Passwords, attributes and more in Azure AD and AD DS

Having an Azure AD as your additional or main directory is a good thing. Unlike AD DS, which is built having primarily on-premises environments in mind, Azure AD is much more flexible and more adoptable to today’s hybrid environments. As most of us probably know, Azure AD serves as a directory and as authentication/authorization mechanism for most of services running on Azure. Most commonly, it is used by Office 365. However, it is even more interesting when you use it together with your local AD DS environment. Synchronization between AD DS and Azure AD is very easy to setup – if you don’t need much customization, you can do it in literally few clicks. On the other hand, if you want to customize it or do some fine tuning – you have plenty of options for that.

In this post, I want to emphasize some less known things and facts regarding passwords and attributes of user accounts when using Azure AD in hybrid environment, with locally deployed AD DS.
One of the things that are so desperately missing from AD DS is self-service password reset. Sure, you can implement it on the AD DS if you deploy Microsoft Identity Manager, but usually it’s not worth so much. Azure AD provides you with this functionality out-of-the-box. However, in hybrid, if you use Azure AD Premium P1 or P2, you can use this functionality even for your local AD DS. All you have to do is to configure self-service password reset in Azure AD admin portal, while having password-write back enabled by Azure AD Connect (followed by few PS commands executed locally to set appropriate permissions to write passwords).


Self-service password reset functionality gives users the option to reset their own password without requiring intervention by an administrator. To reset a password, users must do additional authentication of their identity. The following alternative authentication methods are available – Email, Mobile phone, Office phone, Security questions. These alternative authentication methods must be setup by user before actually using this functionality. You can find very good resources on SSPR here: and for password write back, see here:


Users can change their passwords via the login page or user settings in Office 365, and have them written back to on-premises AD DS, when you deploy Office 365 in hybrid scenario.

Let’s see few more useful things about user accounts when used in hybrid environment:

  • If you accidentally delete a user account and a directory synchronization cycle runs, this action will delete the user in Office 365. However, if you have the recycle bin feature enabled in AD DS, you can recover the account from the recycle bin, and the link between accounts is re-established. If you do not have the recycle bin enabled, you might need to create another account with a new GUID.
  • Synchronized user accounts that you delete from your local AD DS will also appear in Deleted users section in Office 365 admin center. However, if you restore this type of deleted user account, it will reappear as account created in cloud and will not be synchronized with local AD DS anymore.
  • Password policy that you configure in the Office 365 applies to user accounts created in Office 365. However, if you synchronize user accounts from your local AD DS, these accounts will be affected by password policy that you configure by using Group Policy in your local domain. Password settings from your local AD DS override password settings in Office 365, for synchronized accounts.
  • You should be aware that for synchronized user accounts with password hash sync, their corresponding cloud account password is set to Never Expire. This means that a user can continue to sign in to Office 365 by using a synchronized password that is expired in your on-premises AD DS. Cloud password for such user is updated when a user changes the password in the on-premises environment.
  • If you have user accounts in your local AD DS that are set to expire at some time, as part of user account management, you should know that accountExpires attribute is not synchronized to Office 365. Because of this, an expired account in your local AD DS, configured for password hash synchronization will still be active in Office 365. It is recommended in this scenario that you have a workflow action that runs a PowerShell script that disables the user’s account in the Office 365.

Author: ddamir

Damir Dizdarevic is a and IT professional. He works as a manager of MS CPLS Learning Center in Logosoft Sarajevo, and as a lecturer and author of MOC courses. Occasionally, he also works as a system designer for complex enterprise environments. He is a founding member and president of Bosnian Microsoft Community. He has been working with Microsoft platforms for the last 17 years and he is particularly specialized in Windows Server, Exchange Server, mobility and virtualization. Microsoft awarded him with the Most Valuable Professional – MVP status for his outstanding contribution in sharing knowledge about Microsoft Server products, large number of lectures he delivered, and for his high technical competence. Damir owns several technical certificates (MCSE, MCTS, MCITP, and MCT) for Windows Server 2012, 2008 R2, Exchange Server 2010, Security and Hyper-V. He is regular presenter on conferences in ex-Yu region. On Microsoft Sinergija conference, for previous 7 years, each time he was graded as one of top three speakers. On a Bosnian MS conference, he is the best speaker for last two years. He is also a regular and highly graded presenter on other Microsoft conferences in region such as NT Conference (Slovenia), Microsoft Vizija (Macedonia), Microsoft Windays (Croatia), MS Technet, Mobility Day, KulenDayz etc. Damir is one of very few trainers in Europe who works as an author and reviewer of official MOC courses. In previous year, he was authoring courses 20417 (Upgrading Skills to Windows Server 2012), 20414 (Implementing an Advanced Server Infrastructure), 20412( Configuring Advanced Windows Server 2012 Services) and 20410 (Installing and Configuring Windows Server 2012). Also, he was authoring System Center 2012 courses and currently he is working on Exchange Server 2013 and Windows Server 2012 R2 courses. In addition, he has been working for 16 years now as one of the editors of BiH IT magazine INFO, where he published more than 300 technical articles, and he is also writing for the famous Windows ITPro Magazine (some of his work can be found at:

Leave a Reply

Your email address will not be published. Required fields are marked *