Enable Password Writeback in AD Connect to Allow Users to Change Their Passwords


Question

You are the administrator of a newly created Azure tenant on the Azure AD free tier.

You have installed and configured AD Connect on an on-premises server, and configured password hash synchronization as your password authentication method.

You have synchronized your users to Office 365.

You wish to enable your users to reset their own passwords, so you enable the "Password writeback" feature in the AD Connect configuration.

But users are still not able to reset their own passwords.

What must you do next to enable users to change their own passwords?

Answers

A. Create a dynamically assigned security group and add the users to it.
B. Upgrade to Azure AD Premium.
C. Enable multi-factor authentication.
D. Change the number of methods required to reset from 1 to 2.

Correct Answer: B

Explanations

Password change is supported in the Free tier, but password reset is not.

In order to enable the service, you must upgrade to a paid tier.

Screenshot: the UPN Suffixes dialog, which reads:

"The names of the current domain and the root domain are the default user principal name (UPN) suffixes. Adding alternative domain names provides additional logon security and simplifies user logon names.

If you want alternative UPN suffixes to appear during user creation, add them to the following list."

Option A is incorrect.

A dynamic security group uses rules to determine group membership based on user or device properties.

Option C is incorrect.

MFA is not required to enable self-service password reset.

Your user will however have to register for password reset by going through an authentication method workflow.

Option D is incorrect.

You do not have to change the number of methods to 2, although this would improve security.

To know more about Active Directory self-service password reset, please refer to the link below:

When using AD Connect to synchronize on-premises Active Directory user accounts to Azure AD, administrators have the option to enable password writeback. This feature allows users to reset their own passwords from the Office 365 portal or the Azure AD self-service password reset portal, and the new password is then written back to on-premises Active Directory.

However, enabling password writeback alone may not be enough to allow users to reset their own passwords. Here are the possible reasons why users are not able to reset their passwords and the necessary steps to take to resolve the issue:

  1. Verify that password writeback is enabled: Check the AD Connect configuration and ensure that password writeback is enabled. To do this, launch the Azure AD Connect wizard on the on-premises server, select "Configure" and then "Configure device options". On the "Optional features" page, select "Password writeback" and complete the wizard. If password writeback is already enabled, proceed to the next step.

  2. Verify that users are synced to Azure AD: Check that the users you want to enable for password reset are actually synced to Azure AD. To do this, go to the Azure portal, navigate to Azure Active Directory, and then select "Users". Check that the users are listed and that their account status is "Synced with Active Directory".

  3. Assign users the necessary permissions: To allow users to reset their own passwords, they need to be assigned the "Reset Passwords" role in Azure AD. This can be done by either adding them to the "Password Administrators" or "Global Administrators" built-in roles, or by creating a custom role that includes the "Reset Passwords" permission and assigning that role to the users.

  4. Enable self-service password reset: Once the users have been assigned the necessary permissions, self-service password reset needs to be enabled in Azure AD. To do this, go to the Azure portal, navigate to Azure Active Directory, and then select "Password reset". Select the "Self-service password reset" option and configure the necessary settings, such as the number of methods required for password reset and the authentication methods allowed.

In summary, to enable users to reset their own passwords after enabling password writeback in AD Connect, you need to verify that password writeback is enabled, ensure that users are synced to Azure AD, assign users the necessary permissions, and enable self-service password reset in Azure AD.
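As an added example (not code from the original page or from Microsoft), the following PowerShell checks the preconditions that the steps above and the correct answer depend on: whether the tenant holds an Azure AD Premium licence, whether users are actually synchronized from on-premises AD, and whether password writeback is switched on in AD Connect. It assumes the Microsoft Graph PowerShell SDK is installed, that the last section runs on the AD Connect server where the ADSync module is available, that the Premium service plans are named AAD_PREMIUM / AAD_PREMIUM_P2, and that the Azure AD connector name ends in " - AAD" (the default).

```powershell
# Added example: check the three preconditions for self-service password reset with writeback.
# Assumptions: Microsoft.Graph SDK installed; section 3 runs on the Azure AD Connect server.

# 1. Licensing: password writeback requires Azure AD Premium (P1 or P2), not the free tier.
#    Assumption: the relevant service plans are named AAD_PREMIUM / AAD_PREMIUM_P2.
Connect-MgGraph -Scopes 'Organization.Read.All', 'User.Read.All' | Out-Null
$premiumSkus = Get-MgSubscribedSku | Where-Object {
    $_.ServicePlans | Where-Object {
        $_.ServicePlanName -like 'AAD_PREMIUM*' -and $_.ProvisioningStatus -eq 'Success'
    }
}
if (-not $premiumSkus) {
    Write-Warning 'No Azure AD Premium SKU found: password reset with writeback is not available on the free tier.'
} else {
    Write-Host "Premium SKU(s) present: $($premiumSkus.SkuPartNumber -join ', ')"
}

# 2. The users who should reset their passwords must be synchronized from on-premises AD.
$synced = Get-MgUser -All -Filter 'onPremisesSyncEnabled eq true' `
    -ConsistencyLevel eventual -CountVariable syncedCount `
    -Property UserPrincipalName, OnPremisesSyncEnabled
Write-Host "Synchronized users: $syncedCount"
$synced | Select-Object -First 5 -Property UserPrincipalName

# 3. Password writeback must be enabled on the Azure AD connector in AD Connect.
#    Assumption: the Azure AD connector is named '<tenant>.onmicrosoft.com - AAD' (the default).
Import-Module ADSync
$aadConnector = Get-ADSyncConnector | Where-Object { $_.Name -like '* - AAD' }
$writeback = Get-ADSyncAADPasswordResetConfiguration -Connector $aadConnector.Name
if ($writeback.Enabled) {
    Write-Host 'Password writeback is enabled in AD Connect.'
} else {
    Write-Warning 'Password writeback is NOT enabled; re-run the AD Connect wizard and select it under Optional features.'
}
```

If the first check warns, fixing the other two will not help: the tenant must be upgraded to a paid tier before writeback-based reset works.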

Option A (creating a dynamically assigned security group and adding users) is not directly related to enabling users to reset their own passwords and is not necessary in this scenario.

Option B (upgrading to Azure AD Premium) is not necessary to enable users to reset their own passwords, although it does offer additional features such as password protection and smart lockout.

Option C (enabling multi-factor authentication) is not necessary to enable users to reset their own passwords, although it does enhance security and can be required as an additional authentication method during password reset.

Option D (changing the number of methods required to reset from 1 to 2) is a step in the process of enabling self-service password reset, but it is not sufficient on its own to allow users to reset their own passwords.