In doing some research I found the MSOL_* account in AD used by DirSync w/password sync needs to have more rights than the default "Domain Users" group gives it. You can either delegate the password change capability or add the account to the "Domain Admins" group in AD. Immediately after doing this I was able to change the password.
- Excellent article on how to enable: http://msdn.microsoft.com/en-us/library/azure/dn683881.aspx
- Password write-back configuration steps: http://msdn.microsoft.com/en-us/library/azure/dn688249.aspx
- If you have the option in Azure AD Premium requiring users to register before being able to change their password, they must do so before they'll be recognized at the sign-in page (i.e. http://login.microsoftonline.com). For example, if I click on the "Can't access your account" link I'll be taken to https://passwordreset.microsoftonline.com asking for my username and character verification. You will not get past this step if you or your users haven't registered for the service.
- Additionally, you must grant your Office 365 admin account an Azure AD Premium license in order to enable password reset feature(s).
- Lastly, it is advised to enter a telephone number on the "General" tab of the on-prem AD user so that the password reset contact method has at least one verification option.
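The least-privilege alternative mentioned in the post (delegating only the password-related rights to the MSOL_* account instead of putting it in "Domain Admins"), shown as an added PowerShell example that is not from the original post. The account name `MSOL_placeholder` and the domain DN `DC=contoso,DC=com` are placeholders you would replace; the well-known schema GUIDs for the `user` class and the "Reset Password" / "Change Password" control access rights are from the AD schema, and the attribute GUIDs for `pwdLastSet` and `lockoutTime` are read from your schema at run time.

```powershell
# Added example (not from the original post): delegate the rights password
# write-back needs to the DirSync service account, rather than making it a
# Domain Admin. Run as a user allowed to modify the domain root ACL.
Import-Module ActiveDirectory

$DomainDn = 'DC=contoso,DC=com'                       # assumption: your domain DN
$Account  = Get-ADUser -Identity 'MSOL_placeholder'   # assumption: your MSOL_* account
$Sid      = [System.Security.Principal.SecurityIdentifier]$Account.SID

# Schema GUIDs: the "user" object class and the two password control access rights
$UserClassGuid      = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
$ResetPasswordGuid  = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
$ChangePasswordGuid = [Guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'

# Look up an attribute's schemaIDGUID so we don't hard-code it
function Get-AttributeGuid([string]$LdapDisplayName) {
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNc -Filter "lDAPDisplayName -eq '$LdapDisplayName'" `
                        -Properties schemaIDGUID
    return [Guid]$obj.schemaIDGUID
}

$acl = Get-Acl -Path "AD:\$DomainDn"

# "Reset Password" and "Change Password" on all descendant user objects
foreach ($right in $ResetPasswordGuid, $ChangePasswordGuid) {
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $right,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $UserClassGuid)
    $acl.AddAccessRule($ace)
}

# Write permission on pwdLastSet and lockoutTime, which write-back also updates
foreach ($attr in 'pwdLastSet', 'lockoutTime') {
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        (Get-AttributeGuid $attr),
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $UserClassGuid)
    $acl.AddAccessRule($ace)
}

Set-Acl -Path "AD:\$DomainDn" -AclObject $acl

# Verification for the change record: list what the account was granted on the
# domain root, and confirm it did not end up in Domain Admins.
(Get-Acl -Path "AD:\$DomainDn").Access |
    Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $Sid
    } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, AccessControlType

$inDomainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.SID -eq $Sid }
if ($inDomainAdmins) { Write-Warning "$($Account.SamAccountName) is still a Domain Admin" }
```

The delegation is scoped to descendant `user` objects only, so the service account cannot reset passwords on other object classes, and the verification block gives you the ACE list to keep alongside the change for later audit.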