Q. If I disable password-writeback with Azure AD Connect how does this impact changing the password for a synchronized user in Azure AD?
A. Azure AD Connect provides an easy to deploy solution to connect and synchronize on-premises Active Directory Domain Services domain instances with an Azure AD instance. One option for the replication from AD to Azure AD is a hash of the user's password hash which enables the on-premises user and Azure AD user to have the same password giving a single sign-on experience for users when authenticating in Azure AD. An alternate approach is to use federation for authentication in Azure AD which actually redirects the authentication to on-premises domain controllers making the replication of the hash of the password hash optional (but still possible in case you wish to switch to Azure AD authentication, for example if the federation was unavailable).
It is also possible to enable password-writeback from Azure AD to on-premises AD as an option for the Azure AD Connection configuration. When this is enabled a password change in Azure AD has the following effect:
- If the user is Azure AD only then writeback is not a factor and the password is updated in Azure AD only
- If the user is password synchronized and federation is not used then the password is updated in Azure AD an on-premises AD to keep them synchronized
- If the user is a federated user only with no password synchronization then password writeback only updates on-premises AD since no password exists in Azure AD
Now what if you disable password writeback and are synchronizing the users password. In this scenario Azure AD will try and protect you from having passwords get out of sync. This means you will be unable to change the password in Azure AD for a password synchronized user to prevent password de-synchronization. This applies to both admin password reset and the user password reset.
