Easily set Entra Connect Password Writeback Permissions with PowerShell

I’ve configured password writeback dozens of times, but just recently, I stumbled upon the ADSyncConfig PowerShell module. If you don’t know how to configure password writeback, it’s a fairly simple process. You can follow the Microsoft Learn document for a tutorial. However, this post will look at making the permissions section much more efficient and less prone to user error. The MS Learn article provides a great tutorial, but there is no mention of the ADSyncConfig PowerShell module.

There are several useful functions contained in the ADSyncConfig module. The one I will focus on in this post is Set-ADSyncPasswordWritebackPermissions. This will automatically set all the necessary password writeback permissions in Active Directory for the Entra Connect service account. No more clicking around in AD to set permissions. In addition, there is a function to identify any AD objects with inheritance disabled. So, you can identify any accounts that need manual intervention. Here’s how we can use the ADSyncConfig module to configure password writeback permissions.

First, the ADSyncConfig module is dependent on the ADDS PowerShell module. So, we need to install RSAT tools. Open PowerShell and run Install-WindowsFeature RSAT-AD-Tools

Next, we can import the module by running Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1". After the module is imported, we can start using the functions. Let’s see what the service account is that Entra Connect is using. For this, we can use Get-ADSyncADConnectorAccount.

Now that we have the service account, we can set the password writeback permissions. We simply use Set-ADSyncPasswordWritebackPermissions -ADConnectorAccountDN "<DN of service account>". My example is below. Answer Y to all the confirmation prompts. This will set all the required password writeback permissions for the service account.

If you don’t know how to find the DN of the service account, you can use the Attribute Editor in Active Directory Users and Computers. Under the service account properties, click the Attribute Editor tab, and copy the value for distinguishedName:
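The steps above as one script, added here as an example and not part of the original post. It assumes the default Entra Connect install path, that Get-ADSyncADConnectorAccount returns an ADConnectorAccountDN property (with a Get-ADUser fallback if it does not), and that the inheritance check mentioned earlier is the module's Get-ADSyncObjectsWithInheritanceDisabled function; the verification step at the end reads the resulting ACEs back from the domain root with Get-Acl so you can confirm what was granted before moving on.

```powershell
# Added example: configure and verify password writeback permissions end to end.
# Prerequisite: Install-WindowsFeature RSAT-AD-Tools (ADSyncConfig depends on the AD module).
Import-Module ActiveDirectory
Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1'

# 1. Identify the AD connector (service) account Entra Connect is using.
$acct  = Get-ADSyncADConnectorAccount
$svcDN = $acct.ADConnectorAccountDN   # property name assumed; see fallback below
if (-not $svcDN) {
    # Fallback: resolve the DN from the account name with the AD module instead of Attribute Editor.
    $svcDN = (Get-ADUser -Identity $acct.ADConnectorAccountName).DistinguishedName
}
Write-Host "Connector account DN: $svcDN"

# 2. Grant the password writeback permissions (answer Y to the function's confirmation prompts).
Set-ADSyncPasswordWritebackPermissions -ADConnectorAccountDN $svcDN

# 3. Verify: list the ACEs on the domain root that name the service account.
#    Well-known schema/control-access GUIDs, mapped only to make the output readable.
$rightNames = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password (control access right)'
    'ab721a53-1e2f-11d0-9819-00aa0040529b' = 'Change Password (control access right)'
    'bf967a0a-0de6-11d0-a285-00aa003049e2' = 'pwdLastSet (attribute)'
    '28630ebf-41d5-11d1-a9c1-0000f80367c1' = 'lockoutTime (attribute)'
}
$domainDN = (Get-ADDomain).DistinguishedName
$svcSam   = (Get-ADUser -Identity $svcDN).SamAccountName
$acl      = Get-Acl -Path "AD:\$domainDN"
$acl.Access |
    Where-Object { $_.IdentityReference -like "*\$svcSam" } |
    ForEach-Object {
        $guid = $_.ObjectType.ToString()
        [pscustomobject]@{
            Right       = $_.ActiveDirectoryRights
            Type        = $_.AccessControlType
            Target      = if ($rightNames.ContainsKey($guid)) { $rightNames[$guid] } else { $guid }
            Inheritance = $_.InheritanceType
        }
    } | Format-Table -AutoSize

# 4. Objects with inheritance disabled do not pick up the inherited ACEs set above,
#    so list them for manual follow-up (function name assumed from the module).
Get-ADSyncObjectsWithInheritanceDisabled -SearchBase $domainDN -ObjectClass 'user' |
    Format-Table -AutoSize
```

Run this from an elevated PowerShell session on the Entra Connect server as a domain account that can modify the domain root ACL; the verification output should show the Reset Password right and write access to pwdLastSet and lockoutTime for the connector account.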

Lastly, don’t forget to enable password writeback in Entra Connect following these steps – Enable Microsoft Entra password writeback – Microsoft Entra ID | Microsoft Learn.