RimFire007

asked on

Azure writeback and password reset via ADUC

Hi

A Microsoft 365 Business setup with an Azure AD P1 subscription and a Windows Server 2016 Enterprise on-premises AD.
When I force a password reset for a user via ADUC and check "User must change password at next logon", it doesn't work. At the O365 portal login (http://mail.office365.com or https://portal.office.com) he/she gets an error saying:
"Your email or password is incorrect. If you don't remember your password, reset it now"
How do I make this work (for offshore workers)? On a LAN computer this works, but the goal is to have this working for offshore workers as well.
Azure-AD-Connect-Settings.JPG
Mahesh

You need to configure Azure SSPR (self-service password reset) for your users (password writeback).
This requires an Azure AD Premium license; an EMS license will also do.
Check
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-writeback

If you don't want to invest in licenses and you have an ADFS infrastructure, you can enable password reset on ADFS as well:
https://blogs.msdn.microsoft.com/samueld/2015/05/13/adfs-2012-r2-now-supports-password-change-not-reset-across-all-devices/

But the Azure writeback option is more secure, with OTP, verification call, etc.
Are you sure you've assigned Azure AD P1 licenses? As I recall, Microsoft 365 Business does NOT include P1; Microsoft 365 Enterprise does.

Without that, password write back won't work.
RimFire007 (ASKER)

Hi

I believe that Azure SSPR is configured.

The test user has an Azure AD P1 license as well as M365. Forcing a password reset / "User must change password at next logon" via ADUC works if the user logs on to a domain computer. Also, after he/she has changed to the new password on the domain computer, it is passed to M365. Are there any further tests I can do? Any other thoughts?
Furthermore:

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-writeback
The account specified in the Azure AD Connect utility must have the following items set if you want to be in scope for SSPR.

The instructions don't seem to be accurate for my Server 2016 domain. Is there any PowerShell command or similar to check that the account permissions are correct? The account (admin@mydomain.fi) is an Enterprise Admin, for example.

AccessChk v6.12

PS C:\Windows\system32> Accesschk "MyDomain\admin" -a *

Accesschk v6.12 - Reports effective permissions for securable objects
Copyright (C) 2006-2017 Mark Russinovich
Sysinternals - www.sysinternals.com

Error enumerating account for the ADSyncAdmins group:
The system cannot find the file specified.
Error enumerating account for the Denied RODC Password Replication Group group:
The system cannot find the file specified.
        SeSecurityPrivilege
        SeBackupPrivilege
        SeRestorePrivilege
        SeSystemtimePrivilege
        SeShutdownPrivilege
        SeRemoteShutdownPrivilege
        SeTakeOwnershipPrivilege
        SeDebugPrivilege
        SeSystemEnvironmentPrivilege
        SeSystemProfilePrivilege
        SeProfileSingleProcessPrivilege
        SeIncreaseBasePriorityPrivilege
        SeLoadDriverPrivilege
        SeCreatePagefilePrivilege
        SeIncreaseQuotaPrivilege
        SeUndockPrivilege
        SeManageVolumePrivilege
        SeImpersonatePrivilege
        SeCreateGlobalPrivilege
        SeTimeZonePrivilege
        SeCreateSymbolicLinkPrivilege
        SeChangeNotifyPrivilege
        SeDelegateSessionUserImpersonatePrivilege
        SeEnableDelegationPrivilege
        SeInteractiveLogonRight
        SeNetworkLogonRight
        SeBatchLogonRight
        SeRemoteInteractiveLogonRight
        SeIncreaseWorkingSetPrivilege
PS C:\Windows\system32>
First of all, find the service account used for Azure AD Connect.
You will find it if you run the Azure AD Connect shortcut on the desktop and, after initialization, run "View current configuration"; there you will find which account is configured.
Go to ADUC, domain.com properties, and grant Change Password, Reset Password, Write lockoutTime and Write pwdLastSet to this account.
Also allow direct internet access to the AD Connect server.
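As an added example (not code from this thread or from Microsoft), the following PowerShell script reports, and optionally grants, the four domain-root permissions listed above for the AD Connect service account; it also answers the earlier question about checking those permissions from PowerShell. It assumes the ActiveDirectory module, a Domain Admin session, and a placeholder account name.

```powershell
# Added example: verify (and with $Apply = $true, grant) the domain-root ACEs that
# password writeback needs for the Azure AD Connect service account.
# Assumptions: ActiveDirectory module present, run as Domain Admin on a DC or RSAT host,
# $ServiceAccount is a placeholder for the account shown in "View current configuration".
Import-Module ActiveDirectory

$ServiceAccount = 'MYDOMAIN\AAD_PLACEHOLDER'   # placeholder: replace with your AD Connect account
$Apply          = $false                       # $false = report only; $true = add missing ACEs
$DomainPath     = 'AD:\' + (Get-ADDomain).DistinguishedName

# Schema GUIDs (fixed across all forests) for the rights and attributes named in the thread
$Rights = @(
  @{ Name = 'Reset Password';   Type = 'ExtendedRight'; Guid = [Guid]'00299570-246d-11d0-a768-00aa006e0529' }
  @{ Name = 'Change Password';  Type = 'ExtendedRight'; Guid = [Guid]'ab721a53-1e2f-11d0-9819-00aa0040529b' }
  @{ Name = 'Write lockoutTime'; Type = 'WriteProperty'; Guid = [Guid]'28630ebf-41d5-11d1-a9c1-0000f80367c1' }
  @{ Name = 'Write pwdLastSet';  Type = 'WriteProperty'; Guid = [Guid]'bf967a0a-0de6-11d0-a285-00aa003049e2' }
)
$UserClassGuid = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # limit inheritance to user objects (least privilege)
$Inherit       = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

# Resolve the account once: SID for the new ACEs, NT name for matching existing ACEs
$Sid    = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).Translate([System.Security.Principal.SecurityIdentifier])
$NtName = $Sid.Translate([System.Security.Principal.NTAccount]).Value
$Acl    = Get-Acl -Path $DomainPath
$Missing = 0

foreach ($R in $Rights) {
  $Needed = [System.DirectoryServices.ActiveDirectoryRights]$R.Type
  # An existing ACE satisfies the requirement if it is Allow, for this account,
  # carries this object GUID, and includes the needed right (flags enum, so -band)
  $Have = $Acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.ObjectType -eq $R.Guid -and
    (($_.ActiveDirectoryRights -band $Needed) -ne 0) -and
    $_.IdentityReference.Value -ieq $NtName
  }
  if ($Have) { Write-Host ("OK      {0}" -f $R.Name); continue }
  $Missing++
  Write-Host ("MISSING {0}" -f $R.Name)
  if ($Apply) {
    $Rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Sid, $Needed, 'Allow', $R.Guid, $Inherit, $UserClassGuid)
    $Acl.AddAccessRule($Rule)
  }
}
if ($Apply -and $Missing -gt 0) {
  Set-Acl -Path $DomainPath -AclObject $Acl
  Write-Host ("Applied {0} ACE(s) on {1}" -f $Missing, $DomainPath)
}
```

Run it once with `$Apply = $false` to see which ACEs are absent before changing the domain root ACL; the ACEs are scoped to descendant user objects only, which is narrower than granting the rights on the whole domain.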
Hi

As the screenshot in my initial question shows, the service account seems to be mydomain.local\administrator. It seems that I can't change it to, let's say, admin@mydomain.fi. Is that the problem?
OK
I missed the screenshot.
mydomain.local\administrator is the service account...
I think it is the AD built-in administrator with Domain Admins membership, correct?
You can't change the above account now; granting another account permissions will not work because the service account is used to impersonate and reset the AD password.
You already have admin rights with the administrator account, so permissions are not an issue.

If you go to the AD Connect server, check which account the Azure sync service runs under.
If it's different, change it to the current service account shown in the screenshot.

If you want to change the service account, you need to run setup again with custom config, select "use service account" and specify the new service account there.
ASKER CERTIFIED SOLUTION
Mahesh
Well, I just re-ran the Azure AD Connect wizard using the account I used originally. Please see the attached print screen. Does the service account have the correct permissions?

While waiting for your answer I am checking how passwords work now.
Azure-AD-Connect-Settings-account-th.JPG
The service account should have the correct permissions on the domain.com properties in ADUC, as highlighted in the article, not on the account's own properties.

Now ensure that the account shown in services and in the configuration overview screenshot is the same; only then will it work.
If you are keeping the built-in AD administrator account as the service account, it should work as long as services also show the same account.
BTW, the computer I'm using for this test is Windows 7 Ultimate and it is joined to a different domain. I can't see Event ID 31005 on the server.

The test user is using Firefox, and after I made the password reset in ADUC ("User must change password at next logon"), the test user tries to log in at http://mail.office365.com.
Aha, please check the attached print screen. Is that user the one I need to grant password reset etc. permissions to, as advised here?
Azure-AD-Connect-Service-Account-Per.JPG
Yes, try it; otherwise change it to the original administrator (the one shown in the configuration overview) under services.msc and it will definitely work.
Hmm... Still, it is not working. I don't dare to change the ADSync service's Log On account. Currently it is MyDomain\AAD_....

If I change it to the built-in Administrator account (Enterprise Admin) and then want to switch it back to MyDomain\AAD_...., it would probably ask for the password, which I don't have, right?

I may try to test this:
Set-MsolUserPassword -UserPrincipalName user@domain.com -ForceChangePasswordOnly $true -ForceChangePassword $true

as Vasil Michev (MVP) suggested elsewhere.
I don't think this is a service account issue, unless I misread the behavior.

If password writeback was failing, the user would be prompted to change their password online, but an error would occur when they submit their new password.

If they are not even prompted to change their password online, then Azure sees the account as synced and NOT enabled for password writeback, which is a configuration issue with the online account / license.
There won't be any issue in changing the service account; I have already done this exercise in the past and manually changed the service account.
Did you get the password change option when trying to reset from the Azure password change portal?
The user has to register with the portal initially:
https://aka.ms/ssprsetup

Did you get the below when trying to reset the password?
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-reset-register
Aha

The Set-MsolUserPassword PS command worked for the offshore user. However, not for the domain user who sits in the AD LAN. I mean, if the domain user logs on to the computer it won't force him/her to change the password. Only if he/she goes to http://mail.office365.com will it force the password change.

But this is better already. Is there any PowerShell command to set a password change for an OU or group? Need to be careful though.
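As an added example (not from this thread), a PowerShell script that forces a password change at next sign-in for every enabled user in one OU or one AD group, setting both the cloud flag (the Set-MsolUserPassword call used above) and the on-premises flag (pwdLastSet = 0 via Set-ADUser), so that both the portal and a domain logon prompt for the change. It assumes the ActiveDirectory and MSOnline modules, and the OU and group names are placeholders.

```powershell
# Added example: force "change password at next sign-in" for the members of an OU or group,
# in Azure AD (Set-MsolUserPassword) and in on-premises AD (Set-ADUser -ChangePasswordAtLogon).
# Report-only unless $Apply is $true. Assumptions: ActiveDirectory + MSOnline modules installed;
# $TargetOU / $TargetGroup are placeholders; the MSOnline session is an Azure AD admin.
Import-Module ActiveDirectory
Import-Module MSOnline
Connect-MsolService                                  # interactive Azure AD admin sign-in

$Apply       = $false                                # dry run by default; set $true to enforce
$TargetOU    = 'OU=Offshore,DC=mydomain,DC=local'    # placeholder; set to $null to target the group
$TargetGroup = 'OffshoreWorkers'                     # placeholder; used only when $TargetOU is $null

if ($TargetOU) {
  $Users = Get-ADUser -SearchBase $TargetOU -Filter { Enabled -eq $true } -Properties UserPrincipalName
} else {
  $Users = Get-ADGroupMember -Identity $TargetGroup -Recursive |
           Where-Object objectClass -eq 'user' |
           Get-ADUser -Properties UserPrincipalName |
           Where-Object Enabled
}

# Skip accounts with no UPN (cannot be matched in Azure AD) and the AD Connect sync account itself
$Users = @($Users | Where-Object { $_.UserPrincipalName -and $_.SamAccountName -notlike 'AAD_*' })

foreach ($U in $Users) {
  $Verb = if ($Apply) { 'FORCING' } else { 'WOULD FORCE' }
  Write-Host ("{0,-11} {1}" -f $Verb, $U.UserPrincipalName)
  if (-not $Apply) { continue }
  try {
    # Cloud side: the same call that worked for the offshore user in the thread
    Set-MsolUserPassword -UserPrincipalName $U.UserPrincipalName `
        -ForceChangePasswordOnly $true -ForceChangePassword $true -ErrorAction Stop | Out-Null
    # On-premises side: pwdLastSet = 0, so a domain logon also prompts for the change
    Set-ADUser -Identity $U -ChangePasswordAtLogon $true -ErrorAction Stop
  } catch {
    # Typical causes: "password never expires" set on the AD account, or the UPN not found in Azure AD
    Write-Warning ("{0}: {1}" -f $U.UserPrincipalName, $_.Exception.Message)
  }
}
Write-Host ("{0} user(s) in scope" -f $Users.Count)
```

Run with `$Apply = $false` first and read the list of UPNs; a wrong `$TargetOU` would otherwise lock a whole department into a password change at once.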
Hmm. It seems that now everything works as it should. I will test a little bit more and post the results here. The AAD_.. service account didn't have enough rights, and the trick was:
https://jaapwesselius.com/2016/03/18/office-365-password-writeback/ hinted at by Mahesh.
It is a bit tricky to provide the correct permissions via Active Directory Users and Computers / Advanced view, but taking the leap of faith I was able to set this up just the way I planned. Thanks for the help.