Jack on our test client VM. Click Close

Now, to prepare our client VM, we needed to allow Jack to logon to the server by adding him to the Remote Desktop Users group on the server, but this is not  necessary if you are logging onto a client OS in your AD environment, rather than a VM with a server OS.

Lo and behold, once I logged in with a new password, I was actually prompted to change my password (the one issued from Azure AD was a temporary password since it was done by the administrator, and not by the user themselves via Self-Service Password Reset). Amazing!

In Summary....

In summary, Azure AD Premium licensing is freakin' awesome! The new feature set that opens up to Office 365 hybrid users is incredible, and I have just scratched the surface (barely!). Don't take my word for it, though. Dig in, and open up a new world of hybrid goodness to your organization!

Stay techy, my friends!


  1. Can you please confirm user writeback function is still available as of 21/9/2015? On my side with the lastest AD connect the group writeback is there but user writeback is not even on the options.

    Some certified microsoft engineer also say it is not supported now. Please confirm

    1. While I cannot find any official announcement from Microsoft on this, it would seem that User Writeback did not survive past Preview, at least for now. Even their How-To doesn't reflect this option anymore: Too bad. We'll have to keep an eye out for it as a possible future release. Thanks for calling this out!

  2. Ok, got an answer from Nasos Kladakis (@Akladakis) on Twitter: He is apparently an Azure AD Product Manager at Microsoft, so I would assume this is good info. Looks like User WriteBack WAS in Preview, but is no longer, and should be GA sometime in the future. Interesting.

  3. Here is the statement.

  4. Rogier, thank you so much for that follow-up! So glad to see that they finally put something official out there to answer people's questions. Only about 6 months later, right?! Thanks again.

  5. hello fellow josh,

    i am curious, with user write back (whenever it becomes available) can i edit/remove users that are mastered from on premise AD? or can i only edit the users added to AAD then written back to on prem AD?
    or would i assume that the same dirsync edit user model is still used?


    1. Since you’re going to be stuck with the expense of a mortgage for a few years to come, it’s important to make sure that you choose someone who’s going to help you get the right deal for you.

  6. Ah, always a pleasure to have another Josh drop in for a comment! Unfortunately, I am not really able to answer your question with much certainty. Once the Preview feature was removed, so was any documentation that alluded to it. With that being the case, and given the nature of how they had to pull this feature from preview to revisit some aspects, it is really a big question mark as to what it will look like when it finally comes to market. If I had to guess, I would imagine that there will be certain attributes of the on-prem-created user that would be able to be managed in AAD, but full control over all aspects (deletion, etc.) would likely have to be initiated on-prem. Again, this is just a guess. We kind of just have to wait to see what Microsoft gives us when they finally release the feature again. Thanks for reading, and for your comment!

  7. nice information well done your information is helping alot thanks for valuable windows azure training in hyderabad

  8. Thanks, Nasreen! Very kind of you to say!

  9. hi team,

    password write back will work without Azure AD premium subscription?


  10. Josh,

    Thanks for the write up. Do you have source of AZURE AD Connect version which has user writeback option.

    I need to fetch all users from AZURE AD to newly created on-premise AD Server


  11. This is most informative and also this post most user friendly and super navigation to all posts... Thank you so much for giving this information to me.

    rpa training in chennai
    rpa training in bangalore
    rpa course in bangalore
    best rpa training in bangalore
    rpa online training

  12. This is a nice post in an interesting line of content.Thanks for sharing this article, great way of bring this topic to discussion.
    python course institute in bangalore
    python Course in bangalore
    python training institute in bangalore

  13. This is beyond doubt a blog significant to follow. You’ve dig up a great deal to say about this topic, and so much awareness. I believe that you recognize how to construct people pay attention to what you have to pronounce, particularly with a concern that’s so vital. I am pleased to suggest this blog.
    Data Science Training in Indira nagar
    Data Science training in marathahalli
    Data Science Interview questions and answers
    Data Science training in btm layout | Data Science Training in Bangalore
    Data Science Training in BTM Layout | Data Science training in Bangalore
    Data science training in kalyan nagar

  14. Nice tutorial. Thanks for sharing the valuable information. it’s really helpful. Who want to learn this blog most helpful. Keep sharing on updated tutorials…
    Devops Training courses
    Devops Training in Bangalore
    Best Devops Training in pune
    Devops interview questions and answers

  15. Greetings. I know this is somewhat off-topic, but I was wondering if you knew where I could get a captcha plugin for my comment form? I’m using the same blog platform like yours, and I’m having difficulty finding one? Thanks a lot.

    Advanced AWS Online Training | Advanced Online AWS Certification Course - Gangboard
    Best AWS Training in Chennai | Amazon Web Services Training Institute in Chennai Velachery, Tambaram, OMR
    Advanced AWS Training in Bangalore |Best AWS Training Institute in Bangalore BTMLA ,Marathahalli

  16. Really good information. your information is content with image is really clear to observation..
    Advanced java Training in Bangalore
    UI design Training in Bangalore

  17. Your good knowledge and kindness in playing with all the pieces were very useful. I don’t know what I would have done if I had not encountered such a step like this.
    Devops Training in Chennai | Devops Training Institute in Chennai

  18. Get the best Hadoop Training in Bangalore from Industry experts and get 100% placement assistance and career guidance. Make use of it and enroll now to get Best Hadoop Course in Bangalore

  19. Failure is not an option, starting out on the right path is. A vast majority of business failures are a result of not knowing the simple steps you can take to steer clear of inevitable obstacles we all face as like it Don't start your journey in the wrong direction. Follow these simple steps towards SUCCESS!

  20. This put up is totaly unrelated to what I used to be looking google for, however Abu Dhabi Certified Pest Control was indexed on the first page. I guess your doing something right if Google likes you adequate to place you at the first page of a non related search.

  21. With the world increasingly becoming a "Global Village," communication has literally as well as figuratively changed the very contours of how businesses operate as well as function. Any business either a small, medium or a large enterprise would need an answering service that is reliable, responsive as well as one where the companies could be rest assured of the services. A Small Business Phone Service would be the answer to most of the outstanding problems as well as issues that companies would have about communicating with both their clients as well as their customers. As these phones could be accessed anywhere, they become all the more priceless for small and medium businesses as they would need the facilities of these phones to flourish their businesses and generate both their revenues and their reputation in the market. vladimir vrbaski republika

  22. I got what you Apps , regards for posting .Woh I am pleased to find this website through google.

  23. Youre so cool! I dont suppose Ive read anything like that before. So nice to seek out somebody with nox game guardian original applying for grants this subject. realy we appreciate you beginning this up. this excellent website is one area that is needed on-line, a person with a little originality. useful purpose of bringing a new challenge towards web!

  24. Hello! I just wanted to ask if you ever have any issues with hackers? My last blog (wordpress) was hacked and I ended up losing many months of hard work due to no backup. Do you have any solutions to protect against hackers? Bubble Shooter Unblocked

  25. There is no solid direction with regards to choosing the correct logo plan, it truly relies upon what you need your logo to state to your intended interest group and how you expect to utilize it. logo design service

  26. I visit your web page. It is really useful and easy to understand. Hope everyone get benefit. Thanks for sharing your Knowledge and experience with us.
    McAfee Activate - Follow the steps for uninstalling, downloading, installing and activating McAfee antivirus. Visit us, enter the 25-digit activation code, click submit. |

  27. I visit your web page. It is really useful and easy to understand. Hope everyone get benefit. Thanks for sharing your Knowledge and experience with us.
    McAfee Activate - Follow the steps for uninstalling, downloading, installing and activating McAfee antivirus. Visit us, enter the 25-digit activation code, click submit. |

  28. Hard to ignore such an amazing article like this. You really amazed me with your writing talent. Thank for you shared again.
    Norton setup - Get started with Norton by downloading the setup and installing it on the device. Enter the unique 25-character alphanumeric product key for activation. Check your subscription | |

  29. This article discusses who is to blame for the large amount of home improvement complaints received year after year by local consumer agencies. This article offers a unique solution to avoid having you home improvement project experience become something you would like to forget. Investment Banking Job Description

  30. Really great article, Glad to read the article. It is very informative for us. Thanks for posting.Norton™ provides industry-leading antivirus and security software for your PC, Mac, and mobile devices Visit @: -
    | |

  31. With the world increasingly becoming a "Global Village," communication has literally as well as figuratively changed the very contours of how businesses operate as well as function. Any business either a small, medium or a large enterprise would need an answering service that is reliable, responsive as well as one where the companies could be rest assured of the services. A Small Business Phone Service would be the answer to most of the outstanding problems as well as issues that companies would have about communicating with both their clients as well as their customers. As these phones could be accessed anywhere, they become all the more priceless for small and medium businesses as they would need the facilities of these phones to flourish their businesses and generate both their revenues and their reputation in the market. Contact cash app

  32. I am very happy after reading this fantastic blog, I appereciate your work. |

  33. Auto title loans can be a quick and simple solution for some situations when you need cash quickly, especially if you have credit issues which leaves few other quick cash options available for you. However, before you decide to risk your car using auto title loans, read these tips first. You can avoid some potentially very costly mistakes if you know what to watch out for. payday loans tulsa

  34. Hi,
    Good job & thank you very much for the new information, i learned something new. Very well written. It was sooo good to read and usefull to improve knowledge. Who want to learn this information most helpful. One who wanted to learn this technology IT employees will always suggest you take data science training in pune. Because data science course in Pune is one of the best that one can do while choosing the course.

  35. Really great and very informative is giving assignment help to students.we are already trusted by thousands of students who struggle to write their academic papers and also by those students who simply want essay editor to save their time and make life easy.

  36. azure is a trending technology in it industry . there is much scope for azure in it industry. learn azure through microsoft azure training

  37. Looking forward to move into another hous?!… [...]Real estate busines is getting more and more less protitable, check out why[...]… daisy shah hot photoshoot

  38. Quit smoking benefits… If we see you smoking we will assume you are on fire and take appropriate action…. kankaria lake zoo timings

  39. Looking forward to move into another hous?!… [...]Real estate busines is getting more and more less protitable, check out why[...]… daisy shah hot photoshoot

  40. This comment has been removed by the author.

  41. This comment has been removed by the author.

  42. This comment has been removed by the author.

  43. This comment has been removed by the author.

  44. This comment has been removed by the author.

  45. Thank you so much for this useful article. Visit OGEN Infosystem for Web Designing and SEO Services in Delhi, India.
    SEO Service in Delhi

  46. Any business, whether it is home based or, a large enterprise that employs several individuals, choosing the best broadband deals would go a long way in helping the owner of the business save a great deal in terms of the money as well as the time invested. Irrespective of the nature of the size of the business venture, the number of employees that it employs or the genre of the business, it would need a phone as well as an Internet to operate and function these days. It becomes imperative that business owners thoroughly analyze the existing market and only... cod mw key codes

  47. Business naming is an important first-step for starting your own business. It is important to have your good product or service backed up by a right business name. Here are 13 simple do's and don'ts that will help your keep your business naming process simple. showbox for iphone

  48. I don’t even know how I ended up here, but I thought this post was good. I do not know who you are but certainly you are going to a famous blogger if you aren’t already Cheers! Uber coupon

  49. Appslure is a reputed company based in India which provide mobile app development company in mumbai. Our website's layout will be very attractive and responsive, which will gain more visitors and you can get high lead and business from your website. Wonderful post, This article have helped greatly continue writing ..
    Mobile app development company in mumbai

  50. Really it was an awesome article,very interesting to read.You have provided an nice article,Thanks for sharing.devops Training in Bangalore

  51. Really i appreciate the effort you made to share the knowledge. The topic here i found was really effective...

    Learn SAP Training from the Industry Experts we bridge the gap between the need of the industry. Softgen Infotech provide the Best SAP Training with 100% Placement Assistance. Book a Free Demo Today.

  52. wonderful thanks for sharing an amazing idea. keep it...

    Get SAP ABAP Training in Bangalore from Real Time Industry Experts with 100% Placement Assistance in MNC Companies. Book your Free Demo with eTechno Soft Solutions.

  53. Really very happy to say, your post is very interesting to read. I never stop myself to say something about it. You’re doing a great job. Keep it up…

    Looking for Best Training Institute in Bangalore , India. Softgen Infotech is the best one to offers 85+ computer training courses including IT Software Course in Bangalore , India. Also, it provides placement assistance service in Bangalore for IT.

  54. Really useful information.

    Data science Course in Mumbaii

    Thank You Very Much For Sharing These Nice Tips.

  55. Great post!I am actually getting ready to across this information,i am very happy to this commands.Also great blog here with all of the valuable information you have.Well done,its a great knowledge.

    sap abap training in bangalore

    sap abap courses in bangalore

    sap abap classes in bangalore

    sap abap course syllabus

    best sap abap training

    sap abap training center

    sap abap training institute in bangalore

  56. A business broker is a person or firm who/which acts as an intermediary between sellers and buyers of small businesses. The process of buying or selling a business requires dedication and the attention of a professional with the knowledge of the complete flow of a business transaction, as well as a team in place to accomplish every aspect of the transfer. loanrepublic

  57. The entrepreneur who really wants to be successful with his or her small business should be ingenious to look for new and innovative ways to advertise products and services to reach a wider market share. It has been found credible by many research studies that it is worth the time of any creative entrepreneur to build his or her business online. Particularly, the Internet has today offered remarkable ways an entrepreneur can build any business online and generate revenue. Car Paint

  58. Our own chaga mushroom comes with a schokohutige, consistent, charcoal-like arrival, a whole lot of dissimilar to the style of the standard mushroom. Chaga Tincture buy lumion usa

  59. Norton is one of the top most antivirus for computers and gadgets, to download and setup Norton antivirus you need to visit or In this article we will guide you all steps which are necessary to activate Norton antivirus on windows.

  60. I absolutely love your blog and find a lot of your post’s to be exactly I’m looking for. can you offer guest writers to write content to suit your needs? I wouldn’t mind writing a post or elaborating on a few of the subjects you write in relation to here. Again, awesome weblog! gift ideas

  61. Spot up for this write-up, I truly feel this fabulous website requirements a great deal more consideration. I’ll probably be once more to learn considerably more, thanks for that information. putlockers

  62. What are you indicating, man? I know everyones got their own thoughts and opinions, but really? Listen, your web log is cool. I like the hard work you put into it, specifically with the vids and the pics. But, come on. Theres gotta be a better way to say this, a way that doesnt make it seem like most people here is stupid! lake grande

  63. thank you sharing this blog, it useful for understanding AZURE AD.
    Big data training bangalore

  64. If you face any trouble at in the course of redeeming Product key, down load and installing norton setup, Please call us toll-free USA/CANADA: +1-855-619-5888
    Australia: +61-800-941-031
    UK: +44-800-041-8972

  65. When I originally commented I clicked the -Notify me when new surveys are added- checkbox now whenever a comment is added I buy four emails with similar comment. Is there by any means you possibly can remove me from that service? Thanks! Hair and make-up in San Bernardino