password expiration

Question

I am attempting to roll out the SSPR feature (using AAD Connect) in our environment. Password writeback works (as in the user can initiate a password change from Office 365 by clicking Settings > Reset Password).

However, newly created users that have "User must change password at next sign on" checked in AD, receive "Your password has expired. Type your updated password and try again" instead of being prompted to change the password when signing into 365.

I have set the following permissions for the AAD Connect account in the root OU of our domain:

Reset Password
Write Permissions on lockouttime
Write Permissions on pwdLastSet
Extended rights for "Unexpire password"

In addition to this, I have updated to the latest version of AAD Connect and disabled/enabled the writeback feature.

I did notice that the "Unexpire password" permission does not seem to inherit on the child OUs. Is there something else I am missing?

Answer 1

Hi Brady,
Thanks for posting.

To support "next logon password change" passwords in Azure AD for synchronized users, you can enable the ForcePasswordChangeOnLogOn feature, by running the following command on your Azure AD Connect server:

Set-ADSyncAADCompanyFeature -ForcePasswordChangeOnLogOn $true

Full details given here. Read and let us know for any clarifications.
Section (Synchronizing temporary passwords and "Force Password Change on Next Logon")
https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-password-hash-synchronization

Read more about Unsupported writeback operations in the last section:

https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-writeback