Unexpire Password not working for password writeback

Solid Snake 1 Reputation point


I am attempting to roll out the SSPR feature (using AAD Connect) in our environment. Password writeback works (as in the user can initiate a password change from Office 365 by clicking Settings > Reset Password).

However, newly created users that have "User must change password at next sign on" checked in AD, receive "Your password has expired. Type your updated password and try again" instead of being prompted to change the password when signing into 365.

I have set the following permissions for the AAD Connect account in the root OU of our domain:

Reset Password
Write Permissions on lockouttime
Write Permissions on pwdLastSet
Extended rights for "Unexpire password"

In addition to this, I have updated to the latest version of AAD Connect and disabled/enabled the writeback feature.

I did notice that the "Unexpire password" permission does not seem to inherit on the child OUs. Is there something else I am missing?

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,216 questions
{count} votes

1 answer

Sort by: Most helpful
  1. James Hamil 22,891 Reputation points Microsoft Employee

    Hi @Solid Snake , the product team got back to me. AD connect does not support that flag out of the box, you need to enable it before it can get through SSPR+writeback. Implement password hash synchronization with Azure AD Connect sync | Microsoft Learn. Please let me know if this works or if you have any questions!

    If this answer helped you please mark it as "Verified" so other users may reference it.

    Thank you,

    0 comments No comments