Pass-thru authentication SSPR
“Category: SC-300 – Implement and Manage User Identities
Note: This item is part of a series of questions with the same scenario but a different proposed answer. Each in the series has a unique solution that may or may not comply with the requirements specified in the scenario.
Your company manages an Active Directory forest and has synchronized it with a Microsoft Entra tenant using Microsoft Entra Connect to enable hybrid identity.
The IT team wants to allow users who change their passwords in the cloud to have those new passwords synchronized back to their on-premises accounts without using any additional premium licensing or extra features.
You are evaluating which configuration changes will allow cloud-based password resets to be synchronized to the on-premises environment.
Solution: Configure Pass-through Authentication (PTA) in Microsoft Entra Connect to handle cloud-based password authentication.
Does this configuration address the requirement?”
The answer given is “Yes”.
But the correct answer is no, because SSPR requires Entra ID P1 no matter what authentication method is used.
https://learn.microsoft.com/en-us/entra/identity/authentication/tutorial-enable-sspr-writeback#:~:text=A%20working%20Microsoft%20Entra%20tenant%20with%20at%20least%20a%20Microsoft%20Entra%20ID%20P1%20or%20trial%20license%20enabled.
Hi Avrohomdu,
Thanks for raising this and for including the documentation link—really helpful.
You’re correct that Pass-through Authentication does not handle password writeback, and enabling cloud password resets to sync back on-premises requires Password Writeback, which in turn requires a P1 license.
We’ve noted this and will update the item and its explanation to better reflect the correct behavior and requirements.
Appreciate you flagging this for us!
Regards,
Nikee @ Tutorials Dojo