
Office Apps Prompting for Re-authentication and MFA After On-Premises AD Password Reset

Minh Ngà 0 Reputation points
2026-05-18T03:18:55.5933333+00:00

Hi Guys

I am seeking clarification/support regarding user re-authentication behavior following a password reset in our hybrid environment. Below are the details of our current setup and the symptom we are encountering:

Current Environment Setup:

Domain Join: Client computers are joined to an on-premises Active Directory (AD) domain.

Identity Sync: User accounts are created in the on-premises AD and synchronized to Microsoft 365 (M365) via Microsoft Entra Connect.

Licensing: Users are assigned appropriate M365 licenses to utilize Microsoft Teams, Microsoft 365 Apps for enterprise, Exchange Online, etc.

Device Management: Client devices are synchronized to Microsoft Entra ID and configured as Microsoft Entra Hybrid Joined devices.

The Issue / Symptom:

When an administrator resets a user's password in the on-premises AD, the new password synchronizes successfully to M365.

However, when the user opens any Microsoft Office application on their computer, they are prompted to sign in again. They must enter the new password and complete Multi-Factor Authentication (MFA). After doing so, the applications function normally.

This re-authentication prompt only occurs immediately after a user's password is changed.

Our Questions:

  1. Could you tell me if this is the expected behavior for Microsoft Entra Hybrid Joined devices when a password reset triggers token revocation? If yes, please give me a direct link to the Microsoft documentation.
  2. Is there any configuration or best practice (e.g., Seamless SSO settings or Primary Refresh Token - PRT behavior tuning) to optimize this experience so users do not have to manually re-enter their credentials and MFA for Office apps after a password change?

3 answers

  1. Minh Ngà 0 Reputation points
    2026-05-18T04:10:23.0466667+00:00


    I would like to provide an important update and further details regarding our ongoing case.

    We have observed an additional specific symptom when affected users open Microsoft Word or Excel after an on-premises password reset:

    Office Activation Prompt: Instead of a standard account sign-in prompt (which usually just asks to refresh the user session), the system explicitly displays an Office Activation / Subscription Verification window.

    The prompt specifically states that the user needs to sign in to activate Office or verify their license subscription, rather than just a regular application sign-in.

    Given our previous finding that these devices are missing the Primary Refresh Token (AzureAdPrt is set to NO), it appears that the Office licensing service is unable to silently validate the user's M365 license status in the background after the password changes, thereby triggering this activation loop.

    Could you please confirm if this activation/licensing prompt is directly tied to the missing PRT issue? Please advise on the best troubleshooting steps to resolve this specific behavior.


  2. Minh Ngà 0 Reputation points
    2026-05-18T03:24:24.89+00:00

    I am providing more information on this:

    • Additional Diagnostic Finding (Missing PRT): Upon further investigation using the dsregcmd /status command on the affected client machines, we discovered that the Primary Refresh Token (PRT) is missing (AzureAdPrt is set to NO), even though the device state confirms it is successfully Microsoft Entra Hybrid Joined.
    1. What are the potential root causes for Microsoft Entra Hybrid Joined devices failing to acquire a Primary Refresh Token (PRT) in our environment?
    2. Could the lack of a valid PRT on the device be the primary reason why the system forces a hard re-authentication (Password + MFA prompt) in Office apps immediately after an on-premises password reset, instead of handling it via a seamless background refresh?
    3. What logs or diagnostic steps (e.g., Entra ID Sign-in logs, Device Registration event logs) do you recommend we capture next to troubleshoot this PRT acquisition issue?

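A helper for the diagnostic step asked about in the post above, added here as an example and not part of the thread: it parses the output of dsregcmd /status (a constructed sample is embedded; the field names are the ones dsregcmd prints) and flags the hybrid-joined-but-no-PRT state the post describes. It assumes Windows PowerShell 5.1 or later on the client and that the command is run in the affected user's own, non-elevated session, since the PRT is issued per user.

```powershell
# Added example, not from the original thread. Run as the affected user in a
# non-elevated session: the PRT is per user, so another account reports its own state.

function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    $fields = @{}
    foreach ($line in $Lines) {
        # Fields look like "    AzureAdPrt : NO"; section banners (+--- / | ...) carry no key.
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }
    return $fields
}

function Get-PrtFindings {
    param([hashtable]$Fields)
    $findings = @()
    if ($Fields['DomainJoined'] -ne 'YES') { $findings += 'DomainJoined is not YES: device is not on-premises AD joined.' }
    if ($Fields['AzureAdJoined'] -ne 'YES') { $findings += 'AzureAdJoined is not YES: device is not (hybrid) joined to Microsoft Entra ID.' }
    if ($Fields['AzureAdPrt'] -ne 'YES') {
        # The state reported in the thread: joined on both sides, but no PRT for the signed-in user.
        $findings += 'AzureAdPrt is NO: no Primary Refresh Token, so Office/Teams cannot sign in silently.'
    }
    return $findings
}

# Constructed sample modelled on the thread's symptom (hybrid joined, AzureAdPrt NO).
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
              DomainJoined : YES

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : NO
       AzureAdPrtAuthority : https://login.microsoftonline.com/<tenant-id-placeholder>
'@ -split "`r?`n"

Get-PrtFindings (ConvertFrom-DsregStatus $sample)

# On a real client, feed it live output instead of the sample:
# Get-PrtFindings (ConvertFrom-DsregStatus (dsregcmd /status))
```

An empty result means the device is domain joined, hybrid joined and holds a PRT for that user; the sample returns the single AzureAdPrt finding.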

  3. Q&A Assist
    2026-05-18T03:19:10.21+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.
    1. Yes, this behavior is expected.

    In a hybrid environment with Microsoft Entra hybrid-joined devices, when a user’s password is changed or reset, existing sessions and tokens are affected and reauthentication is required. For Office clients, the default behavior is a rolling 90‑day session, but that session is interrupted when the password is reset or the session becomes invalid, which forces the user to sign in again and complete MFA.

    The session behavior is described here: when no special session lifetime settings are configured, Office clients use a rolling 90‑day period, and “if the user resets the password … the user must reauthenticate with the required first and second factors.” This aligns with what is being observed after an on‑premises password reset that synchronizes to Microsoft Entra ID.

    “With this default Office configuration, if the user resets the password or the session is inactive for more than 90 days, the user must reauthenticate with the required first and second factors.”

    This is the closest direct statement of expected behavior for password reset and reauthentication in Microsoft Entra.

    2. Configuration/best practices to optimize the experience

    Within the provided information, optimization options are limited to standard session and device settings; there is no supported configuration that completely avoids reauthentication after a password change.

    Relevant configuration points from the context:

    • Session lifetime and MFA prompts
      • Session lifetime policies and MFA behavior can be tuned using:
        • “Show option to remain signed in” (persistent browser cookie)
        • “Remember multifactor authentication” (e.g., 14 days)
        • Conditional Access “Sign-in frequency” for managed devices
      • However, the most restrictive policy always applies. Even with “Stay signed in” and “Remember MFA,” users must reauthenticate when the password is reset.
    • Managed (hybrid-joined) devices and PRT
      • Hybrid-joined devices receive a Primary Refresh Token (PRT) that provides SSO across applications.
      • If more frequent sign-in is required for some apps, Conditional Access sign-in frequency can be used. Conversely, not configuring aggressive sign-in frequency policies helps reduce prompts, but password reset still forces reauthentication.

    From the context, the practical best practices are:

    • Use Microsoft Entra hybrid join so devices get a PRT for SSO (already in place in this environment).
    • Avoid overly strict Conditional Access sign-in frequency settings that would add extra prompts beyond those caused by password changes.
    • Use “Remember multifactor authentication” and “Stay signed in” options to reduce MFA prompts during normal operation, understanding that password changes still require reauthentication.

    There is no documented setting in the provided material that prevents Office apps from requiring reauthentication after a password reset; this is expected security behavior.

