Question

CraigOwings-3986 asked:

When a user password is reset and "require user to change password at logon" is selected, the user cannot sign into AAD joined devices with the new password

When I have users forget their password and we reset their password in AD and have the "require user to change password at logon" checked, users get a message logging into their AAD joined machines stating "The sign-in method you're trying to use isn't allowed, Try a different sign-in method or contact your system administrator". Logging in with the old password works, if they know it, but if they don't they can't get in. We have to remove the requirement to change the password at logon and then the new password will work, and then they'll never change the password. Is it supposed to work like that?

Tags: azure-active-directory, windows-10-security

Comment: Have you set other policies, like enforcing them to use a complex password?

1 Answer

sikumars answered:

Hello @CraigOwings-3986,

Thanks for reaching out, and apologies for the delayed response.

It is typical to force a user to change their password during their first logon, especially after an admin password reset occurs. It is commonly known as setting a "temporary" password and is completed by checking the "User must change password at next logon" flag on a user object in Active Directory (AD).

The temporary password functionality helps to ensure that the transfer of ownership of the credential is completed on first use, to minimize the duration of time in which more than one individual has knowledge of that credential.

To support temporary passwords in Azure AD for synchronized users, you can enable the ForcePasswordChangeOnLogOn feature, by running the following command on your Azure AD Connect server:

Set-ADSyncAADCompanyFeature -ForcePasswordChangeOnLogOn $true

Note: You should only use this feature when SSPR and Password Writeback are enabled on the tenant. This is so that if a user changes their password via SSPR, it will be synchronized to Active Directory.

For more information read: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-password-hash-synchronization#synchronizing-temporary-passwords-and-force-password-change-on-next-logon

Hope this helps.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
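The two halves of the procedure the answer describes, as an added example that is not part of the original answer: the helpdesk reset that sets the "User must change password at next logon" flag, and the Azure AD Connect side check that only enables ForcePasswordChangeOnLogOn when password hash sync and password writeback are already on. The cmdlets are those of the ActiveDirectory RSAT and ADSync modules; the connector name passed in is an assumption, and SSPR enablement itself is a tenant setting that this script does not check.

```powershell
# Added example, not the original answer's code.
# Helpdesk host: needs the ActiveDirectory RSAT module.
function Reset-TemporaryPassword {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [securestring] $NewPassword
    )
    # Admin reset followed by the "must change at next logon" flag (pwdLastSet = 0).
    # With ForcePasswordChangeOnLogOn enabled on the Connect server, password hash sync
    # carries the flag to Azure AD, so an AAD-joined device prompts for a change instead
    # of rejecting the sign-in method.
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $NewPassword
    Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true

    # Verify the flag actually landed: pwdLastSet should be 0 and PasswordExpired True.
    Get-ADUser -Identity $SamAccountName -Properties pwdLastSet, PasswordExpired |
        Select-Object SamAccountName, pwdLastSet, PasswordExpired
}

# Azure AD Connect server: needs the ADSync module. $ConnectorName is the tenant
# connector as shown by Get-ADSyncConnector (assumed value, e.g. "contoso.onmicrosoft.com - AAD").
function Enable-TemporaryPasswordSync {
    param([Parameter(Mandatory)] [string] $ConnectorName)
    Import-Module ADSync

    $features  = Get-ADSyncAADCompanyFeature
    $writeback = Get-ADSyncAADPasswordResetConfiguration -Connector $ConnectorName

    # Guard rails from the answer's note: the flag only syncs with password hash sync,
    # and without writeback a user who changes the temporary password via SSPR would
    # leave AD with the stale one.
    if (-not $features.PasswordHashSync) {
        throw 'Password hash sync is not enabled; temporary-password sync requires it.'
    }
    if (-not $writeback.Enabled) {
        throw 'Password writeback is disabled for this connector; enable SSPR + writeback first.'
    }
    if ($features.ForcePasswordChangeOnLogOn) {
        return 'ForcePasswordChangeOnLogOn is already enabled.'
    }

    Set-ADSyncAADCompanyFeature -ForcePasswordChangeOnLogOn $true
    # Re-read the tenant feature state rather than trusting the Set call silently.
    (Get-ADSyncAADCompanyFeature).ForcePasswordChangeOnLogOn
}
```

After enabling the feature, only resets performed afterwards carry the flag to Azure AD; users whose flag was set before the change need it set again (or the next scheduled sync cycle to pick up a fresh reset).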


Comment from sikumars: Hello @CraigOwings-3986,

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

Thanks,
