7,023 questions
Any help here?
https://www.reddit.com/r/AZURE/comments/16gxx7t/ad_cloud_sync_and_forcepwdreset/
Cloud sync for AD to AZ is skipping "Change password at next logon" flag.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(278.4, 9%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELH%3C/text%3E%3C/svg%3E)
Leo Hernandez
0
Reputation points
Hello,
I'm currently setting up Cloud sync for AD to AZ (Microsoft Entra ID). The users have synchronized successfully, I configured SSPS (self service password reset) for all users. When I tested to reset a test user password, it works.
However, when I apply "change password at next logon" from AD, I get the following error message from Microsoft entra ID:
EntrySynchronizationSkip
Result
Skipped
Description
SyncCredentialsChangeItem 'user@domain' will be skipped. OnPremisesChangePasswordOnNextLogOnFeatureNotEnabled
SkipReason
OnPremisesChangePasswordOnNextLogOnFeatureNotEnabled
ReportableIdentifier
User@domain
I have followed every step from this website and researched other websites as well and the issue persists. https://learn.microsoft.com/en-us/entra/identity/authentication/tutorial-enable-cloud-sync-sspr-writeback.
Any help would be appreciated.
Windows for business | Windows Client for IT Pros | Directory services | Active Directory
Microsoft Security | Microsoft Entra | Microsoft Entra ID
25,255 questions
2 answers
Sort by: Most helpful
-
Andy David - MVP 158K Reputation points MVP Volunteer Moderator2024-05-08T16:37:54.9166667+00:00 -
Leo Hernandez 0 Reputation points
2024-05-08T16:42:12.37+00:00 I currently have the Password GPO with MinimumPasswordAge as 0. I have also tried disabling and enabling SSPR.
-
Andy David - MVP 158K Reputation points MVP Volunteer Moderator
2024-05-08T19:32:17.2166667+00:00 Ok, I know this is cloud sync and not Connect sync, but I wonder if you can check this. I dont want to send you down a rabbit hole :)
use powershell and import that module and run this:
Get-ADSyncAADCompanyFeature and see if that works and shows what ForcePasswordChangeOnLogon is set to..
-
Leo Hernandez 0 Reputation points
2024-05-08T19:45:04.1033333+00:00 I have tried the command listed in the website, however when it prompts me for credentials, I enter the global administrator credentials and it errors with the following:
-
Andy David - MVP 158K Reputation points MVP Volunteer Moderator
2024-05-08T22:42:02.89+00:00 H, I was wondering if you could run this: Get-ADSyncAADCompanyFeature
not the set command. You probably dont need to specify the credential switch. I am assuming you have MFA enabled there.
-
Leo Hernandez 0 Reputation points
2024-05-09T14:51:35.76+00:00 When i run the command, it states the command is not recognized, see attachment:
-
Leo Hernandez 0 Reputation points
2024-05-09T16:51:56.1133333+00:00 I have configured AD Connect Sync before using the step provided by this website and i had it working:
https://specopssoft.com/blog/user-must-change-password-at-next-login-azure-ad/
However with AD Cloud sync its different, the commands are not the same and everything I have tried so far does not work.
Sign in to comment -
-
Andy David - MVP 158K Reputation points MVP Volunteer Moderator
2024-05-09T17:36:03.4966667+00:00 Yea understand! I just was just curious if that command would at least let you see whats set.
Are you syncing all users?
If you change the password for the user on-prem and check the option to force password change at the next logon for their account ( both steps), does it then work?
That is required with AADConnect:
-
Leo Hernandez 0 Reputation points
2024-05-09T18:12:45.68+00:00 Yes, im currently syncing all users.
I tried changing the password and checked the option "Change password at next logon", the result was: it did not allow the test user to login, it gave the following error:
If i select "forgot my password", it does allow me to change my password and it synchronizes with the on-prem AD, but if I check the "change password at next logon" from AD it does not work. I see this in Microsoft entra cloud sync when I synchronized:
-
Leo Hernandez 0 Reputation points
2024-05-09T18:20:17.5833333+00:00 Duplicate comment
Sign in to comment -