Q. How does Azure AD password write-back function based on different types of synchronization and federation?
A. Azure AD enables end-user self-service password reset. There is a great document at https://azure.microsoft.com/en-us/documentation/articles/active-directory-passwords-learn-more/ that walks through the details of how password write-back works. There are essentially three scenarios, depending on whether the user is Azure AD based, synchronized from on-premises AD, or federated. Below is a summary.
- User is native Azure AD - Password write-back does not occur
- User is password synchronized from AD - Password change is replicated to on-premises AD
- User is federated with AD - Password is written to on-premises AD only, since no password exists in Azure AD