Password change request on next logon isn't requested on M365 login, just on-premise AD accounts despite sync

Federico Coppola 120 Reputation points
2024-06-22T16:36:15.02+00:00

Hello folks,
I'll briefly summarize my scenario:

  • I am running a Windows Server 2022 Domain Controller on-premise
  • I deployed Microsoft Entra Connect on this Win Server 2022 DC to sync on-premise AD accounts with Microsoft 365 accounts, enabling password hash synchronization.

Sync between on-premise domain controller and M365/Azure AD is working properly.

The company policy is to change passwords every 45 days; this is defined via GPO domains.
I need to permit password change from Microsoft 365 too.
I already enabled Password Writeback, but it is not working.

For example:

I edited a domain account synchronized with M365, so I ticked the option "Password change on next log-on".
I waited more than 30 minutes, but the Microsoft 365 web login didn't request any password change from me.

It is also important that a password change, if 45 days have passed, is also possible via M365.
What did I do wrong?

Thanks for your help!


Accepted answer
  1. akinbade abiola 18,305 Reputation points
    2024-06-22T18:27:15.06+00:00

    Hello Federico Coppola,

    Thanks for your question.

    By default, temporary passwords are not synchronized to Entra ID.

    To support temporary passwords in Microsoft Entra ID for synchronized users, you can enable the ForcePasswordChangeOnLogOn feature. See:

    https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-password-hash-synchronization#synchronizing-temporary-passwords-and-force-password-change-on-next-logon

    If a user was created in Active Directory with "User must change password at next logon" before the feature was enabled, the user will receive an error while signing in. To remediate this issue, un-check and re-check the field "User must change password at next logon" in Active Directory Users and Computers. After synchronizing the user object changes, the user will receive the expected prompt in Microsoft Entra ID to update their password.

    You should only use this feature when SSPR and Password Writeback are enabled on the tenant. This is so that if a user changes their password via SSPR, it will be synchronized to Active Directory.

    The above are excerpts from the doc above.

    You can mark it 'Accept Answer' and 'Upvote' if this helped you

    Regards,

    Abiola
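
The procedure from the accepted answer, scripted in PowerShell as an added example that is not part of the original thread or of the linked documentation. It assumes an elevated session on the Microsoft Entra Connect server with the ADSync and ActiveDirectory modules available; the OU path is a placeholder.

```powershell
# Added example. Precondition from the answer: SSPR and Password Writeback are
# already enabled on the tenant (verify this in the Entra admin center first).
Import-Module ADSync            # installed with Microsoft Entra Connect
Import-Module ActiveDirectory   # RSAT Active Directory module

# 1. Check the sync feature and enable it only if it is currently off.
$feature = Get-ADSyncAADCompanyFeature
if (-not $feature.ForcePasswordChangeOnLogOn) {
    Set-ADSyncAADCompanyFeature -ForcePasswordChangeOnLogOn $true
    Write-Host 'ForcePasswordChangeOnLogOn enabled.'
} else {
    Write-Host 'ForcePasswordChangeOnLogOn was already enabled.'
}

# 2. Find enabled users that already carry "User must change password at next
#    logon" (pwdLastSet = 0). These may have been flagged before the feature
#    was turned on and would hit the sign-in error the answer describes.
$searchBase = 'OU=Staff,DC=example,DC=local'   # placeholder, adjust to your domain
$flagged = Get-ADUser -SearchBase $searchBase `
    -Filter 'Enabled -eq $true -and pwdLastSet -eq 0' `
    -Properties pwdLastSet

# 3. Un-check and re-check the flag so the change is picked up by the next sync.
#    Clearing the flag stamps pwdLastSet with the current time; setting it
#    again returns it to 0.
foreach ($user in $flagged) {
    try {
        Set-ADUser -Identity $user -ChangePasswordAtLogon $false -ErrorAction Stop
        Set-ADUser -Identity $user -ChangePasswordAtLogon $true  -ErrorAction Stop
        Write-Host "Re-flagged $($user.SamAccountName)"
    } catch {
        # For example, accounts with "Password never expires" reject the flag.
        Write-Warning "Skipped $($user.SamAccountName): $($_.Exception.Message)"
    }
}

# 4. Push the attribute changes to Microsoft Entra ID without waiting for the
#    scheduled cycle.
Start-ADSyncSyncCycle -PolicyType Delta
```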


1 additional answer

  1. Federico Coppola 120 Reputation points
    2024-06-24T08:13:23.42+00:00

    Hello,
    I really appreciate your support!
    Is Microsoft Business license necessary for every user?
    Right now we are using Microsoft 365 Standard license, so I cannot activate "Password Writeback policy".

    Thanks a lot
    Federico

