Thursday, May 23, 2024

Synchronizing User must change password at next logon flag to Azure AD

By default, Azure AD Connect does not synchronize the “User must change password at next logon” attribute from your on-premises Active Directory, so users flagged on-premises are not forced to update their password when they sign in through Azure Active Directory.

To enable this for your directory, there is one basic requirement: Password Writeback must be enabled in your Azure AD Connect settings, so that a new password set in Azure AD is written back to your on-premises Active Directory. As you know, enabling Self Service Password Reset (SSPR) allows users to reset their password on their own.

On the Azure AD Connect server, open PowerShell and run Get-ADSyncAADCompanyFeature to check whether ForcePasswordChangeOnLogOn has been set.

Get-ADSyncAADCompanyFeature | fl

To enable it, use the command below.

Set-ADSyncAADCompanyFeature -ForcePasswordChangeOnLogOn $true
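As an added example (not code from the original post), the following script checks the prerequisites discussed above before enabling the feature, and lists which on-premises accounts currently carry the flag so you know who will be affected. The “* - AAD” connector name pattern, the Get-ADSyncAADPasswordResetConfiguration call and the pwdLastSet filter are assumptions about your environment rather than anything the post states.

```powershell
# Added example: audit and enable ForcePasswordChangeOnLogOn on an Azure AD Connect
# server, after confirming password writeback is on. Run in an elevated PowerShell
# session on the Azure AD Connect server (ADSync and ActiveDirectory modules needed).
# Assumptions: the Azure AD connector is named "<tenant>.onmicrosoft.com - AAD".
# Run with -WhatIf to report only, without changing anything.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

Import-Module ADSync
Import-Module ActiveDirectory

# 1. Password writeback must be enabled, otherwise the new password the user sets
#    in Azure AD after the forced change never reaches on-premises AD.
$aadConnector = Get-ADSyncConnector |
    Where-Object { $_.Name -like '* - AAD' } |
    Select-Object -First 1
if (-not $aadConnector) { throw 'No Azure AD connector found on this server.' }

$writeback = Get-ADSyncAADPasswordResetConfiguration -Connector $aadConnector.Name
if (-not $writeback.Enabled) {
    throw "Password writeback is disabled on '$($aadConnector.Name)'. Enable it first."
}

# 2. Current state of the company feature.
$feature = Get-ADSyncAADCompanyFeature
Write-Host "ForcePasswordChangeOnLogOn currently: $($feature.ForcePasswordChangeOnLogOn)"

if (-not $feature.ForcePasswordChangeOnLogOn) {
    if ($PSCmdlet.ShouldProcess('Azure AD Connect', 'Enable ForcePasswordChangeOnLogOn')) {
        Set-ADSyncAADCompanyFeature -ForcePasswordChangeOnLogOn $true
    }
}

# 3. Users flagged "must change password at next logon" have pwdLastSet = 0 in AD.
#    Listing them shows who will be forced to change in Azure AD once the flag syncs.
$flagged = Get-ADUser -Filter 'pwdLastSet -eq 0 -and Enabled -eq "True"' -Properties pwdLastSet |
    Select-Object SamAccountName, UserPrincipalName
Write-Host "Enabled users with the flag set: $(@($flagged).Count)"
$flagged | Format-Table -AutoSize

# 4. Push the change with a delta sync cycle.
if ($PSCmdlet.ShouldProcess('Azure AD Connect', 'Start delta sync')) {
    Start-ADSyncSyncCycle -PolicyType Delta
}
```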

There was a flaw in this configuration, which is fixed from Azure AD Connect 2.0.3:

“Passwords will now be reevaluated when an expired password is “unexpired”, regardless of whether the password itself is changed. If for a user the password is set to “Must change password at next logon”, and this flag is cleared (thus “unexpiring” the password) then the “unexpired” status and the password hash are synced to Azure AD, and when the user attempts to sign in in Azure AD they can use the unexpired password.”

As you can see, if you set this flag (change password at next logon) and then un-set it, the unexpired password was previously not synced to Azure Active Directory. This is no longer the case from Azure AD Connect 2.0.3: when you uncheck the flag, the same password is synced and retained in Azure Active Directory. As you know, Azure AD Connect 2.0.3 requires Windows Server 2016 or above.
You can follow Upgrading Azure AD Connect to the latest version if you are running an older version.

Satheshwaran Manoharan
https://www.azure365pro.com
Award-winning Technology Leader with a wealth of experience running large teams and diversified industry exposure in cloud computing. From shipping lines to rolling stocks. In-depth expertise in driving cloud adoption strategies and modernizing systems to cloud native. Specialized in Microsoft Cloud, DevOps, and Microsoft 365 Stack and conducted numerous successful projects worldwide. Also, Acting as a Technical Advisor for various start-ups.
