And yes, here's another thing I learned today.
When a new user is created in on-premises AD with the "User must change password at next logon" flag set, that flag does not get synced automatically to Azure AD by default. 😲
Note the word "automatically".
Turns out you have to configure Azure AD Connect to sync it.
If you look at the default setting, it is this:
To enable it, you can use the command below (run from the ADSync module on the Azure AD Connect server):
Set-ADSyncAADCompanyFeature -ForcePasswordChangeOnLogOn $true
To do this, first connect to the MSOL service:
Connect-MsolService
And then run the following (the -Enable $true switch is what actually turns the feature on):
Set-MsolDirSyncFeature -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers -Enable $true
When requested to enable the feature, type Yes and confirm the execution.
Set-AzureADUser -ObjectID <User Object ID> -PasswordPolicies "DisablePasswordExpiration"
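Before assuming the flag flows to the cloud, it is worth checking both settings and listing who is currently affected. The audit script below is an added example, not part of the original post; it assumes the ADSync, ActiveDirectory, MSOnline and AzureAD modules are installed, that Connect-MsolService and Connect-AzureAD have already been run, and that the on-premises UPN matches the Azure AD sign-in name.

```powershell
# Added example (not from the original post): audit whether the on-prem
# "User must change password at next logon" flag will reach Azure AD.
# Assumes: ADSync/ActiveDirectory/MSOnline/AzureAD modules present,
# Connect-MsolService and Connect-AzureAD already run, UPN = cloud sign-in name.
Import-Module ADSync
Import-Module ActiveDirectory

# 1. Azure AD Connect feature: ForcePasswordChangeOnLogOn (off by default).
$companyFeature = Get-ADSyncAADCompanyFeature
if (-not $companyFeature.ForcePasswordChangeOnLogOn) {
    Write-Warning "ForcePasswordChangeOnLogOn is disabled: the flag will NOT be synced."
    Write-Host    "Fix: Set-ADSyncAADCompanyFeature -ForcePasswordChangeOnLogOn `$true"
}

# 2. Tenant feature: enforce the cloud password policy for hash-synced users.
$dirSync = Get-MsolDirSyncFeatures -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers
if (-not $dirSync.Enabled) {
    Write-Warning "EnforceCloudPasswordPolicyForPasswordSyncedUsers is disabled."
    Write-Host    "Fix: Set-MsolDirSyncFeature -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers -Enable `$true"
}

# 3. Who is affected right now? AD stores "must change at next logon" as pwdLastSet = 0.
$pending = Get-ADUser -Filter { pwdLastSet -eq 0 -and Enabled -eq $true } `
                      -Properties pwdLastSet, UserPrincipalName

foreach ($u in $pending) {
    # Look up the matching cloud object by UPN and show its password policies,
    # so a user with "DisablePasswordExpiration" set in the cloud stands out.
    $cloud = Get-AzureADUser -ObjectId $u.UserPrincipalName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        OnPremUser            = $u.SamAccountName
        MustChangeOnPrem      = $true
        ExistsInAzureAD       = [bool]$cloud
        CloudPasswordPolicies = if ($cloud) { $cloud.PasswordPolicies } else { $null }
    }
}
```

Run it after enabling the features and a delta sync to confirm that the warnings are gone and that no affected user carries a cloud-side "DisablePasswordExpiration" policy that would mask the on-premises flag.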
The flaw in the configuration has been resolved in Azure AD Connect 2.0.3.
In the previous version, when an expired password was "unexpired" by clearing the "Must change password at next logon" flag, the unexpired password was not synchronized with Azure Active Directory (Azure AD) unless the password itself was changed. This meant that users had to continue using their old expired password when signing in to Azure AD.
However, in Azure AD Connect 2.0.3 and later versions, passwords are reevaluated when an expired password is "unexpired," regardless of whether the password itself is changed. If the "Must change password at next logon" flag is cleared, indicating that the password is no longer set to change, the unexpired status and the password hash are now synced to Azure AD. This improvement allows users to use their unexpired password when signing in to Azure AD.
To benefit from this fix, it is recommended to upgrade to the latest version of Azure AD Connect if you are using an older version. It's worth noting that Azure AD Connect 2.0.3 requires Windows Server 2016 or a newer version. You can find guidance on how to upgrade Azure AD Connect to the latest version if you are currently using an older version.