AAD Connect synchronization of pwdLastSet

Antonello Ledda Admin 1 Reputation point
2021-11-11T07:25:51.393+00:00

Hello

We have an hybrid environment , AD on prem synchronized by AAD Connect to Azure AD using password hash sync , and we want to get the on prem AD attribute pwdLAstSet synchronized with the corresponding one lastPasswordChangeTimestamp on Azure AD .

Is it possible to achieve this simply changing to the current system time the attribute "pwdLastSet" , by assigning "0" and in turn "-1" to it , as explained in the page ? :

https://social.technet.microsoft.com/Forums/en-US/6622c897-c460-41ce-a237-a6eabff3ca12/why-cant-i-se...

I tried but actually the attribute isn't synchronized , it gets aligned only If I really make a password reset on prem but I'd rather avoid on prem users change their passwords .

Thanks a lot.

Regards

Antonello

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,664 questions
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Marilee Turscak-MSFT 34,306 Reputation points Microsoft Employee
    2021-11-12T19:24:55.887+00:00

    Hi @Antonello Ledda Admin ,

    If your goal is to just make sure those values are synchronized, my understanding is that if you have password writeback enabled, the pwdlastset and LastPasswordChangeTimestamp should update accordingly (maybe a few minutes off at most).

    See: Concept SSPR Writeback
    Password Expiration With AAD Connect

    I haven't tried the manual script that you described, but doing that should just reset the password expiration and move the Last Reset Date.