I was recently working with a client that had AAD Connect version 1. It was working in terms of the sync of Active Directory objects from on-premises to Azure AD. Password hash was also working.
When the client tried to enable password writeback we would see an error in the AAD connect configuration wizard:
The logs didn’t give too much away in terms of why it was failing:
[ERROR] PasswordWritebackUtility: Failed to configure password write-back (True) for connector (*********.onmicrosoft.com – AAD). Details: Server detected an exception (Error HRESULT E_FAIL has been returned from a call to a COM component.). Please consult the event log for additional information. AAD Password reset configuration may be in an invalid state. Try removing the configuration.
We looked at conditional access and the account permissions and there were no blockers there.
The event viewer showed up failures for Event ID: 31031, 31044, 31045 and 32014.
We upgraded the AAD connect from version 1 to version 2. Azure AD Connect (version 1.1.614.0 and after) by default uses TLS 1.2 for encrypting communication between the sync engine and Azure AD. The upgrade was successful without any issues but again password writeback could not be enabled.
I then came across this Microsoft article: Azure AD Connect: TLS 1.2 enforcement for Azure Active Directory Connect | Microsoft Docs
In the article there are two scripts. One script to check TLS 1.2 and another script to enable TLS 1.2.
Once we ran the script to enable TLS 1.2 we could re-run the configuration and enable Password writeback.
