Conflict with SSPR and Password Writeback for AADDS Users
I'm having this issue with my tenant where we have on-prem users, cloud users, and AADDS users. Some of the current cloud users used to be on-prem users and were converted. DirSyncEnabled is set to FALSE and they have their Immutable IDs set to $null, but they still possess the OnPremisesSecurityIdentifier.
These users are AADDS users and they need to use SSPR to reset their password as AADDS dictates.
When they do reset their password via aka.ms/sspr, they get the "Contact your admin and have them enable password write-back" error. Write-back is enabled in SSPR, but password write-back is NOT enabled on the on-prem Entra Sync. This is creating a conflict and effectively stopping any AADDS users from being able to reset their own password.
Is there a way to resolve this conflict? Do we have to reach out to MS support to remove the OnPremisesSecurityIdentifier for all of our users that need to have it removed? Is there a feature I'm missing that gets around this?
I've been in contact with MS Support and they are "actively working on the fix" since this is apparently affecting multiple organizations, but they are not able to point to any Learn articles that let us know what the actual issue is.
If we turn on Password Writeback on Entra Sync on the On-Prem server, are we able to disable it again?
What are the possible issues we might see with enabling Password Writeback on Entra Sync? I want to note again that we have On-Prem users, AADDS users and full cloud users.
After turning on Password Writeback on-prem, how would issues manifest? How can we identify there are issues?
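An added example, not part of the original post, for the two checks the questions above call for: inventorying which users are in the converted state the post describes (not sync-enabled, ImmutableId empty, but OnPremisesSecurityIdentifier still set), and reading the writeback state and recent writeback events on the Entra Connect server. It uses the Microsoft.Graph.Users module (tenant side) and the ADSync module (only present on the Entra Connect server). The output CSV path and the assumption that the tenant connector follows the default "tenant.onmicrosoft.com - AAD" naming are mine; the PasswordResetService event source is the one Microsoft's writeback troubleshooting guidance names, so adjust it if your server logs under a different name.

```powershell
# Added example (not from the original post). Part 1 runs from any admin
# workstation against Microsoft Graph; part 2 runs on the Entra Connect server.

# ---------- Part 1: find converted users that still carry an on-prem SID ----------
Connect-MgGraph -Scopes 'User.Read.All' -NoWelcome

$props = 'Id', 'UserPrincipalName', 'OnPremisesSyncEnabled', 'OnPremisesImmutableId',
         'OnPremisesSecurityIdentifier', 'OnPremisesLastSyncDateTime'

# Pull the on-prem attributes explicitly; Get-MgUser does not return them by default.
$users = Get-MgUser -All -Property $props | Select-Object $props

# The state described in the post: not sync-enabled (null or false), no ImmutableId,
# but an OnPremisesSecurityIdentifier is still present.
$converted = $users | Where-Object {
    -not $_.OnPremisesSyncEnabled -and
    [string]::IsNullOrEmpty($_.OnPremisesImmutableId) -and
    -not [string]::IsNullOrEmpty($_.OnPremisesSecurityIdentifier)
}

# Population summary so the size of each group is visible at a glance.
$users | Group-Object {
    if ($_.OnPremisesSyncEnabled)            { 'synced from on-prem' }
    elseif ($_.OnPremisesSecurityIdentifier) { 'cloud-only but still has on-prem SID' }
    else                                     { 'cloud-only' }
} | Select-Object Name, Count | Format-Table -AutoSize

# Export path is an assumption; change it to suit.
$converted | Export-Csv -Path '.\converted-users-with-onprem-sid.csv' -NoTypeInformation
"{0} converted users still carry an OnPremisesSecurityIdentifier" -f $converted.Count

# ---------- Part 2: run on the Entra Connect server ----------
Import-Module ADSync

# Default connector naming ("<tenant>.onmicrosoft.com - AAD") is assumed here.
$aadConnector = Get-ADSyncConnector | Where-Object { $_.Name -like '* - AAD' }

# Shows whether password writeback is enabled on the sync side, i.e. the half of the
# mismatch the post describes (SSPR says writeback is on, the sync server has it off).
Get-ADSyncAADPasswordResetConfiguration -Connector $aadConnector.Name

# After enabling writeback, failed and successful writeback attempts are logged by the
# PasswordResetService source in the Application log; a per-user failure appears here
# before it surfaces as an SSPR error for the end user.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'PasswordResetService' } -MaxEvents 50 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -Wrap
```

Running part 1 before and after any support-side cleanup gives you a concrete list of which accounts are in the conflicting state and a count to hand to MS Support; part 2 is the first place to look after flipping writeback on, since the sync server logs the per-user outcome of each reset attempt there.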