Conflict with SSPR and Password Writeback for AADDS Users

Daniel Solomon 5 Reputation points
2024-12-17T16:14:41.0033333+00:00

I'm having this issue with my tenant where we have on-prem users, cloud users, and AADDS users. Some of the current cloud users used to be on-prem users and were converted. DirSyncEnabled is set to FALSE and they have their Immutable IDs set to $null, but they still possess the OnPremisesSecurityIdentifier.

These users are AADDS users and they need to use SSPR to reset their password as AADDS dictates.

When they do reset their password via aka.ms/sspr, they get the "Contact your admin and have them enable password write-back" message. Write back is enabled in SSPR but password write-back is NOT enabled on the on-prem Entra Sync. This is creating a conflict and effectively stopping any AADDS users from being able to reset their own password.

Is there a way to resolve this conflict? Do we have to reach out to MS support to remove the OnPremisesSecurityIdentifier for all of our users that need to have it removed? Is there a feature I'm missing that gets around this?

I've been in contact with MS Support and they are "actively working on the fix" since this is apparently affecting multiple organizations, but they are not able to point to any Learn articles that let us know what the actual issue is.

If we turn on Password Writeback on Entra Sync on the On-Prem server, are we able to disable it again?

What are the possible issues we might see with enabling Password Writeback on Entra Sync? I want to note again that we have On-Prem users, AADDS users and full cloud users.

After turning on Password Write back on-prem, how would issues manifest? How can we identify there are issues?
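
The account state described in the question (sync disabled, no immutable ID, on-premises SID still present) can be inventoried before choosing a remediation. This is an added example, not part of the original post or Microsoft's guidance; the function name `Get-UserSyncState`, the state labels and the sample users are constructed, and it assumes the legacy `DirSyncEnabled` and `ImmutableId` attributes correspond to the Microsoft Graph properties `onPremisesSyncEnabled` and `onPremisesImmutableId`.

```powershell
# Added example: hypothetical helper that classifies user objects by their
# on-premises sync attributes. Property names follow the Microsoft Graph user resource.
function Get-UserSyncState {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$User
    )
    process {
        $synced      = $User.OnPremisesSyncEnabled -eq $true
        $hasSid      = -not [string]::IsNullOrEmpty($User.OnPremisesSecurityIdentifier)
        $hasAnchor   = -not [string]::IsNullOrEmpty($User.OnPremisesImmutableId)

        # Labels are constructed for this example.
        $state = if ($synced) { 'Synced' }                          # still managed on-prem
            elseif ($hasSid -and -not $hasAnchor) { 'ConvertedResidualSid' } # state from the post
            elseif ($hasSid -or $hasAnchor) { 'ConvertedOther' }    # partial on-prem remnants
            else { 'CloudOnly' }                                    # never synced

        [pscustomobject]@{
            UserPrincipalName = $User.UserPrincipalName
            State             = $state
            SyncEnabled       = $User.OnPremisesSyncEnabled
            HasImmutableId    = $hasAnchor
            HasOnPremSid      = $hasSid
        }
    }
}

# Constructed sample users (not real accounts) so the function runs offline.
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'synced@contoso.example'; OnPremisesSyncEnabled = $true
        OnPremisesImmutableId = 'Y29uc3RydWN0ZWQ='; OnPremisesSecurityIdentifier = 'S-1-5-21-1111111111-2222222222-3333333333-1104' }
    [pscustomobject]@{ UserPrincipalName = 'converted@contoso.example'; OnPremisesSyncEnabled = $false
        OnPremisesImmutableId = $null; OnPremisesSecurityIdentifier = 'S-1-5-21-1111111111-2222222222-3333333333-1105' }
    [pscustomobject]@{ UserPrincipalName = 'cloud@contoso.example'; OnPremisesSyncEnabled = $null
        OnPremisesImmutableId = $null; OnPremisesSecurityIdentifier = $null }
)
$sample | Get-UserSyncState | Format-Table -AutoSize

# Against a live tenant (read-only), using the Microsoft Graph PowerShell SDK:
# Connect-MgGraph -Scopes 'User.Read.All'
# Get-MgUser -All -Property 'userPrincipalName,onPremisesSyncEnabled,onPremisesImmutableId,onPremisesSecurityIdentifier' |
#     Get-UserSyncState | Where-Object State -eq 'ConvertedResidualSid'
```

Comparing the `ConvertedResidualSid` list with the users who report the SSPR error shows whether the two populations actually match before any attribute change is requested.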
