Hello Bret Osment,
Thank you for posting your query on Microsoft Q&A.
As per the description, we understand that you are not able to force a password change for synced (on-premises) users only. Even though "Force change password next sign-in" is set to Yes, users are not asked to change their password when signing in.
This issue occurs if the password writeback option is not enabled in Entra ID Connect while configuring sync.
To enable password writeback in Entra ID, sign in to Microsoft Entra ID, go to Protection > Password reset, choose On-premises integration, check "Write back passwords to your on-premises directory", and optionally check "Write back passwords with Microsoft Entra Connect cloud sync" if provisioning agents are detected.
The on-premises writeback feature requires Microsoft Entra ID P1, Premium P2, or Microsoft 365 Business Premium.
Enable password write back for synced users:
By enabling this setting, you can write back passwords using Microsoft Entra ID for your synced users from on-premises directories.
Write back passwords with Microsoft Entra Connect cloud sync:
This setting is only enabled when "Enable password write back for synced users" is also enabled. This setting allows you to write back passwords to domains where Microsoft Entra Connect provisioning agents (cloud sync) are set up. It is enabled by default when password writeback is enabled for synced users and a provisioning agent is detected. Disable this setting if you no longer want to use Microsoft Entra cloud sync.
Allow users to unlock accounts without resetting their password:
Designates whether or not users who visit the password reset portal should be given the option to unlock their on-premises Active Directory accounts without resetting their password. By default, Microsoft Entra ID always unlocks accounts when performing a password reset; this setting allows you to separate those two operations. If this setting is checked, users are given the option to reset their password and unlock the account, or to unlock without resetting the password. If unchecked, users can only perform a combined password reset and account unlock operation.
On-Premises
On your Domain Controller, you have to enable the Reset password option so that users can change their passwords.
To set up the appropriate permissions for password writeback to occur, complete the following steps:
- In your on-premises AD DS environment, open Active Directory Users and Computers with an account that has the appropriate domain administrator permissions.
- From the View menu, make sure that Advanced Features is turned on.
- In the left panel, right-click the object that represents the root of the domain and select Properties > Security > Advanced.
- From the Permissions tab, select Add.
- For Principal, select the account that permissions should be applied to (the account used by Microsoft Entra Connect).
- In the Applies to drop-down list, select Descendant User objects.
- Under Permissions, select the box for the following option:
  - Reset password
Once you have enabled password writeback in the Entra ID portal and the Reset password option on your Domain Controller, users should be able to reset their passwords. Please let us know if you still have any issues.
I hope this information is helpful. Please feel free to reach out if you have any further questions.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
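The on-premises half of the answer above is easy to get subtly wrong in the GUI (wrong principal, "This object only" instead of "Descendant User objects", or the ACE added on an OU rather than the domain root), and the symptom is exactly the one described: the portal setting looks right but nothing happens at sign-in. The following PowerShell script is an added example, not part of the Microsoft Q&A answer or of Microsoft's own tooling. It audits the domain root ACL for the ACE the GUI steps create (Allow, the "Reset password" extended right, applying to descendant user objects) and only adds it when run with -Grant. It assumes the ActiveDirectory module is installed, that it runs as a domain administrator, and that $ConnectorAccount is the AD account used by Microsoft Entra Connect; the MSOL_PLACEHOLDER name is a placeholder to replace with your own connector account.

```powershell
<#
  Added example (not from the Q&A answer above): audit, and optionally grant,
  the "Reset password" control-access right that password writeback needs.
  Assumes: ActiveDirectory module present, run as domain admin, and
  $ConnectorAccount is the AD account used by Microsoft Entra Connect.
#>
param(
    [string]$ConnectorAccount = 'CONTOSO\MSOL_PLACEHOLDER',  # placeholder: replace with your connector account
    [switch]$Grant                                            # default is audit-only; -Grant adds the ACE
)

Import-Module ActiveDirectory

# Well-known schema GUIDs: the User-Force-Change-Password ("Reset password")
# extended right, and the schemaIDGUID of the user object class.
$ResetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
$UserObjectClass    = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

$DomainDN = (Get-ADDomain).DistinguishedName
$AdPath   = "AD:\$DomainDN"
$Sid      = (New-Object System.Security.Principal.NTAccount($ConnectorAccount)).Translate(
                [System.Security.Principal.SecurityIdentifier])

function Test-WritebackAce {
    # Returns $true when the domain root already carries an Allow ACE for the
    # connector account: ExtendedRight / Reset password / Descendant User objects.
    param([System.DirectoryServices.ActiveDirectorySecurity]$Acl)
    $match = $Acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $ConnectorAccount -and
        $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        $_.ObjectType -eq $ResetPasswordRight -and
        $_.InheritedObjectType -eq $UserObjectClass -and
        $_.InheritanceType -eq 'Descendents'
    }
    return [bool]$match
}

$acl = Get-Acl -Path $AdPath
if (Test-WritebackAce -Acl $acl) {
    Write-Host "OK: $ConnectorAccount has Reset password on descendant user objects of $DomainDN"
    return
}

Write-Warning "$ConnectorAccount is missing the Reset password right on descendant user objects of $DomainDN"
if (-not $Grant) {
    Write-Host 'Audit only. Re-run with -Grant to add the ACE (same effect as the GUI steps).'
    return
}

# Build exactly the ACE the GUI steps create: Allow, ExtendedRight (Reset password),
# inherited by descendant objects of class user only, not by the domain root itself.
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $Sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $ResetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $UserObjectClass
)
$acl.AddAccessRule($rule)
Set-Acl -Path $AdPath -AclObject $acl

# Re-read the ACL and verify rather than trusting the write.
if (Test-WritebackAce -Acl (Get-Acl -Path $AdPath)) {
    Write-Host "Granted: Reset password ACE added for $ConnectorAccount on $DomainDN"
} else {
    Write-Error 'ACE was not applied; confirm the account name resolves and you hold WriteDacl on the domain root.'
}
```

Run it without switches first; an "OK" result means the on-premises side matches the GUI steps and the remaining suspects are the Entra ID writeback setting and licensing. The ACE is scoped to the Reset password right on user objects only, which is the least privilege the connector account needs for writeback; granting broader rights (Full Control, or applying to all descendant objects) is a common over-provisioning to watch for when auditing this account.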