(66) Azure AD Connect - Force the password change at next logon
- Mr B SOE way
- May 20, 2023
- 2 min read
With the help of "Password writeback", you have been able to synchronize your users' passwords with Azure AD Connect for quite some time now, thanks to the password hash synchronization feature.
Refer to the setup here for using "Password writeback" configured as part of Azure AD Connect.
There has been a small gap, however: the "User must change password at next logon" attribute value was not synchronized, so the user was not asked to change the password when logging on to Microsoft cloud services (Office 365 and/or Azure). This affects the logon process (especially for new user accounts) when logging on to Windows 10/11 Azure AD joined devices.
It is highly recommended to enable Self-Service Password Reset (SSPR) and password writeback so that the user's updated password is synced back to your on-premises Active Directory.
The steps are as follows:
1. On the server where Azure AD Connect sits, open PowerShell as administrator and run the following: Get-ADSyncAADCompanyFeature
You can see that "ForcePasswordChangeOnLogon" is set to False.

2. To enable this capability, run the following:
Set-ADSyncAADCompanyFeature -ForcePasswordChangeOnLogOn $true

Note: Existing users within the tenant do not get the "flag" ticked.
3. Next, in Active Directory, tick the "User must change password at next logon" check box on an existing or new user account and wait for the directory synchronization to complete.

4. Navigate to https://portal.azure.com, then Users, and search for the user. Open the properties of that user account and you will see that the "Password profile" attribute has two policies: "Force change password next sign in" and "Force change password next sign in on MFA".

5. If this is a new user, the user will have to set up MFA first; follow the wizard until this is done.

6. After MFA has been set up, the user will be prompted to enter the current and updated passwords.

7. Once the user has updated the password, you can see in the Azure portal that the "Password profile" attribute no longer has a policy assigned.
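Steps 1 to 3 as one idempotent PowerShell script, an added example that is not part of the original post. It assumes it is run as administrator on the Azure AD Connect server with the ADSync and ActiveDirectory modules installed, and the user name you pass in (for example 'jdoe') is a placeholder.

```powershell
# Added example: enable ForcePasswordChangeOnLogon, flag one AD user, and kick off a delta sync.
# Assumes: run as administrator on the Azure AD Connect server; ADSync and ActiveDirectory modules present.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)][string]$SamAccountName   # placeholder user to flag, e.g. 'jdoe'
)

Import-Module ADSync -ErrorAction Stop
Import-Module ActiveDirectory -ErrorAction Stop

# Steps 1 and 2: read the tenant feature and enable it only if it is still off.
$feature = Get-ADSyncAADCompanyFeature
if (-not $feature.ForcePasswordChangeOnLogon) {
    if ($PSCmdlet.ShouldProcess('Azure AD tenant', 'Enable ForcePasswordChangeOnLogon')) {
        Set-ADSyncAADCompanyFeature -ForcePasswordChangeOnLogOn $true
    }
} else {
    Write-Verbose 'ForcePasswordChangeOnLogon is already enabled'
}

# Step 3: existing users do not get the flag ticked automatically, so set it on the user explicitly.
$user = Get-ADUser -Identity $SamAccountName -Properties pwdLastSet
if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Set "User must change password at next logon"')) {
    Set-ADUser -Identity $user -ChangePasswordAtLogon $true
}

# Verify: the check box is stored in AD as pwdLastSet = 0.
$pwdLastSet = (Get-ADUser -Identity $SamAccountName -Properties pwdLastSet).pwdLastSet
if ($pwdLastSet -ne 0) {
    throw "pwdLastSet for $SamAccountName is $pwdLastSet, expected 0"
}

# Push the flag to Azure AD with a delta sync, unless a cycle is already running.
if ((Get-ADSyncScheduler).SyncCycleInProgress) {
    Write-Warning 'A sync cycle is already in progress; the flag goes out with that cycle or the next one.'
} elseif ($PSCmdlet.ShouldProcess('Azure AD Connect', 'Start delta sync cycle')) {
    Start-ADSyncSyncCycle -PolicyType Delta
}

# Re-read the tenant setting so the final state is shown.
Get-ADSyncAADCompanyFeature | Select-Object ForcePasswordChangeOnLogon
```

Run it with -WhatIf first to see what would change; note that Set-ADUser refuses -ChangePasswordAtLogon $true on an account that has PasswordNeverExpires set.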
