M365 to on-premise sync does not write initial M365 password to on-premise

That Cable Guy 0 Reputation points
2024-12-10T15:24:50.74+00:00

Hi

This is our workflow.

  1. We create an account in Microsoft 365 and assign an A1 or A3 license.
  2. We create an account on-premise in Active Directory.
  3. We sync this using Microsoft Entra AD Connect (version 2.4.27.0).
  4. Sync works (the symbol behind the account changes from cloud to server).

The problem: Unable to login on-premise with the account's existing password.

Resetting the account's password in Active Directory resolves this, but that is no solution. We have a bunch of accounts which need to be synced up and we don't want them to have to change their password because of this.

As far as I understand password hash (?) and write-back is working. When changing this password on-premise or in the cloud it works on the other environment within a couple of minutes.

Am I missing something?

Kind regards
That Cable Guy


2 answers

  1. Andy David - MVP 151K Reputation points MVP
    2024-12-10T15:48:51.2766667+00:00

    I'm confused:

    1. We create an account in Microsoft 365 and assign a A1 or A3 license.
    2. We create an account on-premise in Active Directory

    Why are you creating two accounts? The account should be created on-prem and then allowed to sync to Azure.


  2. Akhilesh Vallamkonda 10,860 Reputation points Microsoft Vendor
    2024-12-18T17:29:27.5566667+00:00

    Hi @That Cable Guy

    The account creation order should be: create on-premises first and then sync to Microsoft 365.
    On-premises Active Directory and Microsoft 365 are two different directories. You can sync the on-premises directory users, groups & devices to the Microsoft 365 directory with the tool called Microsoft Entra Connect, so that on-prem users are synced to the cloud and can utilize the cloud resources. But you cannot sync Microsoft 365 cloud users to the on-premises directory, because Microsoft Entra Connect does not support user writeback; this feature was removed in the August 2015 update to Microsoft Entra Connect.
    If you enable password writeback in Entra Connect, password hash sync and password writeback work for the on-prem users only.
    From your ask, you said you are unable to log in on-premises with the account's existing password. Was this user created in on-premises AD or in the Microsoft 365 portal, or did you create two accounts, in both on-premises AD and Microsoft 365?
    If you created the user in on-premises AD and you have used the Entra Connect tool, the user should sync from on-premises AD to the Microsoft 365 portal, and for this user password writeback and password hash sync should work.
    If you are using Microsoft 365 accounts which were created in the portal for on-premises, the behavior is expected, because the users already existed in Microsoft 365.

    Do let us know if you have any further queries by responding in the comments section.
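The practical check behind both answers is whether a given Entra account is actually mastered on-premises (a synced object) or was created cloud-first, since password hash sync and password writeback only act on the former. The script below is an added example, not code from the thread or from Microsoft; it assumes the Microsoft Graph PowerShell SDK and the ADSync module are available on the Entra Connect server, and the connector name and distinguished name are placeholders to replace with your own.

```powershell
# Added example: for one UPN, report whether the Entra object is synced from AD
# (on-premises mastered) or cloud-only, then show whether password hash sync is
# enabled on the AD connector. Assumes Microsoft.Graph.Users and ADSync modules;
# connector name and DN are placeholders.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,
    [string] $SourceConnector = "contoso.com",                              # placeholder: your AD connector name
    [string] $DistinguishedName = "CN=placeholder,OU=Users,DC=contoso,DC=com" # placeholder: the AD object's DN
)

Import-Module ADSync
Import-Module Microsoft.Graph.Users

Connect-MgGraph -Scopes "User.Read.All" -NoWelcome

# 1. Is the cloud object mastered on-premises? A cloud-created user has no
#    onPremisesImmutableId and onPremisesSyncEnabled is not $true. Entra Connect
#    never pushes such a user (or its password) back into AD, which is why a
#    separately created AD account keeps its own, different password.
$u = Get-MgUser -UserId $UserPrincipalName -Property `
    "userPrincipalName,onPremisesSyncEnabled,onPremisesImmutableId,onPremisesLastSyncDateTime"

$masteredIn = if ($u.OnPremisesSyncEnabled -eq $true -and $u.OnPremisesImmutableId) {
    "on-premises (synced from AD)"
} else {
    "cloud-only (created in the portal; no writeback to AD will occur)"
}

[pscustomobject]@{
    User        = $u.UserPrincipalName
    MasteredIn  = $masteredIn
    ImmutableId = $u.OnPremisesImmutableId
    LastSync    = $u.OnPremisesLastSyncDateTime
}

# 2. Is password hash sync enabled for this connector, and is user writeback
#    (which Entra Connect no longer offers) reported as off, as expected?
Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $SourceConnector |
    Select-Object SourceConnector, TargetConnector, Enabled
Get-ADSyncAADCompanyFeature | Select-Object PasswordHashSync, UserWriteBack

# 3. Run the built-in password sync diagnostic for the single AD object, which
#    reports whether the hash for this user has been synchronized to Entra.
Invoke-ADSyncDiagnostics -PasswordSync -ADConnectorName $SourceConnector -DistinguishedName $DistinguishedName
```

If the first block reports cloud-only, the fix described in the thread applies: create (or match) the user on-premises and let Entra Connect sync it, so that the AD password becomes the one source and flows to the cloud through password hash sync; a cloud-side password cannot be carried into AD for an account that was never synced.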

