Entra ID Password Writeback: Security Risks, Architecture, and How to Harden the Configuration

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Password writeback bridges cloud and on-premises identity in a way that introduces a new attack surface: a cloud administrator or attacker who compromises the Entra ID tenant can use SSPR or the admin password reset feature to set a new password for on-premises AD accounts -- if those accounts are in the writeback scope. If the writeback scope includes Domain Admins or other Tier 0 accounts, a cloud compromise can lead directly to on-premises domain takeover. Understanding the writeback architecture and its scope controls is essential for any hybrid Active Directory environment.
How Password Writeback Works Architecturally
The writeback flow: a user initiates a password reset via the Entra ID SSPR portal or an admin initiates a reset in the Entra admin center. Entra ID validates the reset (MFA, security questions) and processes the new password. The new password hash is encrypted and sent to the Entra Connect agent running on the Entra Connect server on-premises. The Entra Connect agent receives the instruction via the service bus connection (outbound HTTPS from on-premises to Azure Service Bus -- no inbound ports required). The agent uses the Active Directory Connector Account (ADCA) -- the Entra Connect service account -- to set the new password on the AD user object. The ADCA needs 'Reset Password' permission on the user objects in scope in AD. The security implication: anything that can trigger a password reset in Entra ID (a Global Administrator, an Authentication Administrator, or SSPR if configured for the account) can indirectly set the on-premises AD password for accounts in the writeback scope.
The Core Risk: Writeback Scope Includes Privileged Accounts
The most significant risk is writeback scope that includes Tier 0 on-premises accounts. If the Entra ID writeback scope covers the Domain Controllers OU or the Tier 0 admin accounts OU: a Privileged Authentication Administrator in Entra ID can reset the on-premises password of a Domain Admin account. A compromised Entra ID Global Admin (via token theft, AiTM phishing, etc.) can reset every synchronized account's on-premises password, effectively becoming a domain admin without needing to compromise the on-premises AD directly. Mitigation: exclude Tier 0 OUs from Entra Connect synchronization entirely. Tier 0 accounts (Domain Admins, Enterprise Admins, Schema Admins, the Entra Connect service account itself) should be cloud-only or on-premises-only -- never synchronized across the boundary. This requires using separate admin accounts: on-premises admin accounts in unsynchronized OUs, and Entra ID admin accounts that are cloud-only. The two admin account sets should have no overlap.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Harden the Entra Connect Service Account
The Active Directory Connector Account (ADCA) used by Entra Connect is a high-privilege account -- it has the right to reset passwords, read directory data, and depending on configuration, write back group membership changes. Harden it: limit ADCA permissions to the minimum necessary OUs only (not domain-wide). If writeback is only needed for the corporate user OU, grant the ADCA Reset Password permission on that specific OU, not at the domain root. Verify current permissions: Get-ADUser -Identity 'MSOL_accountname' -Properties DistinguishedName | Get-ACL (this approach requires ADSI or the AD module ACL commands). The ADCA should NOT be a member of Domain Admins -- check this immediately. Protect the Entra Connect server and the ADCA credential: treat the Entra Connect server as a Tier 0 asset (same protection level as a DC). Restrict interactive logon to it, require PAW access, monitor all logon events, and add it to your privileged access monitoring. Rotate the ADCA password after any security incident affecting the Entra Connect server or the Entra ID tenant.
Restrict SSPR Writeback Scope
In the Entra admin center, configure which accounts are in scope for SSPR with writeback. Go to Protection > Password reset > On-premises integration. The 'Write back passwords to your on-premises directory' toggle controls whether writeback is active. Verify the scoped OUs: Entra Connect scoping is configured via the Entra Connect wizard under Optional Features > Password writeback. Only OUs explicitly included in the Entra Connect synchronization scope can have writeback applied. Perform an OU scope review: enumerate all OUs in the Entra Connect sync scope, verify none are Tier 0 admin OUs. If Tier 0 accounts are currently being synchronized, plan a migration: create dedicated cloud-only admin accounts for Entra ID admin tasks, migrate Entra ID admin rights to the cloud-only accounts, then remove the Tier 0 on-premises accounts from the sync scope. This migration may take weeks but eliminates the highest-risk writeback scenario.
Monitor for Unauthorized Password Resets via Writeback
Every password reset via writeback generates: Entra ID Audit Log event (Password Reset via Admin or SSPR), on-premises AD Event ID 4723 (user changed their own password) or 4724 (admin reset the password), and Entra Connect operational log entries. Forward all three sources to your SIEM. Alert on: admin-initiated password resets for Tier 1 or Tier 2 accounts outside of business hours (may indicate compromised admin account), high volume of password resets by a single Entra admin in a short time window (bulk reset attack), password resets for accounts in high-privilege on-premises groups (even if those groups are below Tier 0), and failed writeback attempts (Entra Connect event log error 6329 or 33001 -- these indicate write permission issues that may indicate someone changed the ADCA permissions).
The bottom line
Password writeback is a significant security control point in hybrid Active Directory environments because it creates a cloud-to-on-premises password reset path. The primary hardening actions are: exclude all Tier 0 on-premises accounts from Entra Connect sync scope (eliminating the highest-risk writeback target), treat the Entra Connect server as a Tier 0 asset, verify the ADCA has minimum necessary permissions and is not in Domain Admins, and monitor for unusual password reset patterns in both Entra audit logs and on-premises Event ID 4724. These actions reduce writeback risk from critical to manageable.
Frequently asked questions
Is password writeback required for SSPR to work?
SSPR without writeback works only for cloud-only accounts -- users whose password exists only in Entra ID with no on-premises AD account. For hybrid users (accounts synchronized from on-premises AD), writeback is required for SSPR to be effective. Without writeback, a hybrid user who resets via SSPR will have their Entra ID cloud password changed, but their on-premises AD password remains the old value. The next time the user authenticates to an on-premises resource (file server, VPN, domain login), the old password is required. Writeback keeps both passwords in sync.
Can a Password Administrator in Entra ID trigger writeback for Global Admin accounts?
No, Entra ID's administrative tiering prevents lower-privilege admins from resetting higher-privilege accounts' passwords. A Password Administrator cannot reset a Global Administrator's password in Entra ID. A User Administrator can reset most user passwords but not Global Admins. An Authentication Administrator can reset passwords for non-admin users. However, if a Global Admin's account is cloud-synchronized from on-premises AD (which it should not be), and a Global Admin initiates the reset themselves, writeback would apply. This is why Tier 0 accounts should never be synchronized.
What is the difference between Entra Connect and Entra Cloud Sync for password writeback?
Both support password writeback, but the architecture differs. Entra Connect is an agent installed on a server in the on-premises AD environment, managing synchronization in a pull-based model. Entra Cloud Sync uses a lightweight provisioning agent with more of the sync logic in the cloud. For security, both require protecting the on-premises agent server as a Tier 0 asset. Entra Cloud Sync supports passwordWriteback as a preview feature as of 2024/2025 and may have more limited scope control compared to the mature Entra Connect implementation. Check the Microsoft documentation for the current feature parity before migrating from Entra Connect to Cloud Sync if you rely on writeback.
How do I check which OUs are currently in Entra Connect sync scope?
Open the Entra Connect wizard on the Entra Connect server, navigate to Configure > Customize synchronization options > Connect your directories > configure your directory. The Domain and OU Filtering step shows which OUs are included in or excluded from sync. Alternatively, use the Synchronization Rules Editor (installed with Entra Connect) to review inbound sync rules and their scoping filters. For a scripted check: Get-ADSyncConnector | Where-Object {$_.ConnectorTypeName -eq 'AD'} | Select-Object -ExpandProperty Partitions | Select-Object -ExpandProperty ObjectInclusions shows the scoped containers.
What happens to a user's Entra ID account if the on-premises AD account is deleted while password writeback is enabled?
If an on-premises AD account that is synchronized to Entra ID is deleted, Entra Connect's sync process marks the corresponding Entra ID user as soft-deleted (moved to the Entra ID recycle bin) within the next sync cycle (default 30 minutes). The account is retained in the recycle bin for 30 days and can be recovered. After 30 days it is permanently deleted. Password writeback is not triggered by account deletion -- it only processes password reset events for active synchronized accounts. If the deletion was accidental, recover the on-premises AD account quickly: the next sync cycle will restore the Entra ID account and re-enable it, including password writeback functionality.
How do you audit password writeback activity to detect unauthorized or suspicious password resets?
Password writeback activity is logged in two places. In Entra ID, the Audit Logs (category: SelfServicePasswordManagement, activity: Reset password (self-service) or Reset user password by administrator) record every password reset initiated from the cloud side with the initiating actor, target user, and timestamp. In Entra Connect's server event log, Application log entries from the source 'PasswordResetService' record the writeback operation result including the target account's distinguished name. High-priority monitoring scenarios: password resets initiated on Tier 0 accounts (Global Admins, Domain Admin-equivalent accounts) through SSPR should never happen -- if they appear in audit logs, it indicates either a misconfiguration (Tier 0 accounts should be excluded from SSPR scope) or an active incident. Password resets on accounts by administrators (admin reset, not self-service) that occur outside business hours or from unusual locations should be alerted. In Microsoft Sentinel, create a hunting query on AuditLogs where OperationName == 'Reset password (self-service)' and join to the risky user table to prioritize resets by Identity Protection risk score.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
