This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Hello.
I am attempting to roll out the SSPR feature (using AAD Connect) in our environment. Password writeback works (as in the user can initiate a password change from Office 365 by clicking Settings > Reset Password).
However, newly created users that have "User must change password at next sign on" checked in AD, receive "Your password has expired. Type your updated password and try again" instead of being prompted to change the password when signing into 365.
I have set the following permissions for the AAD Connect account in the root OU of our domain:
Reset Password
Write Permissions on lockouttime
Write Permissions on pwdLastSet
Extended rights for "Unexpire password"
In addition to this, I have updated to the latest version of AAD Connect and disabled/enabled the writeback feature.
I did notice that the "Unexpire password" permission does not seem to inherit on the child OUs. Is there something else I am missing?
Hi, we are investigating your issue and will update you shortly.
Best,
James
Hi @Solid Snake , so sorry for the delay in response. I'll expedite this for you. What happens if the user updates their password? Does it still send the same message? We may have to open a support ticket for you in this case. Also, what documents are you following for this? I'll try to reproduce the bug.
Best,
James
Sorry for the late response.
If the user logs in and initiates the password change themselves, they are able to change the password and it successfully writes back to on prem AD.
If the "User Must Change Password at next logon" box is checked in AD, the user is unable to login and receives the error message.
I have followed these documents:
Microsoft Documentation:
Non-Microsoft:
1https://blog.naglis.no/?p=3923
Hi @Solid Snake , I've reached out to the product team and should hear back soon!
Best,
James
Hi @Solid Snake , the product team got back to me. AD connect does not support that flag out of the box, you need to enable it before it can get through SSPR+writeback. Implement password hash synchronization with Azure AD Connect sync | Microsoft Learn. Please let me know if this works or if you have any questions!
If this answer helped you please mark it as "Verified" so other users may reference it.
Thank you,
James