I recently had a client complaining that Self-Service Password Reset (SSPR) password writeback wasn’t working. I examined the setup and found that the Azure AD Connect service account did not have the correct permissions assigned. If you are unsure which account is being used, you can find it listed on the “View current configuration” page in the upper right-hand corner of the Microsoft Azure Active Directory Connect application.
This account needs the following permissions:
- Change password
- Reset password
- Write lockout time
- Write pwdLastSet
These permissions are set under Security > Advanced on the user’s account in Active Directory.
Remember to select Advanced Features under the View tab so that the Security tab shows up. When you get to the Advanced Security Settings window, you will need to select the service account as the principal. For more information on setting up password writeback, see this article: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-how-it-works#active-directory-permissions.
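Clicking through Advanced Security Settings works for one OU, but it is easy to miss a right or set the wrong inheritance. The following PowerShell is an added example (not from the original post) that grants the same four permissions to the service account on all descendant user objects of an OU; the account name and OU distinguished name are placeholders, and it assumes RSAT / the ActiveDirectory module and Domain Admin rights.

```powershell
# Grant the Azure AD Connect service account the four writeback permissions on
# every user object under an OU. Account name and OU DN are placeholders.
Import-Module ActiveDirectory

$ServiceAccount = 'CONTOSO\MSOL_placeholder'    # take the real name from "View current configuration"
$TargetDn       = 'OU=Users,DC=contoso,DC=com'  # scope to the OU(s) that Azure AD Connect syncs

$rootDse  = Get-ADRootDSE
$schemaNc = $rootDse.schemaNamingContext
$rightsNc = "CN=Extended-Rights,$($rootDse.configurationNamingContext)"

# Resolve GUIDs from this forest's schema and Extended-Rights container rather than hard-coding them.
function Get-SchemaGuid([string]$LdapDisplayName) {
    [guid](Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID).schemaIDGUID
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    [guid](Get-ADObject -SearchBase $rightsNc -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid).rightsGuid
}

$sid     = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).Translate([System.Security.Principal.SecurityIdentifier])
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$ext     = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$wp      = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$user    = Get-SchemaGuid 'user'   # inherited-object type: ACEs apply to descendant user objects only

$rules = @(
    # Extended rights: Change Password and Reset Password
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new($sid, $ext, $allow, (Get-ExtendedRightGuid 'Change Password'), $inherit, $user)
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new($sid, $ext, $allow, (Get-ExtendedRightGuid 'Reset Password'),  $inherit, $user)
    # Attribute writes: lockoutTime (unlock) and pwdLastSet (clears "must change at next logon")
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new($sid, $wp,  $allow, (Get-SchemaGuid 'lockoutTime'),           $inherit, $user)
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new($sid, $wp,  $allow, (Get-SchemaGuid 'pwdLastSet'),            $inherit, $user)
)

$acl = Get-Acl -Path "AD:\$TargetDn"
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path "AD:\$TargetDn" -AclObject $acl

# Verify: show exactly which rights the service account now holds on the OU
(Get-Acl -Path "AD:\$TargetDn").Access |
    Where-Object { $_.IdentityReference.Value -eq $ServiceAccount } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

Scoping the ACEs to the synced OUs rather than the domain root keeps the service account, which is a high-value credential, from being able to reset passwords on accounts it never needs to touch.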
After setting the correct permissions, I had the client go to https://passwordreset.microsoftonline.com/ and reset a user’s password. After the reset, we checked the Application event log in Event Viewer on the Azure AD Connect server and found Event 31002 reporting the successful password change. I then had the client sign in to Office 365 OWA from a domain-joined system with the account, verifying that the password had been successfully changed and replicated both in on-premises Active Directory and in Office 365. The client was satisfied.
The next day I received word from the client that password writeback was not working. The client complained that when they reset a user’s password, the password would change in Office 365, but the user was not able to sign in to their domain-joined computer with the new password. I asked the client where the password was changed. They replied that they had attempted to reset the password in OWA and under the Active users tab in the Office 365 portal. Unfortunately, you cannot reset on-premises Active Directory accounts using either of these methods. Resets from OWA and from the Active users tab are only designed for cloud accounts (typically @domain.onmicrosoft.com). When the customer reset the password this way, they were only resetting it in Office 365; the change was not replicated down to the on-premises AD object, causing a password mismatch.
Passwords for on-premises AD accounts can be reset through password writeback from https://passwordreset.microsoftonline.com or by clicking “Can’t access your account?” on the Office 365 sign-in page. I explained this to the customer and the confusion was cleared up.