Setting up Self-Service Password Reset with Writeback to On-premises

One of the important steps of achiving great user-experice is getting ease of access for end-users, including the ability to do self-service, which especially involved passwords which is the most common support issue that most support centers have.

As part of Azure AD you have the ability to setup Self-Service Password Reset as long as you are licensed, which is then available either as part of an Azure AD joined machine or from within a browser as long as you have access to Microsoft Online.

To use the feature you need one of the following licenses.
(Office 365 licenses including E3 or E5 is not included and therefore this will not work for those licenses)
  • Azure AD Premium P1
  • Azure AD Premium P2
  • Enterprise Mobility + Security E3 or A3
  • Enterprise Mobility + Security E5 or A5
  • Microsoft 365 E3 or A3
  • Microsoft 365 E5 or A5
  • Microsoft 365 F1
  • Microsoft 365 Business

If you are concerned about the security, the feature itself is quite safe.
The Feature is run trough Azure AD Connect but any actions done to it cannot be initiated directly. The network channel used for password writeback operations (for example password reset) is initiated from the Azure AD Connect computer on-premises to the cloud service using Azure Service Bus; this technology uses bi-directional sockets to enable the operations at runtime.

Now from a security perspective the communication uses the following encryption mechanisms.

RSA 2048 Private/Public key pair AES_GCM (256-bits key, 96-bits IV size)
When Azure AD Connect Is configured, a new private/public key is generated. The cloud backend only knows the public key and the Azure AD Connect keeps the private key. In addition to this, a AES_GCM symmetric key is exchanged for use at runtime. The key is 32 bytes (256-bit) key, 12 bytes (96-bit) nonce, 16 bytes (128-bit) tag. The requests from the cloud service include the new password (encrypted with the public key described above), as well as metadata. Then, the request information is encrypted with AES_GCM as described above and then sent onpremises via Azure Service Bus.

Implement Self-Service Password Reset in Azure AD Connect

First step is to enable, Password Writeback in Azure AD Connect.


And note: This feature works with federated, pass-through authentication, or password hash synchronized based users.

All users in the local Active Directory should have the following attributes populated. This can either be sourced from attributes in Active Directory that are synced out or if users have already enabled MFA on the users in Azure AD.
If MFA is not enabled that ensure that users have the following attributes added.

telephoneNumber Office phone
mobile Mobile phone

And if you have created your Azure AD connect service account with limited access you need to ensure that the service account has the following access to your local Active Directory to ensure it can change passwords.

  • Reset password
  • Change password
  • Write permissions on lockoutTime
  • Write permissions on pwdLastSet

Once it is enabled you can see the feature will be reporting as available in the Azure AD Portal.
Here you can also define if users are allowed to reset their passwords without changing their passwords as well.


Under Properties you also define which user groups which are allowed to change their passwords.
You should only have a Azure AD Group enabled which contains users that are licensed to reset their passwords in case not all users have the correct licenses.


Also under registration you need to to define what kind of methods that need to be configured in order for the password reset option to be used for an end-users. If we have this enabled,


Password reset from Windows 10

This feature can also be used directly from Windows 10 login-screen. In order to have this feature enabled you need to have the following enabled.

This can be done either using OMA-URI with Intune or using Registry with Group Policy. The following OMA-URI settings needs to be configured in order to the option to be available for the end-users.


  • OMA-URI set to ./Vendor/MSFT/Policy/Config/Authentication/AllowAadPasswordReset
  • Data type set to Integer
  • Value set to 1


  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AzureADAccount
  • "AllowPasswordReset"=dword:00000001

After this has been configured you can see the following option appear from the login screen.
NOTE: This option will show regardless if the user has an assigned license or not or if the service has been configured.


It is important that this feature does not work for networks with 802.1x network authentication deployed and the option “Perform immediately before user logon”. For networks with 802.1x network authentication deployed it is recommended to use machine authentication to enable this feature.

If your Windows 10 machines are behind a proxy server or firewall, HTTPS traffic (443) to and should be allowed.



Leave a Reply

Scroll to Top