I'm testing Azure AD Connect on a small "test" domain before I proceed with a full sync of our domain.
Unfortunately, I'm having some problems. Before I get to the problems, here's my setup:
- The name of the domain is NOT the same as the Azure domain, but an added UPN suffix IS.
- I've set up AD Connect to sync only a single OU (for testing)
- The OU contains a single User with a manually specified email.
- The same user was created manually in Azure prior to starting the sync process. The Azure user was given an email licence, and an email address.
- Azure AD Connect was set up with pretty basic settings. Password write-back was enabled as part of those settings. The system is set up to only sync that single OU specified earlier.
It appears that changing the test user's password in my local AD (and waiting for a sync) does update the password in Azure. However, the operation appears to be one-way, despite password write-back being enabled. Logged in as the test user, I can request a password change without any issues (AND this new password starts to work for online logins); however, this is never replicated in my local AD (old password works, new password doesn't).
There's an event log that happens at the same time the password is changed, but it doesn't really get me anywhere.
TrackingId: 5a76d0fc-3248-42b6-9a7a-cf8265766f38, HeartBeat for Namespace: ssprdedicatedsbprodscu, Endpoint: 3333b860-8fed-4146-aaeb-682401d60e10_2f466786-5627-462d-bcf7-ffc4bf83e8a0, Details: Version: 5.0.0.1541
I also tried to use the AD Connect troubleshooting portal, but that detected no faults.
Any idea how to proceed with debugging / fixing this?
As @joeqwerty noted, this is a premium feature available only to Azure AD P1 and P2 subscriptions.
This is the current page that covers licensing and the password management options with Azure AD: https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-licensing
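Added example, not part of either post above: a PowerShell checklist for the one-way writeback symptom described in the question, starting from the licensing point made in the answer and working down to the Connect server. The Graph part needs the Microsoft.Graph.Users module; the ADSync and ACL parts run on the Azure AD Connect server in an elevated session. The UPN, OU distinguished name and connector account name are placeholders to replace; the property names read from the ADSync cmdlets reflect their documented output and are noted as assumptions where they matter.

```powershell
# Added example (not from the original question or answer): checks for
# "cloud password change works, but is never written back to on-prem AD".
# Placeholders (assumptions) to adjust for your environment:
$TestUpn          = 'testuser@contoso.com'          # UPN of the synced test user
$TestOuDn         = 'OU=SyncTest,DC=corp,DC=local'  # the single OU scoped for sync
$ConnectorAccount = 'CORP\MSOL_xxxxxxxxxxxx'        # AD DS connector account (express installs name it MSOL_<hex>)

# 1. Licensing (the answer's point): SSPR writeback requires Azure AD P1 or P2.
#    AAD_PREMIUM / AAD_PREMIUM_P2 are the service-plan names for P1 and P2; checking
#    service plans rather than SKUs also covers bundles (EMS, M365 E3/E5) that include them.
function Test-WritebackLicense {
    param([string]$Upn)
    Connect-MgGraph -Scopes 'User.Read.All' | Out-Null
    $plans = Get-MgUserLicenseDetail -UserId $Upn |
             Select-Object -ExpandProperty ServicePlans |
             Select-Object -ExpandProperty ServicePlanName
    $hasPremium = ($plans -contains 'AAD_PREMIUM') -or ($plans -contains 'AAD_PREMIUM_P2')
    [pscustomobject]@{ Check = 'Azure AD P1/P2 on user'; Pass = $hasPremium; Detail = ($plans -join ',') }
}

# 2. Writeback actually enabled on the Connect server, not just ticked in the wizard.
#    Assumption: Get-ADSyncAADPasswordResetConfiguration exposes a Status property
#    ('Enabled'/'Disabled'), and the Azure AD connector has Type 'Extensible2'.
function Test-WritebackConfig {
    Import-Module ADSync -ErrorAction Stop
    $aad = Get-ADSyncConnector | Where-Object { $_.Type -eq 'Extensible2' } | Select-Object -First 1
    $cfg = Get-ADSyncAADPasswordResetConfiguration -Connector $aad.Name
    $svc = Get-Service ADSync
    [pscustomobject]@{
        Check  = 'Writeback enabled on connector'
        Pass   = ($cfg.Status -eq 'Enabled') -and ($svc.Status -eq 'Running')
        Detail = "Connector='$($aad.Name)' Status=$($cfg.Status) ADSyncService=$($svc.Status)"
    }
}

# 3. The connector account needs the 'Reset Password' control-access right plus
#    write access to lockoutTime and pwdLastSet on the synced OU. The GUID below is
#    the well-known schema GUID of the Reset Password extended right.
function Test-WritebackAcl {
    param([string]$OuDn, [string]$Account)
    Import-Module ActiveDirectory -ErrorAction Stop
    $resetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'
    $acl = Get-Acl -Path "AD:\$OuDn"
    $aces = $acl.Access | Where-Object { $_.IdentityReference -eq $Account -and $_.AccessControlType -eq 'Allow' }
    $canReset = [bool]($aces | Where-Object {
        $_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight -and
        $_.ObjectType -eq $resetPasswordRight
    })
    [pscustomobject]@{
        Check  = "Reset Password right for $Account on OU"
        Pass   = $canReset
        Detail = ($aces | ForEach-Object { "$($_.ActiveDirectoryRights):$($_.ObjectType)" }) -join '; '
    }
}

# 4. Pull the writeback events and drop the HeartBeat noise quoted in the question,
#    so that any per-reset failure message stands out.
#    Assumption: the events land in the Application log under provider 'PasswordResetService'.
function Get-WritebackEvents {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'PasswordResetService'
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -notmatch 'HeartBeat' } |
        Select-Object TimeCreated, Id, LevelDisplayName, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

# Run the checks in order; the first failing row is the place to start.
Test-WritebackLicense -Upn $TestUpn
Test-WritebackConfig
Test-WritebackAcl -OuDn $TestOuDn -Account $ConnectorAccount
Get-WritebackEvents -Hours 24 | Format-Table -AutoSize
```

Run the licence check first: if the test user only carries a mailbox licence, the remaining checks will all pass and the reset still will not come back on-prem, which matches the symptom in the question. The ACL check only inspects ACEs set directly on the OU for the exact account string given; inherited grants from the domain root show up with IsInherited set and can be listed by dropping the IdentityReference filter.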