Azure writeback and password reset via ADUC

Hi

A Microsoft 365 Business setup with an Azure AD P1 subscription and a Windows Server 2016 Enterprise on-premises AD.
When I force a password reset for a user via ADUC and check "User must change password at next logon", it doesn't work. At the O365 portal login (http://mail.office365.com or https://portal.office.com) he/she gets an error saying:
"Your email or password is incorrect. If you don't remember your password, reset it now"
How do I make this work (for offshore workers)? On a LAN computer this works, but the goal is to have this working for offshore workers as well.
(attachment: Azure-AD-Connect-Settings.JPG)
RimFire007Asked:
MaheshArchitectCommented:
You need to configure Azure SSPR (self-service password reset) for your users, with password writeback.
This requires an Azure AD Premium license; an EMS license will also do.
Check:
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-writeback

If you don't want to invest in licenses and you have ADFS infrastructure, you can enable password reset on ADFS as well:
https://blogs.msdn.microsoft.com/samueld/2015/05/13/adfs-2012-r2-now-supports-password-change-not-reset-across-all-devices/

But the Azure writeback option is more secure, with OTP, verification call, etc.
1
Cliff GaliherCommented:
Are you sure you've assigned Azure AD P1 licenses? As I recall, Microsoft 365 Business does NOT include P1; Microsoft 365 Enterprise does.

Without that, password writeback won't work.
0
RimFire007Author Commented:
Hi

I believe that Azure SSPR is configured.

The test user has an Azure AD P1 license as well as M365. Forcing a password reset / "User must change password at next logon" via ADUC works if the user logs in on a domain computer. Also, after he/she has changed to the new password on the domain computer, it is passed to M365. Are there any further tests I can do? Any other thoughts?
0
RimFire007Author Commented:
Furthermore:

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-writeback
"The account specified in the Azure AD Connect utility must have the following items set if you want to be in scope for SSPR."

The instructions don't seem to be accurate for my Server 2016 domain. Is there any PowerShell command or similar to check that the account permissions are correct? The account (admin@mydomain.fi) is an Enterprise Admin, for example.

AccessChk v6.12

PS C:\Windows\system32> Accesschk "MyDomain\admin" -a *

Accesschk v6.12 - Reports effective permissions for securable objects
Copyright (C) 2006-2017 Mark Russinovich
Sysinternals - www.sysinternals.com

Error enumerating account for the ADSyncAdmins group:
The system cannot find the file specified.
Error enumerating account for the Denied RODC Password Replication Group group:
The system cannot find the file specified.
        SeSecurityPrivilege
        SeBackupPrivilege
        SeRestorePrivilege
        SeSystemtimePrivilege
        SeShutdownPrivilege
        SeRemoteShutdownPrivilege
        SeTakeOwnershipPrivilege
        SeDebugPrivilege
        SeSystemEnvironmentPrivilege
        SeSystemProfilePrivilege
        SeProfileSingleProcessPrivilege
        SeIncreaseBasePriorityPrivilege
        SeLoadDriverPrivilege
        SeCreatePagefilePrivilege
        SeIncreaseQuotaPrivilege
        SeUndockPrivilege
        SeManageVolumePrivilege
        SeImpersonatePrivilege
        SeCreateGlobalPrivilege
        SeTimeZonePrivilege
        SeCreateSymbolicLinkPrivilege
        SeChangeNotifyPrivilege
        SeDelegateSessionUserImpersonatePrivilege
        SeEnableDelegationPrivilege
        SeInteractiveLogonRight
        SeNetworkLogonRight
        SeBatchLogonRight
        SeRemoteInteractiveLogonRight
        SeIncreaseWorkingSetPrivilege
PS C:\Windows\system32>
0
MaheshArchitectCommented:
First of all, find the service account used for Azure AD Connect.
You will find it if you run the Azure AD Connect shortcut on the desktop; after initialization, run "View current configuration", and there you will see which account is configured.
Go to ADUC, domain.com properties, and grant Change Password, Reset Password, Write lockoutTime and Write pwdLastSet to this account.
Also allow direct internet access to the AD Connect server.
0
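An added example (not posted by anyone in this thread) that does in PowerShell the permission check RimFire007 asked for above: it resolves the GUIDs of the four rights Mahesh lists from the schema and configuration partitions, inspects the ACL on the domain root for ACEs granted to the AD Connect connector account that inherit to user objects, and prints a dsacls command for each right that is missing. It assumes the RSAT ActiveDirectory module, a Domain Admin session, and that $SyncAccount is replaced with the account shown under "View current configuration" (the MYDOMAIN\AAD_... name is a placeholder, not from the thread).

```powershell
# Added example, not from the thread. Checks whether the Azure AD Connect
# AD DS connector account holds the four rights password writeback needs on
# the domain root (Reset Password, Change Password, Write lockoutTime,
# Write pwdLastSet) and prints a dsacls command for each one that is missing.
# Assumptions: run on a domain-joined machine as a Domain Admin with the RSAT
# ActiveDirectory module; $SyncAccount is the account shown under
# "View current configuration" in the Azure AD Connect wizard.
Import-Module ActiveDirectory

$SyncAccount = 'MYDOMAIN\AAD_xxxxxxxxxxxx'   # assumption: replace with your connector account

$rootDse  = Get-ADRootDSE
$domainDn = $rootDse.defaultNamingContext
$schemaNc = $rootDse.schemaNamingContext
$rightsNc = "CN=Extended-Rights,$($rootDse.configurationNamingContext)"

# Look the GUIDs up in the schema and configuration partitions rather than
# hard-coding them, so the check works in any forest.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $o = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    $o = Get-ADObject -SearchBase $rightsNc -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$o.rightsGuid
}

$userClassGuid = Get-SchemaGuid 'user'
$required = @(
    @{ Name = 'Reset Password';    Right = 'ExtendedRight'; Guid = (Get-ExtendedRightGuid 'Reset Password');  Dsacls = 'CA;Reset Password;user' },
    @{ Name = 'Change Password';   Right = 'ExtendedRight'; Guid = (Get-ExtendedRightGuid 'Change Password'); Dsacls = 'CA;Change Password;user' },
    @{ Name = 'Write lockoutTime'; Right = 'WriteProperty'; Guid = (Get-SchemaGuid 'lockoutTime');            Dsacls = 'WP;lockoutTime;user' },
    @{ Name = 'Write pwdLastSet';  Right = 'WriteProperty'; Guid = (Get-SchemaGuid 'pwdLastSet');             Dsacls = 'WP;pwdLastSet;user' }
)

# Compare by SID so an unresolvable or differently-formatted account name cannot fool the check.
$sid   = (New-Object System.Security.Principal.NTAccount($SyncAccount)).Translate([System.Security.Principal.SecurityIdentifier])
$acl   = Get-Acl -Path "AD:\$domainDn"
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

foreach ($r in $required) {
    $want = [System.DirectoryServices.ActiveDirectoryRights]$r.Right
    # An ACE counts only if it is an Allow for this SID, names the right's GUID,
    # and is inherited down to user objects (what "Descendant User objects" in ADUC sets).
    $hit = $rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $sid.Value -and
        $_.ObjectType -eq $r.Guid -and
        ([int]($_.ActiveDirectoryRights -band $want)) -ne 0 -and
        $_.InheritanceType -ne 'None' -and
        ($_.InheritedObjectType -eq $userClassGuid -or $_.InheritedObjectType -eq [guid]::Empty)
    }
    if ($hit) {
        "OK       $($r.Name)"
    } else {
        "MISSING  $($r.Name)  -> grant with:"
        "         dsacls `"$domainDn`" /I:S /G `"$SyncAccount`:$($r.Dsacls)`""
    }
}
```

The printed dsacls lines grant the right on the domain root with inheritance to sub-objects only (/I:S), which is the same effect as the ADUC "Descendant User objects" entries in the linked article; run them as a Domain Admin and re-run the check afterwards.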
RimFire007Author Commented:
Hi

As the screenshot in my initial question shows, the service account seems to be mydomain.local\administrator. It seems to me that I can't change it to, let's say, admin@mydomain.fi. Is that the problem?
0
MaheshArchitectCommented:
OK,
I missed the screenshot.
mydomain.local\administrator is the service account...
I think it is the AD built-in Administrator with Domain Admins membership, correct?
You can't change the above account now; granting another account permissions will not work, because the service account is used to impersonate and reset the AD password.
You already have admin rights with the Administrator account, so permissions are not an issue.........

If you go to the AD Connect server, check which account the Azure sync service runs under.
If it's different, change it to the current service account shown in the screenshot.

If you want to change the service account, you need to run setup again with custom configuration and select "use service account", and there specify the new service account.
0
MaheshArchitectCommented:
Here is one more link on configuring writeback, with screenshots:
https://jaapwesselius.com/2016/03/18/office-365-password-writeback/
0
RimFire007Author Commented:
Well, I just reran the Azure AD Connect wizard using the account I used originally. Please see the attached print screen. Does the service account have the correct permissions?

While waiting for your answer I'll just check how passwords work now.
(attachment: Azure-AD-Connect-Settings-account-th.JPG)
0
MaheshArchitectCommented:
The service account should have the correct permissions on the domain.com properties in ADUC, as highlighted in the article, not on the account's own properties.

Now ensure that the account shown in services and in the configuration overview screenshot is the same; only then will it work.
If you are keeping the built-in AD Administrator account as the service account, it should work as long as services also shows the same account.
0
RimFire007Author Commented:
BTW, the computer I'm using for this test is Win 7 Ultimate and it is joined to a different domain. I can't see Event ID 31005 on the server.

The test user is using Firefox, and after I did the password reset in ADUC / "User must change password at next logon", the test user tries to log in at http://mail.office365.com.
0
RimFire007Author Commented:
Aha, please check the attached print screen. Is that the user I need to grant the password reset etc. permissions to, as advised here?
(attachment: Azure-AD-Connect-Service-Account-Per.JPG)
0
MaheshArchitectCommented:
Yes, try it; otherwise change it to the original Administrator (the one shown in the configuration overview) under services.msc, and it will definitely work.
0
RimFire007Author Commented:
Hmm.. Still, it is not working. I don't dare to change the ADSync service's Log On account. Currently it is MyDomain\AAD_....

If I change it to the built-in Administrator account (Enterprise Admin) and later want to switch it back to MyDomain\AAD_...., it would probably ask for the password, which I don't have, right?

I may try to test this:
Set-MsolUserPassword -UserPrincipalName user@domain.com -ForceChangePasswordOnly $true -ForceChangePassword $true

as Vasil Michev (MVP) suggested elsewhere.
0
Cliff GaliherCommented:
I don't think this is a service account issue, unless I misread the behavior.

If password writeback were failing, the user would be prompted to change their password online, but an error would occur when they submit their new password.

If they are not even prompted to change their password online, then Azure sees the account as synced and NOT enabled for password writeback, which is a configuration issue with the online account / license.
0
MaheshArchitectCommented:
There won't be any issue in changing the service account; I have already done this exercise in the past and manually changed the service account.
Do you get the password change option when trying to reset from the Azure password change portal?
The user has to register with the portal initially:
https://aka.ms/ssprsetup

Do you get the stuff below upon trying to reset the password?
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-reset-register
0
RimFire007Author Commented:
Aha

The Set-MsolUserPassword PS command worked for the offshore user. However, not for the domain user who sits in the AD LAN. I mean, if the domain user logs on to the computer it won't force him/her to change the password. Only if he/she goes to http://mail.office365.com will it force the password change.

But this is better already. Is there any PowerShell command to set a password change for an OU or group? Need to be careful though.
0
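An added example (not posted by anyone in this thread) for the group question above. It takes one on-premises AD group and sets "change password at next logon" on both sides of the sync: in AD with Set-ADUser (the same flag the ADUC checkbox sets, which is what the LAN users need) and in Azure AD with the Set-MsolUserPassword call already used in this thread (which is what made the offshore user work). It is a dry run by default. Assumptions: RSAT ActiveDirectory and MSOnline modules, Connect-MsolService already run, a placeholder group name, and that each user's AD UPN equals their Azure AD UPN (a non-routable suffix such as .local would not match and those users would have to be mapped by hand).

```powershell
# Added example, not from the thread. Forces "change password at next logon"
# for every user in one AD group, in on-premises AD and in Azure AD.
# Dry run by default; set $Apply = $true to make the changes.
# Assumptions: RSAT ActiveDirectory and MSOnline modules installed,
# Connect-MsolService already run, group name below is a placeholder, and
# the AD userPrincipalName matches the Azure AD UPN (default AAD Connect mapping).
Import-Module ActiveDirectory
Import-Module MSOnline

$GroupName = 'Offshore Workers'   # assumption: your on-premises AD group
$Apply     = $false               # $false = only list what would change

# Resolve members (nested groups too) to enabled user objects that have a UPN.
$users = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { Get-ADUser -Identity $_.distinguishedName -Properties userPrincipalName } |
    Where-Object { $_.Enabled -and $_.UserPrincipalName }

foreach ($u in $users) {
    $upn = $u.UserPrincipalName

    # Refuse to touch accounts that do not exist in the tenant instead of failing half-way.
    $cloud = Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue
    if (-not $cloud) { "SKIP (no Azure AD user with UPN $upn)"; continue }

    if (-not $Apply) { "Would force change at next logon (AD + Azure AD): $upn"; continue }

    # On-prem: equivalent of ticking "User must change password at next logon" in ADUC.
    Set-ADUser -Identity $u -ChangePasswordAtLogon $true

    # Cloud: make the Office 365 sign-in demand a new password as well.
    Set-MsolUserPassword -UserPrincipalName $upn -ForceChangePasswordOnly $true -ForceChangePassword $true
    "Forced: $upn"
}
"Processed $(@($users).Count) user(s); Apply=$Apply"
```

Run it once with $Apply left at $false and read the list before flipping it; for an OU instead of a group, replace the Get-ADGroupMember pipeline with Get-ADUser -SearchBase "<OU DN>" -Filter * and keep the rest.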
RimFire007Author Commented:
Hmm. It seems that now everything works as it should. I will test a little more and post the results here. The AAD_.. service account didn't have enough rights, and the trick was:
https://jaapwesselius.com/2016/03/18/office-365-password-writeback/ hinted at by Mahesh.
0
RimFire007Author Commented:
It is a bit tricky to provide the correct permissions via Active Directory Users and Computers / Advanced view, but taking the leap of faith I was able to set this up just the way I planned. Thanks for the help.
0