Password change request on next logon isn't requested on M365 login, just on-premise AD accounts, despite sync

Federico Coppola 125 Reputation points
2024-06-22T16:36:15.02+00:00

Hello folks,
Briefly, my scenario is:

  • I am running a Windows Server 2022 Domain Controller on-premise
  • I deployed Microsoft Entra Connect on this Win Server 2022 DC to sync on-premise AD accounts with Microsoft 365 accounts, enabling password hash synchronization.

Sync between on-premise domain controller and M365/Azure AD is working properly.

The company policy is to change passwords every 45 days; this is defined via domain GPO.
I need to permit password change from Microsoft 365 too.
I already enabled Password Writeback, but it is not working.

For example:

I edited a domain account synchronized with M365, ticking the option "Password change on next log-on".
I waited more than 30 minutes, but the Microsoft 365 web login didn't prompt me for any password change.

It is also important that a password change, if 45 days have passed, is also possible via M365.
What did I do wrong?

Thanks for your help!


Accepted answer
  1. Abiola Akinbade 29,490 Reputation points Volunteer Moderator
    2024-06-22T18:27:15.06+00:00

    Hello Federico Coppola,

    Thanks for your question.

    By default temporary passwords are not synchronized to Entra ID.

    To support temporary passwords in Microsoft Entra ID for synchronized users, you can enable the ForcePasswordChangeOnLogOn feature. See:

    https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-password-hash-synchronization#synchronizing-temporary-passwords-and-force-password-change-on-next-logon

    If a user was created in Active Directory with "User must change password at next logon" before the feature was enabled, the user will receive an error while signing in. To remediate this issue, un-check and re-check the field "User must change password at next logon" in Active Directory Users and Computers. After synchronizing the user object changes, the user will receive the expected prompt in Microsoft Entra ID to update their password.

    You should only use this feature when SSPR and Password Writeback are enabled on the tenant. This is so that if a user changes their password via SSPR, it will be synchronized to Active Directory.

    The above are excerpts from the doc above.

    You can mark it 'Accept Answer' and 'Upvote' if this helped you

    Regards,

    Abiola
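Added example, not part of the answer above or of Microsoft's documentation: the steps the answer describes, as PowerShell run in an elevated session on the Microsoft Entra Connect server. The cmdlets come from the ADSync module (installed with Entra Connect) and the ActiveDirectory module; the account name `jdoe` is a placeholder, and the check on `pwdLastSet` relies on AD storing "must change password at next logon" as a value of 0 in that attribute.

```powershell
# Added example (not the answer's or Microsoft's own code). Run on the
# Entra Connect server in an elevated PowerShell session.
Import-Module ADSync
Import-Module ActiveDirectory

# 1. Check whether the feature is already enabled on the tenant connector.
#    Look at the ForcePasswordChangeOnLogOn property in the output.
Get-ADSyncAADCompanyFeature

# 2. Enable it. Only do this with SSPR and Password Writeback already on,
#    otherwise a password the user sets in the cloud never flows back to AD.
Set-ADSyncAADCompanyFeature -ForcePasswordChangeOnLogOn $true

# 3. For a user whose flag was set BEFORE the feature was enabled, clear and
#    re-set "User must change password at next logon" so the change is exported.
$user = 'jdoe'   # placeholder account name
Set-ADUser -Identity $user -ChangePasswordAtLogon $false
Set-ADUser -Identity $user -ChangePasswordAtLogon $true

# AD represents the flag as pwdLastSet = 0; confirm it is set before syncing.
Get-ADUser -Identity $user -Properties pwdLastSet |
    Select-Object SamAccountName, pwdLastSet

# 4. Run a delta sync now instead of waiting for the 30-minute scheduler.
Start-ADSyncSyncCycle -PolicyType Delta

# 5. The user's next Microsoft 365 sign-in should now prompt for a new
#    password; with writeback enabled, that password is written to AD,
#    so the 45-day domain policy is satisfied from the cloud side as well.
```

Run step 1 first on its own: if `ForcePasswordChangeOnLogOn` already reports `True`, the fix is only steps 3 and 4 for the affected users.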


1 additional answer

  1. Federico Coppola 125 Reputation points
    2024-06-24T08:13:23.42+00:00

    Hello,
    I really appreciate your support!
    Is Microsoft Business license necessary for every user?
    Right now we are using Microsoft 365 Standard license, so I cannot activate "Password Writeback policy".

    Thanks a lot
    Federico
