If you are licensed for AZURE AD premium P1 or P2 , you are eligible to use this feature.
Many enterprise already own it as they opt for EMS 3 (enterprise mobility & security E3) that include AD premium plan 1.
This feature is easy to implement and doesn't require extra hardware or software and it also works with on-premise AD.
Below are the steps that we have followed and implemented it for one of our clients.
First and foremost step is to enable password writeback on your AZURE AD connect server.
- if your domain controllers are of 2008 version than hotfix KB2386717 is required.
We tried to implement it without this hotfix & it was not working till it was installed.
- Enable password write back in AZURE AD connect.
- Verify the permissions for the AZURE AD connect account.
- Reset Password
- Change Password
- Write lockoutTime
- Write pwdLastSet
- Log on to AZURE AD --> Password Reset
Under properties --> Choose selected and Select the AD group ( We can do this instead of all to demo/test the capability first before rolling out to the whole organization)
Select Authentication methods (we selected single & mobile for demonstration)
Under registration we selected NO as we don't want any registration is prompted to users when they login to o365.
Next is notifications -->We chose defaults
Under on-premise integration, Select write-back and if you want to users to have unlock option as well than choose yes for unlock.
That is it, we are done now, lets see a small demo of it.
go to link https://passwordreset.microsoftonline.com/
Type User id & Captcha
In next step it will get your mobile from active directory & asks you to type the mobile number as it only shows last 2 digits.
you can use either voice or test option to your mobile phone.
ones that is verified you are presented with below screen to change your password,
.This operation is synchronous so password is immediately usable.
Good thing is with password write-back enabled we are getting one other feature that is change your password from office 365 console.
You have seen, how easy is this to implement & how seamless it works without much complications.
You can refer more on Microsoft site if you have doubts about the security/encryption standard it follows.
Thanks for reading