Azure AD Synchronized Users with Password Sync are unable to change password

If you have recently started to hear reports of users not being able to change their Azure AD / Office 365 passwords, then you may want to continue reading.


If an administrator set a user to ‘Force change password at next logon’, i.e. when they reset a user's password, it allowed password-synchronized users to change their cloud password, and that updated password would not sync back to on-premises. This in turn caused major issues for customers who relied on password synchronization to keep passwords in sync, because it effectively allowed users to set two different passwords in two different locations.

Users who are synchronized to Azure Active Directory and try to ‘Change’ or ‘Update’ their password when ‘Password Sync’ is enabled and ‘Password Writeback’ has not been enabled or configured will now receive an error message like:

“Your Organization does not allow you to change your password on this site. Please change your password according to the method recommended by your organization, or ask your admin if you need help”

This is because we recently made a change to only allow users that are synchronized to Azure AD and are using password sync to change their passwords if the Password Writeback feature is available. If a customer wants to update password sync’d user passwords from the cloud, he or she must use the Password Writeback feature.

Company Administrators should review the following documentation for Password Writeback Pre-Requisites. It is also important to ensure that you have purchased an Azure AD Premium Subscription and that the users have been assigned an Azure AD Premium License.

Any customer who does not want password writeback, but wants users to be able to manage their own passwords, should convert those user accounts to managed user accounts such that they are no longer synchronized from on-premises.

If you have any questions please be sure to let me know,


Microsoft Azure B2B – Visual Studio Online

I am sure that you have heard that the Azure Active Directory Team have been hard at work and recently placed Azure AD Business to Business (B2B) into public preview. It enables organizations to share the applications & services that they currently use with external business guests / partners etc., and lets us obtain your feedback prior to placing this feature into General Availability.

A common scenario in the developer world is where organizations connect Visual Studio Online with a corporate Azure Active Directory. Up until this feature release, administrators have always had to manage Azure AD accounts for partners / business guests or have had to resort to using Microsoft Accounts (Consumer Identities), which has always been frowned upon, and for good reason to be honest, as consumer accounts should be avoided in the world of Business & Enterprise!

More Information about Azure B2B can be found here:

In this article the aim is to show you how to configure Visual Studio Online to use Azure AD accounts that are created as part of inviting partners / business guests into your Azure AD. If you want to read further information about the feature as a whole, please refer to the link above.

Unfortunately it is early days at this moment in time, and so this particular deployment does require a bit of a 2 step process to get your external users using Visual Studio Online.

Obtain ApplicationID for Visual Studio Online {Login to AAD Connected to VSO}


Create Invite CSV


Sample CSV file

Here is a sample CSV you can modify for your purposes. Save it to any file name you prefer, but ensure that it has a ‘.csv’ file extension.

Email: Email address for invited user.
DisplayName: Display name for invited user (typically, first and last name).
InviteAppID:  The ID for the application to use for branding the email invite and acceptance pages.
InviteReplyURL: URL to which to direct an invited user after invite acceptance. This should be a company-specific URL (such as If this optional field is not specified, the inviting company’s Access Panel URL is generated (this URL is of the form<TenantID>).
InviteAppResources: AppIDs to which applications can assign users. AppIDs are retrievable by calling Get-MsolServicePrincipal | fl DisplayName, AppPrincipalId
InviteGroupResources: ObjectIDs for groups to add user to. ObjectIDs are retrievable by calling Get-MsolGroup | fl DisplayName, ObjectId
InviteContactUsUrl: “Contact Us” URL to include in email invitations in case the invited user wants to contact your organization.
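
A pre-upload check for the invite CSV described above, as an added example that is not part of the original post or any Microsoft tooling. The sample rows, the `Test-InviteRow` function name, the `.example` hosts and the allowed-host list are illustrative; it assumes Email and DisplayName are required and that several IDs in one cell are space separated.

```powershell
# Added example: validate a B2B invite CSV before upload. All sample values are constructed.
$AllowedUrlHosts = @('partners.contoso.example')   # assumption: hosts your organization controls

# Constructed sample; for a real file use: $rows = Import-Csv .\invites.csv
$rows = @'
Email,DisplayName,InviteAppID,InviteReplyURL,InviteAppResources,InviteGroupResources,InviteContactUsUrl
dev1@fabrikam.example,Dev One,11111111-2222-3333-4444-555555555555,https://partners.contoso.example/welcome,,aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee,https://partners.contoso.example/contact
dev2@fabrikam.example,,not-a-guid,http://landing.thirdparty.example/,,,
dev1@fabrikam.example,Dev One Again,,,,,
'@ | ConvertFrom-Csv

function Test-InviteRow {
    param([Parameter(Mandatory)] $Row, [string[]] $AllowedHosts)
    $problems = @()
    if ($Row.Email -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') { $problems += 'Email is not a valid address' }
    if ([string]::IsNullOrWhiteSpace($Row.DisplayName))    { $problems += 'DisplayName is empty' }

    # ID columns must hold GUIDs (several IDs per cell assumed to be space separated)
    foreach ($col in 'InviteAppID', 'InviteAppResources', 'InviteGroupResources') {
        foreach ($id in ("$($Row.$col)" -split '\s+' | Where-Object { $_ })) {
            $guid = [guid]::Empty
            if (-not [guid]::TryParse($id, [ref] $guid)) { $problems += "$col contains non-GUID '$id'" }
        }
    }
    # URL columns are optional, but when set must be HTTPS on a host you control,
    # because the invited user is redirected there after accepting
    foreach ($col in 'InviteReplyURL', 'InviteContactUsUrl') {
        $value = "$($Row.$col)".Trim()
        if (-not $value) { continue }
        $uri = $null
        if (-not [uri]::TryCreate($value, [System.UriKind]::Absolute, [ref] $uri)) {
            $problems += "$col is not an absolute URL"
        } elseif ($uri.Scheme -ne 'https' -or $AllowedHosts -notcontains $uri.Host) {
            $problems += "$col must be https on an allowed host (got $($uri.Scheme)://$($uri.Host))"
        }
    }
    return $problems
}

$seen = @{}   # tracks addresses already listed, to catch duplicate invites
foreach ($row in $rows) {
    $issues = @(Test-InviteRow -Row $row -AllowedHosts $AllowedUrlHosts)
    $key = "$($row.Email)".ToLowerInvariant()
    if ($seen.ContainsKey($key)) { $issues += 'duplicate Email in this file' }
    $seen[$key] = $true
    if ($issues.Count) {
        Write-Warning ("{0}: {1}" -f $row.Email, ($issues -join '; '))
    } else {
        Write-Output ("{0}: OK" -f $row.Email)
    }
}
```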

Invite User Accounts

  1. Login to Azure Management Portal
  2. Select Active Directory > Choose Directory that is linked to VSO > Users > Add
  3. Select “Users in Partners Companies” and upload CSV File that you created previously.


End User Experience

Each of the users that you sent out an invite to will get an e-mail like the following example:


Once they click on the link, they will be taken to a page like the following example: [branding is my demo branding]


NOTE: In this scenario, you would normally configure the Reply URL to send the user to the application once the invite is accepted. In this instance I would recommend sending the users to a static landing page stating that their account will be enabled in X amount of time. The reason for this is that you will have to go and add the user to the VSO Permissions once the account has been created. Unfortunately there is no ‘Sync’ between the Invite Process & VSO Group Memberships, and at the moment you can’t add AAD Groups to VSO Groups, which would of course make it more streamlined.

Once the invite has been accepted, as a collection admin you shall now be able to go and add the e-mail ID that you invited in to the relevant VSO Group. Once this has been done, the user will now be able to login to VSO using their Work Account and access your VSO Collection.

Add Users to Visual Studio Online Collection Group

  1. Login to VSO Admin Portal, Click Settings Cog > Select Collection > Security > “Project Collection Administrators” > Members > Add


Once you have added the user to the VSO Group, they will be able to access the VSO Collection by either going directly to your * address.

I hope that this helps; it is just one example of how Azure B2B is going to help organizations stay secure, compliant and improve the end-user experience!

If you have any questions let me know,


Microsoft Health and Microsoft Band comes to the U.K.

I am sure many of you out there have been waiting for the Microsoft Band to come to the UK! Today, we announced that this is now happening and will be available from April 15th through Amazon, Currys PC World, Dixons Travel, Harrods, Microsoft Store and O2.


  • Microsoft Health is an open cloud-based service that helps you live a healthier lifestyle by providing actionable insights based on data gathered from the fitness devices and apps that you use every day. It is designed to work with you, no matter what phone or service you use.  We’ve got some great partnerships including Runkeeper, MyFitnessPal, MapMyFitness, Microsoft Health Vault and in the U.K., we have an exciting partnership with Nuffield Health who are leaders in fitness and wellbeing.  Find out more
  • Microsoft Band is the first device powered by Microsoft Health. Live healthier by tracking your heart rate, calorie burn and sleep quality alongside comprehensive fitness features such as on-board GPS for run and cycle tracking. It also includes Guided Workouts, which is like having a personal trainer on your wrist. In addition, the Microsoft Band helps you be more productive with calendar alerts, email previews and access to Cortana with Windows Phone. And to make it easy to get up and running, the Microsoft Band works with the phone you already own: Windows, iOS and Android. Find out more here.
  1. Evangelize the top pillars for Microsoft Health and Microsoft Band: 
  1. Developers should check out the SDK Preview