I was wondering what options I have to allow remote users to sync to our AD given the following scenario where an external user is someone outside of our building/network, but has a computer that is on our domain.
We are about to have a few external users. We've been testing this, and the first external user we've tested with has discovered that when they change their AD password through webmail, it does not propagate from AD to their computer. This makes sense, as they have no means to connect to our AD server. I was wondering about standard ways to fix this problem. Here are a few that I think are possible, and I'm hoping someone can tell me which methods are possible and which aren't. Other options are obviously very welcome.
- We have recently started using office 365 cloud services, and we're using Azure AD Connect. Is there a way for them to reach a "cloud" AD, that will allow them to reset their password on their computer, and it propagate to the whole AD environment? To be clear, I've never used the actual Azure AD portal, I've only run the password and user sync through AD Connect.
- Is it normal to poke a hole through your firewall to allow external authentication to AD? This seems like something you definitely wouldn't want to do, but I'm a noob, and could be wrong.
- We have a VPN, but long story short, our ISP sucks, and it's incredibly unreliable. I'd say about 1/5 of the attempts to join our VPN succeed. We're working with them, but they are very small, and have a hard time getting any requests worked out.
- Something else? Do I have any other options?
From googling it looks like the VPN is the most common method here, but since our VPN is so awful, I was hoping number 1 would be possible.
Best Answer
Azure AD supports the feature called Password Writeback, which allows users to change or reset their passwords on the Internet, and then be synced to on-premises AD by AD Connect.
To use Password Writeback, you must make sure you complete the following prerequisites:
If you have an existing Office 365 subscription, you already have an Azure AD tenant! You can sign in to the Azure portal with your O365 account and start using Azure AD.
By the way, even if you use Windows 10 with the Azure AD Join feature, you still need to have Password Writeback enabled.
Also, you can use Direct Access to allow remote users to change or reset passwords.
The following sections are sourced from the blog below.
https://blogs.technet.microsoft.com/edgeaccessblog/2010/04/06/powerful-but-not-so-obvious-benefits-of-directaccess-manage-out-capabilities/
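As an added example (not part of the answer above, and not Microsoft's own code), here is a PowerShell check to run on the Azure AD Connect server after enabling Password Writeback. It confirms the three things the feature depends on before you send the first remote user off to change their password: the writeback flag is set for the tenant, the server is not in staging mode (a staging server does not perform writeback), and the ADSync service is running. It assumes the ADSync module that ships with Azure AD Connect is installed locally; the `PasswordWriteback` property name on the output of `Get-ADSyncAADCompanyFeature` is an assumption based on typical output, so check it against `Get-ADSyncAADCompanyFeature | Format-List` on your own server.

```powershell
# Added example: verify Password Writeback prerequisites on an Azure AD Connect server.
# Assumes the ADSync module (installed with Azure AD Connect) is available locally.
Import-Module ADSync

function Test-PasswordWritebackReady {
    # Tenant-level feature flags as reported by AD Connect.
    # The PasswordWriteback property name is assumed from typical cmdlet output.
    $features  = Get-ADSyncAADCompanyFeature
    # Scheduler state includes whether this server is in staging mode.
    $scheduler = Get-ADSyncScheduler
    # The sync service must be running for writeback requests to be processed.
    $service   = Get-Service -Name ADSync -ErrorAction SilentlyContinue

    $result = [PSCustomObject]@{
        PasswordWritebackEnabled = [bool]$features.PasswordWriteback
        StagingModeEnabled       = [bool]$scheduler.StagingModeEnabled
        SyncServiceRunning       = ($null -ne $service -and $service.Status -eq 'Running')
        Ready                    = $false
    }
    $result.Ready = $result.PasswordWritebackEnabled -and
                    (-not $result.StagingModeEnabled) -and
                    $result.SyncServiceRunning
    return $result
}

$status = Test-PasswordWritebackReady
$status | Format-List

if (-not $status.PasswordWritebackEnabled) {
    Write-Warning "Password Writeback is off: passwords changed in the cloud will not reach on-premises AD. Enable it under Optional Features in the AD Connect wizard."
}
if ($status.StagingModeEnabled) {
    Write-Warning "This server is in staging mode and will not perform writeback."
}
if (-not $status.SyncServiceRunning) {
    Write-Warning "The ADSync service is not running; start it with Start-Service ADSync."
}
```

Run it in an elevated PowerShell session on the AD Connect server itself. If `Ready` is `True` but a remote user's cloud password change still does not arrive on-premises, the next place to look is the permissions of the AD Connect service account on the user's OU (reset password, write lockoutTime and pwdLastSet), which this check does not cover.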