Merge pull request #175610 from billmath/write2

v-lmcdonald · web-flow · commit ae1d09d344ff · 2021-11-02T11:04:14.000-07:00
adding new info
diff --git a/articles/active-directory/cloud-sync/how-to-install.md b/articles/active-directory/cloud-sync/how-to-install.md
@@ -100,6 +100,18 @@ To verify that the agent is running:
 >[!IMPORTANT]
 >The agent has been installed, but it must be configured and enabled before it will start synchronizing users. To configure a new agent, see [Create a new configuration for Azure AD Connect cloud sync](how-to-configure.md).
 
+### Enable password writeback in Azure AD Connect cloud sync 
+
+To use password writeback and enable the SSPR service to detect the cloud sync agent , you need to use the `Set-AADCloudSyncPasswordWritebackConfiguration` cmdlet and tenant’s global administrator credentials: 
+
+  ```   
+   Import-Module "C:\\Program Files\\Microsoft Azure AD Connect Provisioning Agent\\Microsoft.CloudSync.Powershell.dll" 
+   Set-AADCloudSyncPasswordWritebackConfiguration -Enable $true -Credential $(Get-Credential)
+  ```
+
+For more information on using password writeback with Azure AD Connect cloud sync, see.
+
+
 ## Next steps 
 
 - [What is provisioning?](what-is-provisioning.md)
diff --git a/articles/active-directory/cloud-sync/how-to-troubleshoot.md b/articles/active-directory/cloud-sync/how-to-troubleshoot.md
@@ -4,7 +4,7 @@ description: This article describes how to troubleshoot problems that might aris
 author: billmath
 ms.author: billmath
 manager: daveba
-ms.date: 01/19/2021
+ms.date: 10/13/2021
 ms.topic: how-to
 ms.prod: windows-server-threshold
 ms.technology: identity-adfs
@@ -22,6 +22,7 @@ Cloud sync touches many different things and has many different dependencies. Th
 |[Agent problems](#agent-problems)|Verify that the agent was installed correctly and that it communicates with Azure Active Directory (Azure AD).|
 |[Object synchronization problems](#object-synchronization-problems)|Use provisioning logs to troubleshoot object synchronization problems.|
 |[Provisioning quarantined problems](#provisioning-quarantined-problems)|Understand provisioning quarantine problems and how to fix them.|
+|[Password writeback](#password-writeback)|Understand common password writeback issues and how to fix them.|
 
 
 ## Agent problems
@@ -227,6 +228,19 @@ If you need to repair the cloud sync service account you can use the `Repair-AAD
 
    5. Once this completes it should say that the account was repaired successfully.
 
+## Password writeback
+The following information is important to keep in mind with regard to enabling and using password writeback with cloud sync.
+
+- If you need to update the [gMSA permissions](how-to-gmsa-cmdlets.md#using-set-aadcloudsyncpermissions), it may take up to an hour or more for these permissions to replicate to all the objects in your directory. If you don't assign these permissions, writeback may appear to be configured correctly, but users may encounter errors when they update their on-premises passwords from the cloud. Permissions must be applied to “This object and all descendant objects” for **Unexpire Password** to appear. 
+- If passwords for some user accounts aren't written back to the on-premises directory, make sure that inheritance isn't disabled for the account in the on-prem AD DS environment. Write permissions for passwords must be applied to descendant objects for the feature to work correctly. 
+- Password policies in the on-premises AD DS environment may prevent password resets from being correctly processed. If you are testing this feature and want to reset passwords for users more than once per day, the group policy for Minimum password age must be set to 0. This setting can be found under **Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies** within **gpmc.msc**. 
+     - If you update the group policy, wait for the updated policy to replicate, or use the gpupdate /force command. 
+     - For passwords to be changed immediately, Minimum password age must be set to 0. However, if users adhere to the on-premises policies, and the Minimum password age is set to a value greater than zero, password writeback will not work after the on-premises policies are evaluated. 
+
+
+
+
+
 ## Next steps 
 
 - [Known limitations](how-to-prerequisites.md#known-limitations)
diff --git a/articles/active-directory/cloud-sync/what-is-cloud-sync.md b/articles/active-directory/cloud-sync/what-is-cloud-sync.md
@@ -63,7 +63,9 @@ The following table provides a comparison between Azure AD Connect and Azure AD
 | Allow minimal set of attributes to be synchronized (MinSync) |● |● |
 | Allow removing attributes from flowing from AD to Azure AD |● |● |
 | Allow advanced customization for attribute flows |● | |
-| Support for writeback (passwords, devices, groups) |● | |
+| Support for password writeback |● |● |
+| Support for device writeback|● | |
+| Support for group writeback|● | |
 | Azure AD Domain Services support|● | |
 | [Exchange hybrid writeback](../hybrid/reference-connect-sync-attributes-synchronized.md#exchange-hybrid-writeback) |● | |
 | Unlimited number of objects per AD domain |● | |
