Playbook Reset-AADUserPassword - Password does not sync to On-prem AD #10920

Open
curiousbwoy opened this issue Aug 3, 2024 · 27 comments
Assignees
Labels
Playbook Playbook specialty review needed

Comments

@curiousbwoy

Path: Solutions/Microsoft Entra ID/Playbooks/Reset-AADUserPassword

I have deployed this solution Reset-AADUserPassword through Sentinel alert trigger

The playbook runs successfully. However, it resets the password for my test account in the Azure cloud, and the same password is not getting synced to my on-prem AD. Please can you let us know what the issue is here? The password policy does match the organization's requirements.

Output status code: 204

@curiousbwoy
Author

password sync

@v-sudkharat v-sudkharat added the Playbook Playbook specialty review needed label Aug 5, 2024
@v-sudkharat
Contributor

Hi @curiousbwoy, thanks for flagging this issue. We will investigate this issue and get back to you with some updates by 16-08-2024. Thanks!

@v-sudkharat
Contributor

Hi @curiousbwoy, could you check for the required roles and permissions for your account, which are mentioned in the below readme file:
https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Playbooks/Reset-AADUserPassword/readme.md

Thanks!

@curiousbwoy
Author

Hi @v-sudkharat, yes, all the roles are assigned to the managed identity of the logic app.
We are testing this logic app against normal users who are on-premise synced, with the Password Administrator role assigned to the managed identity of the logic app.

We performed it for 2 users:

User 1 - Azure AD user not synced to on-prem AD: the logic app runs successfully, a temporary password is assigned, and once this temporary password is used by the user it asks the user to create a new password due to "forceChangePasswordNextSignIn: true".

User 2 - Azure AD user synced to on-prem AD: the logic app runs successfully as shown in the above image, but the password is not accepted when the user tries to sign in; it says incorrect password.

@v-sudkharat
Contributor

@curiousbwoy, Thanks for your response. Will check on this issue and will get back to you. Thanks!

@piExpr

piExpr commented Sep 13, 2024

Authorize Office 365 Outlook connection - is authorization done via API connection or should there be dedicated area to authorize?

@piExpr

piExpr commented Sep 13, 2024

@curiousbwoy how did it go? Similar use case, but it's delayed, I suspect, while MDI remediation is immediate.

@curiousbwoy
Author

Authorize Office 365 Outlook connection - is authorization done via API connection or should there be dedicated area to authorize?

@piExpr, please can you highlight which connection needs to be authorized?
The issue we are facing is that the temporary password generated by the logic app is not getting synced to on-prem AD, though we have the Password writeback feature enabled.

@curiousbwoy
Author

@curiousbwoy, Thanks for your response. Will check on this issue and will get back to you. Thanks!

@v-sudkharat please let us know if you were able to simulate the logic app for both scenarios:
Azure AD on-prem synced user
Azure AD cloud-only user not synced to on-prem

@v-sudkharat
Contributor

@v-shukore
Contributor

Hi @curiousbwoy,

Currently the API is looking for the users in Entra ID for the Azure cloud, and the users that are available there are able to update the password. But when the call is made to the API for the users in on-prem, those users are not found in the directory, which results in 204 (not found) for the user.

https://learn.microsoft.com/en-us/graph/api/resources/onpremisesextensionattributes?view=graph-rest-1.0
https://learn.microsoft.com/en-us/graph/api/resources/user?view=graph-rest-1.0

Please check the above documents and see if the on-premises Active Directory is synchronized to Microsoft Entra ID.

Thanks...!!
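The two scenarios in this thread (cloud-only vs. directory-synced user, and what the 204 status from the password PATCH means) as an added example that is not part of the playbook or of any comment here. The user objects are constructed samples shaped like Microsoft Graph `/users` responses; the check names in `diagnose` are the ones a defender would run, not a playbook API.

```python
"""Classify a Graph user object and interpret the password-reset status.

Added example for this thread; not part of the Reset-AADUserPassword playbook.
The sample user objects below are constructed, not real directory data.
"""
import json

# Constructed Microsoft Graph /users responses (only the fields we need).
CLOUD_ONLY_USER = {
    "userPrincipalName": "user1@example.com",
    "onPremisesSyncEnabled": None,            # cloud-only accounts return null
    "onPremisesLastSyncDateTime": None,
}
SYNCED_USER = {
    "userPrincipalName": "user2@example.com",
    "onPremisesSyncEnabled": True,            # mastered in on-prem AD
    "onPremisesLastSyncDateTime": "2024-08-03T10:15:00Z",
}


def build_reset_body(temp_password: str, force_change: bool = True) -> str:
    """JSON body for a Graph PATCH /users/{id} that sets passwordProfile."""
    return json.dumps({"passwordProfile": {
        "password": temp_password,
        "forceChangePasswordNextSignIn": force_change,
    }})


def is_directory_synced(user: dict) -> bool:
    """True when the account is mastered on-prem and depends on password writeback."""
    return bool(user.get("onPremisesSyncEnabled"))


def interpret_reset_status(status: int) -> str:
    """Graph answers a successful passwordProfile PATCH with 204 No Content;
    an unknown user gives 404. 204 therefore means accepted, not 'not found'."""
    return {204: "reset accepted by Entra ID",
            404: "user not found"}.get(status, f"unexpected status {status}")


def diagnose(user: dict, status: int) -> list[str]:
    """Checks to run when a 204 reset never reaches on-prem AD."""
    notes = [interpret_reset_status(status)]
    if status == 204 and is_directory_synced(user):
        notes += ["synced account: the cloud reset must be written back by Entra Connect",
                  "confirm password writeback is enabled on the Entra Connect server",
                  "confirm onPremisesLastSyncDateTime is recent (sync cycle healthy)"]
    elif status == 204:
        notes.append("cloud-only account: password lives in Entra ID only, no writeback")
    return notes
```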

@v-shukore
Contributor

Hi @curiousbwoy, waiting for your response on above comment. Thanks...!!

@v-shukore
Contributor

Hi @curiousbwoy,
Gentle Reminder: We are waiting for your response on this issue. If you still need to keep this issue active, please respond to it in the next 2 days. If we don't receive a response by 02-10-2024 date, we will be closing this issue.
Thanks...!!

@curiousbwoy
Author

Hi @v-shukore,

I have tried to execute the API shared and used my account to search for the attributes, but the result returned is null.
I have tried using both beta as well as Graph API v1.0.

@v-shukore
Contributor

@curiousbwoy, Thanks for your response. Will check on this issue and will get back to you. Thanks!

@v-shukore
Contributor

Hi @curiousbwoy, as I can see, we are receiving a 200 OK status, but it is not able to find the attributes in the directory. Please check if you have them at the source. Thanks!

@curiousbwoy
Author

Hi @v-shukore, thank you for the update. I have tried it on the logic app for my email address as well as other users, and I was able to fetch the details.

Image

Please can you guide how I will be able to reset the password, as the issue still persists?

Image

@curiousbwoy
Author

Further summarizing: the temporary password generated by the logic app is accepted at initial login, and MFA is also accepted.

However, due to the flag "forceChangePasswordNextSignIn": true,
I am prompted to update the password and change it before being authorized further.

Here, ideally, the current password should be the one generated by the logic app; however, it is not updated to on-premise, and it gives the error stating this is not your current password.

Image

@v-shukore
Contributor

Hi @curiousbwoy, we are still investigating this issue with the team and will get back to you once done. Thanks...!!

@manishkumar1991
Contributor

@curiousbwoy did you configure password writeback for those synced users from on-prem?

@curiousbwoy
Author

@curiousbwoy did you configure password writeback for those synced users from on-prem?
@manishkumar1991 yes, password writeback is already configured for all users across the organization level in AD.

@v-shukore
Contributor

Hi @curiousbwoy, we just want to make sure that you followed the proper documentation. Please confirm if you have followed the below documentation. Thanks!!
https://learn.microsoft.com/en-us/entra/identity/authentication/tutorial-enable-sspr-writeback

@v-shukore
Contributor

Hi @curiousbwoy, please confirm you have followed above documentation. Thanks!!

@curiousbwoy
Author

Hi @v-shukore

Please find the settings below. I am unable to find the option (Enable password writeback for SSPR):
Check the option for Write back passwords to your on-premises directory.

Image

@v-shukore
Contributor

Hi @curiousbwoy, have you attempted to reset the password manually without using the playbook and confirmed if it syncs to the on-premises AD? Checked with the concerned team. It appears that this issue is not occurring for other users. Thanks!!

@curiousbwoy
Author

Hi @v-shukore, yes:

  • We manually reset the password using the user's provided password, ensuring it meets the organization's password policy requirements.

  • We also manually reset the password using a password generated by the playbook, confirming that the playbook-generated password complies with the organization's password policy.

Both methods successfully synchronized the password with the on-premise Active Directory (AD).

@v-shukore
Contributor

Hi @curiousbwoy,

Thanks for your response. I will share the update with the concerned teams and will get back to you.

Thanks.!!
