Playbook Reset-AADUserPassword - Password does not sync to On-prem AD
Path: Solutions/Microsoft Entra ID/Playbooks/Reset-AADUserPassword
I have deployed this solution Reset-AADUserPassword through a Sentinel alert trigger.
The playbook runs successfully. However, it resets the password for my test account in the Azure cloud, and the same password is not getting synced to my on-prem AD. Please can you let us know what the issue is here? The password policy does match the organization's requirements.
Output status code: 204
Hi @curiousbwoy, Thanks for flagging this issue, we will investigate this issue and get back to you with some updates by 16-08-2024. Thanks!
Hi @curiousbwoy, Could you check for the required rolls and permission for your account which mentioned into the below readme file: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Playbooks/Reset-AADUserPassword/readme.md
Thanks!
Hi @v-sudkharat, yes, all the roles are assigned to the managed identity of the logic app. We are testing this logic app against normal users who are on-premises synced, with the Password Administrator role assigned to the managed identity of the logic app.
We performed it for 2 users:
- User 1 - Azure AD user not synced to on-prem AD: the logic app runs successfully, a temporary password is assigned, and once this temporary password is used the user is asked to create a new password due to "forceChangePasswordNextSignIn: true".
- User 2 - Azure AD user synced to on-prem AD: the logic app runs successfully as shown in the above image, but the password is not accepted when the user tries to sign in; it says incorrect password.
@curiousbwoy, Thanks for your response. Will check on this issue and will get back to you. Thanks!
Authorize Office 365 Outlook connection - is authorization done via API connection or should there be dedicated area to authorize?
@curiousbwoy how did it go? Similar use case, but it's delayed I suspect, while MDI remediation is immediate.
@piExpr please can you highlight which connection needs to be authorized? The issue we are facing is that the temporary password generated by the logic app is not getting synced to on-prem AD, though we have the Password writeback feature enabled.
@curiousbwoy, Thanks for your response. Will check on this issue and will get back to you. Thanks!
@v-sudkharat please let us know if you were able to simulate the logic app for both scenarios: an Azure AD user synced from on-prem, and an Azure AD cloud-only user not synced to on-prem.
@v-shukore, Please check on it.
Hi @curiousbwoy,
Currently the API is looking for the users in Entra ID in the Azure cloud, and whichever users are available there are able to have their password updated. But when the call is made to the API for the users in on-prem, those users are not found in the directory, which results in a 204 for the user.
https://learn.microsoft.com/en-us/graph/api/resources/onpremisesextensionattributes?view=graph-rest-1.0 https://learn.microsoft.com/en-us/graph/api/resources/user?view=graph-rest-1.0
Please check the above documents and see whether the on-premises Active Directory is synchronized to Microsoft Entra ID.
Thanks...!!
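The comment above (the 204 from the Graph call versus a synced account whose password is still mastered on-prem) and the earlier two-user test are easiest to reason about with a small triage helper. This is an added example, not the playbook's own code: it does not call Microsoft Graph, it only builds the PATCH request the playbook sends and inspects a Graph user object for the real `onPremisesSyncEnabled` property; the two user objects and ids are constructed.

```python
"""Triage helper for a Reset-AADUserPassword style playbook (added example).
Builds the Graph password-reset request offline and tells, from the user object,
whether the cloud reset alone can ever reach on-prem AD DS."""

GRAPH = "https://graph.microsoft.com/v1.0"


def build_reset_request(user_id, new_password, force_change=True):
    """PATCH /users/{id} with a passwordProfile; Graph answers 204 No Content on success."""
    return {
        "method": "PATCH",
        "url": f"{GRAPH}/users/{user_id}",
        "headers": {"Content-Type": "application/json"},
        "body": {"passwordProfile": {"password": new_password,
                                     "forceChangePasswordNextSignIn": force_change}},
    }


def writeback_expected(user):
    """True when the account is mastered on-prem (onPremisesSyncEnabled is true).
    For such accounts the new cloud password only reaches AD DS through
    SSPR password writeback; a 204 from Graph says nothing about that hop."""
    return bool(user.get("onPremisesSyncEnabled"))


def triage(user, status_code):
    """Map the playbook's HTTP result plus the user's sync state to a next step."""
    if status_code == 404:
        return "user not found in Entra ID"
    if status_code != 204:
        return f"unexpected status {status_code}; check the managed identity's role assignment"
    if writeback_expected(user):
        return ("cloud reset succeeded; account is synced from on-prem, so verify "
                "password writeback before expecting the password to work against AD DS")
    return "cloud-only account; cloud reset is sufficient"


# Constructed sample user objects in the shape Graph returns (fields trimmed).
CLOUD_ONLY = {"id": "cloud-user-id", "userPrincipalName": "user1@example.com",
              "onPremisesSyncEnabled": None}
SYNCED = {"id": "synced-user-id", "userPrincipalName": "user2@example.com",
          "onPremisesSyncEnabled": True,
          "onPremisesLastSyncDateTime": "2024-08-01T00:00:00Z"}

if __name__ == "__main__":
    print(triage(CLOUD_ONLY, 204))
    print(triage(SYNCED, 204))
```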
Hi @curiousbwoy, waiting for your response on above comment. Thanks...!!
Hi @curiousbwoy, Gentle Reminder: We are waiting for your response on this issue. If you still need to keep this issue active, please respond to it in the next 2 days. If we don't receive a response by 02-10-2024 date, we will be closing this issue. Thanks...!!
Hi @v-shukore,
I have tried to execute the API you shared and used my account to search for the attributes, but the result returned is null.
I have tried using both the beta and the Graph API v1.0.
@curiousbwoy, Thanks for your response. Will check on this issue and will get back to you. Thanks!
Hi @curiousbwoy, As I can see that we are receiving a 200 OK status, but it is not able to find attributes in the directory. Please check if you have them at the source. Thanks!
Hi @v-shukore, thank you for the update. I have tried it in the logic app for my email address as well as other users, and I was able to fetch the details.
Please can you guide me on how I will be able to reset the password, as the issue still persists?
Further summarizing: the temporary password generated by the logic app is accepted at the initial login, and MFA is also accepted.
However, due to the flag "forceChangePasswordNextSignIn": true, I am prompted to update the password and change it before being authorized further.
Here, ideally, the current password should be the one generated by the logic app; however, it is not updated on-premises, and it gives an error stating that this is not your current password.
Hi @curiousbwoy, we are still investigating this issue with team, will get back to you once done. Thanks...!!
@curiousbwoy did you configure password writeback for those users synced from on-prem?
> @curiousbwoy did you configure password writeback for those users synced from on-prem?

@manishkumar1991 yes, password writeback is already configured for all users at the organization level in AD.
Hi @curiousbwoy, we just want to make sure that you followed the proper documentation. Please confirm whether you have followed the documentation below. Thanks!! https://learn.microsoft.com/en-us/entra/identity/authentication/tutorial-enable-sspr-writeback
Hi @curiousbwoy, please confirm you have followed above documentation. Thanks!!
Hi @v-shukore,
Please find the settings below. I am unable to find the option "(Enable password writeback for SSPR) Check the option for Write back passwords to your on-premises directory."
Hi @curiousbwoy, have you attempted to reset the password manually without using the playbook and confirmed if it syncs to the on-premises AD? Checked with the concerned team. It appears that this issue is not occurring for other users. Thanks!!
Hi @v-shukore, yes:
- We manually reset the password using the user's provided password, ensuring it meets the organization's password policy requirements.
- We also manually reset the password using a password generated by the playbook, confirming that the playbook-generated password complies with the organization's password policy.
Both methods successfully synchronized the password with the on-premises Active Directory (AD).
Hi @curiousbwoy,
Thanks for your response. I will share the update with the concerned teams and will get back to you.
Thanks.!!
Hi @curiousbwoy, in midpoint, if I change a user's password through the administrator, my password does not go to AD and Google either. Please give me a solution or documentation for resetting a password and forcefully changing a password.
Hi @v-shukore,
I am also facing an issue while resetting the password through a Sentinel playbook.
I have just created this simple playbook to reset the user's password at next logon, and here I am using the Active Directory OAuth authentication type.
It is working fine, but it asks the user to reset the password immediately once we run the playbook and interrupts their work, and I don't want it to work like that.
It should just set a flag to reset the password at next logon. Please help me resolve the issue.
I am still waiting for the update.
Please let me know the solution.
Thanks.