MrBurns-3843 asked SimonRenMSFT-3639 edited

Azure AD Membership Group changing group from assigned to dynamic

Hi,

I'm pretty new to AD management and am handling the migration of around 100 macOS devices to a new policy. Instead of editing the original device policy (to avoid disruption), I created a new device policy and manually moved all existing devices over to the new policy. This made each user change their password and was implemented this way to cause the least amount of disruption possible. I now have an issue, however: I need to make this policy a dynamic device policy and am wondering whether changing this policy type will in any way cause each user to have to reset their password, for example, or cause any other disruption. I am unable to find any information on this online but may have missed something, so apologies in advance if this question has been asked previously.

Thanks so much in advance for any help provided.







Tags: azure-active-directory, mem-intune-general, mem-intune-device-configurations

1 Answer

SimonRenMSFT-3639 answered SimonRenMSFT-3639 edited

Hi,

Thanks for posting in Microsoft Q&A forum.

1. ==> I need to make this policy a dynamic device policy and am wondering whether changing this policy type will in any way cause each user to have to reset their password for example / cause any other disruption.
Do you mean to change your assigned group that contains around 100 macOS devices to a dynamic group? If yes, after changing the group type, the existing membership may change based on the dynamic membership rule we provide. However, per my experience, if a macOS device already existed in the assigned group before the change and continues to exist in the dynamic group after the change, the reset password policy will not re-run on the device and will not cause any other disruption.

2. May we know which device policy you are using to reset the password for macOS devices? Is it device compliance policy for macOS\System security\Password policy?

If I have misunderstood anything, please feel free to let me know. Thanks for your time.

Best regards,
Simon



Hi,

Thanks for your response. Yes, this is what I'm on about. It seems whenever I make any change to the macOS device policy (compliance policy) on MS Endpoint, it pushes through a password change for everyone to be in compliance. This is massively disruptive as it forces over 100 people to change their password.

Thanks


Hi,

Thanks for your information.

For this strange issue, I have done a lot of research. It seems to be a known issue. From the official article for Windows 10/11: Device Compliance settings for Windows 10/11 in Intune

146527-password.png

The password compliance policy workflow may be this (I'm not very sure):
With the password setting, there is no way for us to read a user's password to see if it meets the length/complexity/etc. requirements, so a password change is required. The user will be prompted to set a password that meets these requirements even though the password already met the requirements. At that point, any password change will need to meet these requirements.

Similar threads from other customers:
MacOS forcing users to reset password after Compliance Policy changes
Password requirements - Configuration vs Compliance
Please note: The links are not from Microsoft, just for your reference.

In this situation, I will summarize this and try to deliver it to the product team, but this is not guaranteed. Once there is any feedback, I will get back to you at the first opportunity. Thank you for your kind understanding.

Best regards,
Simon

