AAD Premium with Password Reset Write-back

How to configure AAD and DirSync With AAD Premium and Password Reset Write-back funtionality, let’s have a look!

Making DirSync even more powerfull, Microsoft introduces Password Reset Write-back for customers using DirSync With Password Synchronization.

You need AAD Premium Licenses which can be bought from a LAR or through Your Enterprise Agreement, and from there assign the Premium Licenses to Your AAD Tenant. Or you can use an AAD Premium Trial which as 100 user Licenses and lasts for 90 days.

Pre reqs:

DirSync (Preferable DirSync Preview)
Azure Active Directory w/Premium Licenses
Windows Server With Active Directory Services

For my dev environment I installed all services on one single Windows Server 2012 R2 Virtual machine hosted in Microsoft Azure VMs.

So, now that we have these Servers and Services installed


DirSync configuration is very much the same. As of today, there isn’t any steps in the Wizard for activating Password Writeback.

After activating Your AAD Premium Licenses, you’ll need to assign them to the users and like assigning Licenses in Office 365 we need to set a UsageLocation for each users. I did it manually for my couple of test users using the Active Directory Management in Microsoft Azure.


Then we nagivate over to Licenses:


At the buttom of Our browser we will hit Assign:


Mark Your users Lucky enough to get Premium Licenses and they’ll show up in the Assign list. Hit the check button when Your done.


Now we need to Enable a Password Policy, which is necessary for the features regarding Sign-In and Password Writeback to work, so head over the Configure pane.


Then we activate the Password Reset Policy, and underneath we can choose certain simple options, but as we allready synhronize users from an Active Directory we should be good With the default settings.


By now the Azure Active Directory should be configured and will navigate back to the Server With DirSync installed, but before we proceed the MSOL User created and used by the Synchronization Service needs Active Directory rights to reset a users password, otherweis the Next step will fail.

So search Your Active Directory for User: MSOL


Open membership and give it Domain Admin, or delegate lower permissions if you want.



Open PowerShell and feel free to use this script for enabling Password Reset Write-back in DirSync:

[code language=”powershell”]

Script that collects credentials and activates Password Reset Write-back for DirSync.
The script imports PowerShell Cmdlets for DirSync, and gathers credentials, which must be same as when you installed DirSync.
Execute necessary PowerShell Command to enable Password Reset Wirte-back for DirSync.
Author: Roy Apalknes
Blog: royapalnes.wordpress.com
Email: roy.apalnes[at]gmail.com
The script are provided “AS IS” with no guarantees, no warranties, and they confer no rights.

#Import Cmdlets for DirSync
Import-Module DirSync

#Azure Active Directory Credentials
#Same Credentials as in DirSync configuration
$CloudUsername = ‘admin@apalnes365.onmicrosoft.com’
$CloudPassword = ConvertTo-SecureString ‘MyPassword’ -AsPlainText -Force
$CloudCred = New-Object System.Management.Automation.PSCredential $CloudUsername, $CloudPassword

#Active Directory Credentials
#Same Credentials as in DirSync configuration
$ADUsername = ‘apalnesadministrator’
$ADPassword = ConvertTo-SecureString ‘MyPassword’ -AsPlainText -Force
$ADCred = New-Object System.Management.Automation.PSCredential $CloudUsername, $CloudPassword

Enable-OnlinePasswordWriteBack -AzureADCredential $CloudCred -LocalADCredential $ADcred


End Result should show ‘Password reset Write-back is enabled.’


If you open Event Viewer for the DirSync Server, you can see the logging underneath Application and if you haven’t given Your MSOL Users necessary rights these two will popup:

FIMSynchronizationService: An unexpected error has occurred during a password set operation. “BAIL: MMS(9368): ..server.cpp(12601): 0x80230626 (The password could not be updated because the management agent credentials were denied access.) Forefront Identity Manager 4.3.647.0”

PasswordResetService: TrackingId: 85be9f13-a15a-46a2-83c6-62a191763339, Error Resetting Password, Details: Microsoft.CredentialManagement.OnPremisesPasswordReset.Shared.PasswordResetException: Synchronization Engine returned an error hr=80230626 at AADPasswordReset.SynchronizationEngineManagedHandle.ThrowSyncEngineError(Int32 hr) at AADPasswordReset.SynchronizationEngineManagedHandle.ResetPassword(String cloudAnchor, String sourceAnchor, String password) at Microsoft.CredentialManagement.OnPremisesPasswordReset.PasswordResetCredentialManager.ResetPasswordInAD(String cloudAnchorValue, String sourceAnchorValue, String userPrincipalName, String password) at Microsoft.CredentialManagement.OnPremisesPasswordReset.PasswordResetCredentialManager.ResetPassword(String encryptedCloudAnchor, String encryptedSourceAnchor, String userPrincipalName, String encryptedPassword, String callerTrackingId)





I am Roy Apalnes, a Microsoft Cloud Evangelist working av Sopra Steria. Main focus in Microsoft Security and Endpoint Management, with a bigger picture in mind.

Featured Posts