Azure AD Password Writeback & Self Service (SSPR) | Sync accounts Office 365, WVD back to on-premise

Captions
Hello and welcome. This video is an extension of how to set up Azure AD Connect using password writeback, so this will allow users to change Azure Active Directory passwords and sync any password changes back to on-premise AD, as shown in the diagram. If you're looking at how to set up Azure AD Connect from scratch to sync on-premise Active Directory to Azure Active Directory, then check out the links in the description below for the first part of the video. An existing on-premise AD configured with the current version of Azure AD Connect is a prerequisite in making this work and is covered in that previous video, with the links in the description.

So why would we want to use password writeback? In a hybrid environment where Azure AD is connected to on-premise Active Directory without password writeback, users can cause passwords to be different between the two directories. This means that if a user changes their Azure AD account password and then tries to log in when in the office on-premise, their passwords will be different. Also covered in this video is using Azure AD self-service password reset, also known as SSPR, so users can reset their passwords or unlock their accounts using a web browser. So password writeback can be used to synchronize password changes in Azure AD back to your on-premise Active Directory. Azure AD Connect provides a secure mechanism to send these password changes back to an existing on-premise directory from Azure AD. Before we get started, please subscribe to the Cloud Inspired channel; videos are posted weekly on cloud technical guides and certification. Thank you very much.

So in this video we will test password writeback before the change. We will also take a look at Azure Active Directory licensing to enable the password writeback feature, we will take a look at account permissions, enable password writeback using Azure AD Connect on-premise integration, enable self-service password reset (SSPR), and then finally we'll test password writeback after we've enabled it.

So first of all, let's test and prove a user is unable to change their password without password writeback configured and enabled. We have a user called test adsync azure which is synced from on-premise Active Directory to Azure AD, so we will log in with this user and attempt to change the password. Once we are signed in to Microsoft, we can go to our account and we can now attempt to change our password. If we click Change password, we then get a message: "You can't change your password. Your organization doesn't allow it." This is because password writeback is not enabled. If we go into our Active Directory users, then into Password reset and On-premises integration, we can see that we get a message that on-prem integration is not enabled, so everything is greyed out at this point.

A working Azure AD tenant with at least an Azure AD Premium P1 trial license is also required to use password writeback and to switch it on. I've used the trial Azure AD Premium P2 license, which you can see here, and you can get a one month free trial of this; the links are below in the description if you wish to use this. Our test adsync azure user is licensed for Azure AD Premium P2. It's also added to a group, as you can see here, so this is quite easy administration: within Active Directory we've created a group and we just add users to that group, and they will then get assigned the AD P2 license automatically. This group is fully synced from on-prem AD to Azure AD using Azure AD Connect.

Using your already configured Azure AD Connect, we need to take the account specified in Azure AD Connect and set the appropriate permissions and options. We can see which account is being used here if we go to Azure AD Connect and select the View current configuration option; the account you need to add permissions to is listed under Synchronized Directories. Please refer to the Microsoft document in the description for the following steps to enable account permissions for Azure AD Connect in your on-premise environment: open Active Directory Users and Computers with an account that has the appropriate domain admin permissions. From the View menu, make sure that Advanced Features are turned on. Right-click the root object of the domain and select Properties, Security and then Advanced. From the Permissions tab click Add. For the principal, select the account that the permissions should be applied to; in our case this was the account shown earlier in Azure AD Connect. In the Applies to drop-down list, select Descendant User objects. Under Permissions, select Reset password, then scroll down and select Write lockoutTime, continue to scroll down and select Write pwdLastSet, and once done click OK, then Apply, then OK.

Okay, so now after the permissions have been set on our account we need to configure Azure AD Connect. Open up Azure AD Connect, click Configure and then Customize synchronization options, and then we need to enter the credentials of our Azure global administrator account to connect to Azure AD. Click Next, click Next on the directories page and also on the domain and OU filtering page, and then on the Optional features page we have a tick box we need to tick called Password writeback to enable it. Tick this, click Next, and I'll speed up the video here while it configures.

Now we need to enable on-premise integration within the Azure portal. Go to Azure Active Directory, click Users, go to Password reset and then On-premises integration. We can see now this is enabled for us to choose and select. For Write back passwords choose Yes, and for Allow users to unlock accounts without resetting their password also choose Yes at this point, then click Save.

We also need to check our group policy within on-premise Active Directory, as the minimum password age must be set to zero for password writeback to work so passwords can be changed immediately. Go to Group Policy Management, Default Domain Policy, click Edit, then drill down to Computer Configuration, Windows Settings, Security Settings, Account Policies, Password Policy. We can see our minimum password age is set to one at the moment, so we need to set this to zero to make sure that password writeback happens immediately.

Here we can switch on self-service password reset, or SSPR. We can choose to do this at a group level or we can just select it for all users. Under Authentication methods we just leave this as default, but you can change this as required; we'll leave this as one method to reset, with email and SMS. We can also force a user to add a security question here as well; we can add predefined security questions or custom questions. We can also select whether our users are forced to register when they sign in. We have various notifications here where you can notify users on password resets; we'll leave that as default. We can also notify admins when other admins reset their password as well, and we can use a custom URL if required.

So now let's test this all out to see whether it's working. We've enabled password writeback, so we log in with our synced user as we did before to see whether we can change our Azure AD password. I'll approve the sign-in request. If we now go to our account and click Change password, we no longer get the message that we're unable to do this; we basically type our old password and confirm our new password. Okay, that's changed successfully within the portal. Let's just check to see whether it's actually synced back to our on-premise Active Directory. If we now RDP to our on-premise Active Directory domain controller and log in with our on-premise Active Directory account, we can see that we can log in successfully using our synced password, which is written back from Azure AD to our on-premise AD.

Thanks for watching the video, hope you enjoyed. Please subscribe to the channel to get notified of future weekly videos on cloud technical guides and certification. See you all soon, thank you.
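The permissions, minimum-password-age and writeback steps the video performs in the GUI, as an added PowerShell example (not code from the video, from Cloud Inspired or from Microsoft). It assumes it is run on the Azure AD Connect server, in the target domain, by a domain admin, with the RSAT ActiveDirectory module and the ADSync module that ships with Azure AD Connect available. The connector account `CONTOSO\MSOL_a1b2c3d4` and the `* - AAD` connector-name pattern are assumed placeholders; take the real account from View current configuration as the video does.

```powershell
# Added example (assumed names): grant the AD DS connector account the three ACEs the
# video sets by hand, check the minimum password age, and enable password writeback.
param(
    [string]$ConnectorAccount = 'CONTOSO\MSOL_a1b2c3d4'   # assumed: from "View current configuration"
)

Import-Module ActiveDirectory
Import-Module ADSync   # installed with Azure AD Connect

$rootDse  = Get-ADRootDSE
$domainDn = $rootDse.defaultNamingContext
$schemaNc = $rootDse.schemaNamingContext
$configNc = $rootDse.configurationNamingContext

# Resolve the attribute/class and extended-right GUIDs from the directory
# rather than hard-coding them.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$configNc" -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$obj.rightsGuid
}

$userClassGuid     = Get-SchemaGuid 'user'
$lockoutTimeGuid   = Get-SchemaGuid 'lockoutTime'
$pwdLastSetGuid    = Get-SchemaGuid 'pwdLastSet'
$resetPasswordGuid = Get-ExtendedRightGuid 'Reset Password'

$identity = New-Object System.Security.Principal.NTAccount($ConnectorAccount)
$allow    = [System.Security.AccessControl.AccessControlType]::Allow
# "Descendant User objects" in the GUI: inherit-only ACEs restricted to the user class.
# (The .NET enum member really is spelled "Descendents".)
$inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

$rules = @(
    # Reset password (extended right)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $identity, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        $allow, $resetPasswordGuid, $inherit, $userClassGuid),
    # Write lockoutTime (needed for "unlock without resetting the password")
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $identity, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        $allow, $lockoutTimeGuid, $inherit, $userClassGuid),
    # Write pwdLastSet
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $identity, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        $allow, $pwdLastSetGuid, $inherit, $userClassGuid)
)

# Apply the ACEs on the domain root, exactly where the video adds them.
$acl = Get-Acl -Path "AD:\$domainDn"
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path "AD:\$domainDn" -AclObject $acl

# Read back what the connector account now holds on the domain root.
(Get-Acl -Path "AD:\$domainDn").Access |
    Where-Object { $_.IdentityReference -eq $identity } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType

# Minimum password age: writeback is rejected while this is non-zero. Only report it
# here; the effective value comes from the Default Domain Policy GPO, so change it
# there (as the video does) rather than with Set-ADDefaultDomainPasswordPolicy,
# which Group Policy would overwrite on the next refresh.
$policy = Get-ADDefaultDomainPasswordPolicy
if ($policy.MinPasswordAge -gt [TimeSpan]::Zero) {
    Write-Warning "Minimum password age is $($policy.MinPasswordAge); set it to 0 in the Default Domain Policy."
}

# Enable password writeback on the Azure AD connector and confirm the setting.
$aadConnector = Get-ADSyncConnector | Where-Object { $_.Name -like '* - AAD' }   # assumed naming "<tenant>.onmicrosoft.com - AAD"
Set-ADSyncAADPasswordResetConfiguration -Connector $aadConnector.Name -Enable $true
Get-ADSyncAADPasswordResetConfiguration -Connector $aadConnector.Name
```

The ACEs are inherit-only and scoped to the user class, so the connector account gains no rights on the domain object itself, but it does gain reset and unlock rights over every ordinary user object beneath the root. Accounts protected by AdminSDHolder (members of Domain Admins and the other protected groups) do not inherit these ACEs, so writeback fails for them; that is expected and is not something to fix by loosening AdminSDHolder.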
Info
Channel: Cloud Inspired
Views: 4,432
Keywords: azure, password writeback, azure ad, ad connect, office 365, wvd, sspr, self service, password, sync, back, on premise, integration
Id: vQVA1NTV5IY
Length: 11min 45sec (705 seconds)
Published: Sat Jan 30 2021