I believe you need to turn on ForcePasswordChangeOnLogOn and you need SSPR (self-service password reset) set up. See https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-password-hash-synchronization#synchronizing-temporary-passwords-and-force-password-change-on-next-logon and https://learn.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr
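As an added illustration of the two settings named in the answer above (this is example code, not part of the original thread or of Microsoft's documentation), the following PowerShell turns on the ForcePasswordChangeOnLogOn company feature on the Azure AD Connect server and lists the on-premises accounts that currently carry the "must change password at next logon" flag. It assumes the ADSync module (installed with Azure AD Connect) and the ActiveDirectory RSAT module are present, and that SSPR is enabled separately in the portal; it only enables syncing of the flag and does not change what the Windows lock screen does.

```powershell
# Added example (not from the thread): enable syncing of the
# "user must change password at next logon" flag from on-prem AD to
# Azure AD, then list the on-prem accounts the flag currently applies to.
# Run on the Azure AD Connect server as a member of the ADSyncAdmins group.
# Assumptions: the ADSync module (installed with Azure AD Connect) and the
# ActiveDirectory RSAT module are available; SSPR is enabled separately in
# the Azure portal.

Import-Module ADSync
Import-Module ActiveDirectory

# 1. Inspect the current company feature flags.
$feature = Get-ADSyncAADCompanyFeature
"ForcePasswordChangeOnLogOn is currently: $($feature.ForcePasswordChangeOnLogOn)"

# 2. Turn the feature on if it is off. The next password hash sync cycle
#    then carries the force-change flag along with the new hash.
if (-not $feature.ForcePasswordChangeOnLogOn) {
    Set-ADSyncAADCompanyFeature -ForcePasswordChangeOnLogOn $true
    "Enabled ForcePasswordChangeOnLogOn."
}

# 3. Find enabled accounts that have "User must change password at next
#    logon" set. AD stores this as pwdLastSet = 0, so filter on that.
$mustChange = Get-ADUser -Filter { pwdLastSet -eq 0 -and Enabled -eq $true } -Properties pwdLastSet |
    Select-Object SamAccountName, UserPrincipalName

"Enabled accounts currently flagged to change password at next logon:"
$mustChange | Format-Table -AutoSize

# 4. Optional: run a delta sync now so the flag reaches Azure AD without
#    waiting for the 30-minute scheduler.
Start-ADSyncSyncCycle -PolicyType Delta
```

Check the ADSync event log (Application log, source ADSync) after the delta cycle if the flag does not appear to propagate; a password hash sync that fails for the affected user will also fail to carry the force-change flag.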
When a user password is reset and "require user to change password at logon" is selected, the user cannot sign into AAD joined devices with the new password
When I have users forget their password and we reset their password in AD and have the "require user to change password at logon" checked, users get a message logging into their AAD joined machines stating "The sign-in method you're trying to use isn't allowed. Try a different sign-in method or contact your system administrator." Logging in with the old password works, if they know it, but if they don't they can't get in. We have to remove the requirement to change the password at logon and then the new password will work, and then they'll never change the password. Is it supposed to work like that?
5 additional answers
-
Craig Owings 21 Reputation points
2021-04-05T22:56:06.033+00:00 Thank you @Nick Hogarth , that is exactly what I was looking for.
-
Frédéric de Vinck 1 Reputation point
2021-10-06T15:44:44.667+00:00 Sorry, but I want to mention that Microsoft officially documents that this is not yet supported (FAQ):
How can users change their temporary or expired password on Azure AD joined devices?
Currently, Azure AD joined devices do not force users to change password on the lock screen. So, users with temporary or expired passwords will be forced to change passwords only when they access an application (that requires an Azure AD token) after they log in to Windows.
Frédéric
-
Jean-Francois Dupras 1 Reputation point
2021-11-11T04:23:09.17+00:00 I'm shocked to see that it is not supported. We have to ask users to log into an app or website before being able to get on their device.
-
Simon Burbery 556 Reputation points
2022-04-07T15:01:46.603+00:00 Forcing change of passwords is 'old school' and proven to provide little benefit... they will increment the number at the end right? If you are in the cloud you MUST have MFA enabled (and SSPR), full stop. And with that enabled, users don't need to change their password on a schedule... use Conditional Access to force password change based on risk level of user or device. Follow the Microsoft guidance, it's not like on-premises anymore: https://learn.microsoft.com/en-us/microsoft-365/admin/misc/password-policy-recommendations?view=o365-worldwide
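The risk-based alternative the answer above recommends, as an added example that is not part of the original thread: a Conditional Access policy created through the Microsoft Graph PowerShell SDK that requires MFA and a password change when Identity Protection rates the user's risk as high. It assumes the Microsoft.Graph module is installed, Azure AD Premium P2 licensing (user risk conditions need Identity Protection), an account that can consent to Policy.ReadWrite.ConditionalAccess, and a break-glass group whose object ID is a placeholder you must replace.

```powershell
# Added example (not from the thread): create a Conditional Access policy
# that requires MFA plus a password change when Identity Protection rates
# the signed-in user's risk as "high". Assumptions: Microsoft.Graph
# PowerShell SDK installed, Azure AD Premium P2 licensing for user risk,
# and an account allowed to consent to Policy.ReadWrite.ConditionalAccess.

Import-Module Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Policy body: scope to all users and all cloud apps, condition on user risk,
# and grant access only after MFA AND a password change. The password change
# control requires MFA in the same policy, and SSPR must be enabled for the
# change itself to succeed.
$policy = @{
    displayName = "Risk: high user risk requires MFA and password change"
    # Start in report-only so the effect can be reviewed in the sign-in logs
    # before it is enforced. Change to "enabled" once satisfied.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers  = @("All")
            # Assumed break-glass group object ID (placeholder), excluded so
            # emergency accounts are never locked out by a risk policy.
            excludeGroups = @("00000000-0000-0000-0000-000000000000")
        }
        applications   = @{ includeApplications = @("All") }
        userRiskLevels = @("high")
    }
    grantControls = @{
        operator        = "AND"
        builtInControls = @("mfa", "passwordChange")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"
```

Leave the policy in report-only mode for a few days and review the "Report-only" tab of the sign-in logs to confirm it only fires for users Identity Protection actually flags before switching the state to enabled.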