Hi All, There is an on-prem AD DS that is synced to Azure Entra ID. If a user's password is reset with "User must change password at next logon" checkbox enabled a temporary password is not synced. Is that by design?

Hello Cloud_Geek_82 , Thanks for your question. Yes, it is by design. By default temporary passwords are not synchronized. To support temporary passwords in Microsoft Entra ID for synchronized users, you can enable the ForcePasswordChangeOnLogOn feature. See: https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-password-hash-synchronization#synchronizing-temporary-passwords-and-force-password-change-on-next-logon Please let me know if you have further questions** You can mark it 'Accept Answer' if this helped.

Question about password syncing from on-prem AD to Azure Entra ID

Accepted answer

akinbade abiola 9,390 Reputation points

2024-06-01T10:18:45.2166667+00:00

Hello Cloud_Geek_82,

Thanks for your question.

Yes, it is by design. By default temporary passwords are not synchronized.

To support temporary passwords in Microsoft Entra ID for synchronized users, you can enable the ForcePasswordChangeOnLogOn feature. See:

https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-password-hash-synchronization#synchronizing-temporary-passwords-and-force-password-change-on-next-logon

Please let me know if you have further questions**

You can mark it 'Accept Answer' if this helped.
Please sign in to rate this answer.

1 person found this answer helpful.
Cloud_Geek_82 831 Reputation points

2024-06-01T23:14:09.66+00:00

Hi @akinbade abiola

Thanks for your reply.

Can I ask what Last password sync actually shows.

On the screenshot the last password sync value is 29 minutes but the password was reset and successfully synced around a couple of minutes ago.

akinbade abiola 9,390 Reputation points

2024-06-02T11:44:06.56+00:00

Hello Cloud_Geek_82,

Thanks for the follow-up

what that page shows is here:

pls note Simply setting it doesn’t activate the process by itself. This will only synchronize future events where “user must change password at next logon” is set – it will not sync existing instances where this flag is set on user accounts.

Also, Users with the Password never expires attribute in AD won’t have the force password change flag activated in Entra ID

These are all documented here: https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-password-hash-synchronization#synchronizing-temporary-passwords-and-force-password-change-on-next-logon in the initial link provided.

Please remember to mark 'Accept Answer' if the answer helped.
Sign in to comment

Share via

Question about password syncing from on-prem AD to Azure Entra ID

0 additional answers