AZ_PASSWORD_WRITEBACK

Summary

FSProtect ACL Alias

AZ_PASSWORD_WRITEBACK

Entra ID (Azure AD) Alias

Password writeback

Affected Object Types

AZ Group, Group

Exploitation Certainty

Certain

Description

AZ_PASSWORD_WRITEBACK represents that password writeback is enabled for a hybrid identity deployment.

Password writeback allows password resets/changes performed in Microsoft Entra ID (for synced users) to be written back to on-premises Active Directory Domain Services (AD DS) in near real time through Microsoft Entra Connect or Cloud Sync.

Security impact:

  • This feature creates a cloud → on-prem credential control path.

  • If an attacker can reset a synced user’s password in Entra ID (for example via AZ_RESET_PASSWORD or mis-scoped SSPR), the attacker may gain the corresponding on-prem AD password as well.

  • The on-prem writeback agent enforces on-prem password policy when writing back.

Identification

Azure GUI

  1. Log in to the Azure portal.

  2. Open Microsoft Entra ID.

  3. Click Password reset.

  4. Click On-premises integration.

  5. Locate Write back passwords to your on-premises directory.

  6. Confirm whether it is checked or not.

Exploitation

AZ_PASSWORD_WRITEBACK is not an exploit by itself. It increases the impact of other edges:

  • If a principal can reset a synced user’s password using AZ_RESET_PASSWORD in Entra ID, and password writeback is enabled, the reset can also update the on-prem AD password.

  • If the target user is privileged on-prem (for example, can RDP/WinRM, is a local admin, or has AD rights), this can enable rapid pivot to on-prem infrastructure.

Mitigation

  • Disable password writeback if it is not strictly required.

  • Scope SSPR to the minimum set of users/groups and require strong authentication methods.

  • Minimize who holds password reset capabilities (see AZ_RESET_PASSWORD) and prefer just-in-time privileged access (PIM).

Detection

Azure

See AZ_RESET_PASSWORD. Monitor Microsoft Entra Audit logs for password reset operations against synced users; with writeback enabled, these resets can also impact the on-prem AD password.

Active Directory

See ForceChangePassword. Monitor on-prem AD events where user passwords are reset/changed or users are forced to change password at next logon; correlate the actor/service account used by the writeback mechanism.
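The correlation described above, as an added example that is not part of the original page: it pairs "Reset user password" entries from the Entra audit log with on-prem 4724 events for the same user inside a short time window, surfacing both the cloud actor and the on-prem account the writeback mechanism used. Record shapes are simplified, all sample data is constructed, and the sAMAccountName-equals-UPN-prefix mapping and the MSOL_ service account name are assumptions.

```python
from datetime import datetime, timedelta

# Constructed Entra ID audit records (simplified shape of directoryAudits entries).
ENTRA_AUDIT = [
    {"activityDateTime": "2024-05-01T10:00:05Z", "operationName": "Reset user password",
     "initiatedBy": "helpdesk@contoso.example", "target": "alice@contoso.example"},
    {"activityDateTime": "2024-05-01T11:30:00Z", "operationName": "Update user",
     "initiatedBy": "admin@contoso.example", "target": "bob@contoso.example"},
]

# Constructed on-prem Security log events (4724: attempt to reset an account's password).
# "MSOL_abc123" stands in for the writeback connector account; the name is an assumption.
AD_EVENTS = [
    {"TimeCreated": "2024-05-01T10:00:09Z", "EventID": 4724,
     "SubjectUserName": "MSOL_abc123", "TargetUserName": "Alice"},
    {"TimeCreated": "2024-05-01T09:00:00Z", "EventID": 4724,
     "SubjectUserName": "jdoe", "TargetUserName": "carol"},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def correlate(entra_audit, ad_events, window=timedelta(minutes=5)):
    """Pair each cloud password reset with a 4724 on-prem reset of the same user
    that lands within `window` after it; each hit names both actors."""
    hits = []
    for rec in entra_audit:
        if rec["operationName"] != "Reset user password":
            continue
        sam = rec["target"].split("@")[0].lower()  # assumption: sAMAccountName == UPN prefix
        t_cloud = parse_ts(rec["activityDateTime"])
        for ev in ad_events:
            if ev["EventID"] != 4724 or ev["TargetUserName"].lower() != sam:
                continue
            delta = parse_ts(ev["TimeCreated"]) - t_cloud
            if timedelta(0) <= delta <= window:
                hits.append({
                    "user": rec["target"],
                    "cloud_actor": rec["initiatedBy"],
                    "writeback_account": ev["SubjectUserName"],
                    "lag_seconds": int(delta.total_seconds()),
                })
    return hits


if __name__ == "__main__":
    for hit in correlate(ENTRA_AUDIT, AD_EVENTS):
        print(hit)
```

Events from the writeback account that have no matching cloud reset, or cloud resets with no on-prem 4724, are worth reviewing separately, since each can indicate a misconfiguration or an unexpected reset path.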

References

  • https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-writeback

  • https://learn.microsoft.com/en-us/entra/identity/authentication/tutorial-enable-sspr-writeback

  • https://learn.microsoft.com/en-us/entra/identity/authentication/tutorial-enable-cloud-sync-sspr-writeback

  • https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-syncservice-features

  • https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4724
