This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 45%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECO%3C/text%3E%3C/svg%3E)
When I have users forget there password and we reset their password in AD and have the "require user to change password at logon" checked, users get a message logging into their AAD joined machines stating "The sign-in method you're trying to use isn't allowed, Try a different sign-in method or contact your system administrator". Logging in with the old password works, if they know it, but if they don't they can't get in. We have to remove the requirement to change the password at logon and then the new password will work, and then they'll never change the password. Is it supposed to work like that?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(86.4, 66%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENH%3C/text%3E%3C/svg%3E)
I believe you need to turn on ForcePasswordChangeOnLogOn and you need SSPR (self-service password reset) set up. See https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-password-hash-synchronization#synchronizing-temporary-passwords-and-force-password-change-on-next-logon and https://learn.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr
Thank you @Nick Hogarth , that is exactly what I was looking for.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(252.8, 12%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFD%3C/text%3E%3C/svg%3E)
Sorry, but I want to mention that Microsoft officially documents that is not yet supported: faq
How can users change their temporary or expired password on Azure AD joined devices?
Currently, Azure AD joined devices do not force users to change password on the lock screen. So, users with temporary or expired passwords will be forced to change passwords only when they access an application (that requires an Azure AD token) after they login to Windows.
Frédéric
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(12.8, 75%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJF%3C/text%3E%3C/svg%3E)
I'm shocked to see that it is not supported. We have to ask users to log into a app or website before being able to get on his device.
Forcing change of passwords is 'old school' and proven to provide little benefit... they will increment the number at the end right? If you are in the cloud you MUST have MFA enabled (and SSPR), full stop. And with that enabled, users don't need to change their password on a schedule... use Conditional Access to force password change based on risk level of user or device. Follow the Microsoft guidance, it's not like on-premises anymore: https://learn.microsoft.com/en-us/microsoft-365/admin/misc/password-policy-recommendations?view=o365-worldwide
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 64%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMH%3C/text%3E%3C/svg%3E)
I don't disagree with your sentiment Simon, but it's also unacceptable that users can sign into computers without any prompt to change their password. We can enforce a reset just fine during Autopilot & enrollment, but not after enrollment? That's ridiculous.
For context on my perspective: We are a Google Workspace K-12 district who provides Windows laptops & desktops for varying parts of curriculum in grades 6-12. Most kids will never sign into their Microsoft account until they need to sign into a shared device, and once logged on, they will have no need to access a Microsoft 365 service - they'll solely be using Chrome w/ a Google account and launching local applications. Students are just going to ignore the notification requesting that they reset their passwords.
Since SSO with Google as our primary identity isn't supported at the login screen, I'm forced to have students take out a second device just so they can go to office.com and change their credentials. Allowing students to skirt by with their default password isnt an option... these are nodes on our internal network, so I am just as worried about local security as I am about cloud security. We have been able to enforce a reset at the login screen for decades now... why not now?
I know the windows login screen is delicate, but we need some option for first time logins on an existjng AADJ device. I am desperately waiting for a fix.