What is Azure Password Writeback?

Azure AD Domain Services supports Azure Password Writeback in Azure AD. After you enable Password Writeback on the Azure AD Domain Services page in the Azure portal, users can change their passwords in Azure AD. Azure AD then changes the passwords on the domain controllers in Azure DevOps Services. As the passwords are changed, Azure AD Domain Services synchronizes them back to Azure AD.

In technical terms, an Azure password writeback operation is an option for a password “reset” action. Its most significant benefit is that most users no longer need an on-premises solution to be set up and configured in order to reset their passwords. The reset takes place in real time, so users are notified instantly in the following situations:

  • The password cannot be reset.
  • A problem interrupts the password change process.

Moreover, the PTA (pass-through authentication) and PHS (password hash synchronization) protocols enable the password reset seamlessly.

Password Writeback License Requirements:

Azure Password Writeback and Self-Service Password Reset (SSPR) require Azure Premium P1 or P2 for EVERY user.

This feature can also be bought separately as an add-on and comes as a part of the following license plans: 

  • Business Premium By Microsoft
  • Enterprise Mobility + Security (E3 and E5) add-on 
  • Microsoft 365 F1 and F3 
  • Microsoft 365 E3 and E5 


For configuration, you need a Hybrid Identity Administrator/Global Administrator role. 

  • Open the Azure AD Connect configuration wizard and click Configure.
  • Select Additional tasks.
  • Then select Customize Synchronization Options.
  • When you are asked for Azure AD Global Administrator credentials, type them and click Next.
  • Go to the Connect directories and Domain/OU filtering pages and click Next.
  • Proceed to Optional features and check the option for password writeback.
  • After you see an overview of the changes you made, click Configure. After a few minutes, the configuration will be complete.
  • Now connect to the Azure AD tenant, go to Azure Active Directory, click Password reset > On-premises integration, and confirm that Password writeback is enabled.
  • Finally, the Self-service password reset (SSPR) feature is also now enabled.

Moreover, Self-service password reset (SSPR) in Azure Active Directory (Azure AD) allows users to reset their passwords without having to contact an administrator. 

Steps required for enabling password writeback option in SSPR framework

The following steps activate password writeback in SSPR instead of Azure AD.

  1. Go to the Azure portal and log in with your Global Administrator account credentials.
  2. Then move directly to Azure Active Directory, which shows you the option to change/reset your password. Click the Password reset tab.
  3. On the left pane, you will see integration options. Click On-premises integration.
  4. In the options that open, set the option for writing back passwords to the on-premises directory to Yes.
  5. You can also set “Allow users to access accounts without resetting the password” to Yes.
  6. Password writeback is now enabled. Lastly, finalize it by clicking Save.
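
A check to run once both sets of steps above are done, as an added example that is not part of the original article: on the Azure AD Connect server, it reads the writeback setting for the Azure AD connector and summarises recent writeback events so that failed resets stand out. It assumes the ADSync module that ships with Azure AD Connect, the default connector name ending in " - AAD", and a 7-day window chosen for illustration.

```powershell
# Added example, not from the original page. Run in an elevated PowerShell
# session on the Azure AD Connect server.
Import-Module ADSync -ErrorAction Stop

# Assumption: the Azure AD connector keeps its default name, ending in " - AAD".
$aadConnector = Get-ADSyncConnector | Where-Object { $_.Name -like '* - AAD' }
if (-not $aadConnector) {
    throw 'No connector with the default " - AAD" suffix was found; adjust the filter.'
}

# Writeback state as the sync engine reports it for that connector.
Get-ADSyncAADPasswordResetConfiguration -Connector $aadConnector.Name

# Writeback activity is written to the Application log by the
# PasswordResetService source. Summarise the last 7 days (illustrative window)
# by event ID and level so failures are visible next to successes.
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'PasswordResetService'
    StartTime    = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No PasswordResetService events since $since; writeback may not be onboarded or has not been used yet."
} else {
    $events |
        Group-Object Id, LevelDisplayName |
        Sort-Object Count -Descending |
        Select-Object Count, Name,
            @{ Name = 'LastSeen'; Expression = { ($_.Group | Sort-Object TimeCreated)[-1].TimeCreated } } |
        Format-Table -AutoSize
}
```

Error- or warning-level rows in the summary are the ones to open in Event Viewer; their message text names the account and the reason the on-premises reset was refused.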


Password synchronization solution for AD

The feature “ManageEngine ADSelfService Plus” provides users with an AD-based password synchronization option. It also helps to synchronize users’ AD domain passwords, in addition to making changes, using:

  • Azure AD accounts 
  • Microsoft 365 accounts 
  • Enterprise applications, including AD Lightweight Directory Services, Google Workspace, and Salesforce

Benefits of synchronization feature:

  1. Self-service password reset: It provides a secure option for a self-service password reset. The reset portal also allows users to reset their passwords and synchronize the changes to integrated enterprise accounts.
  2. Granular configuration: A password synchronization option related to specific applications is also available for users of particular domains, OUs, and groups.
  3. Advanced password policies: The Password Policy Enforcer governs any changes and resets. This feature can enforce advanced password requirements such as bans on dictionary words, trends, and patterns.
  4. Application-specific synchronization: Users have the choice to sync any changes with the integrated application accounts or any desired app.
  5. Synchronized account status: “Self-service domain account unlocks” will only have the option to open integrated enterprise accounts. 

Azure AD’s self-service password writeback feature is the most famous and reliable way of resetting passwords. Therefore, use this feature and make the password change process more fun.  
