Pages

25 May 2023

New user cannot login after creation - User must change password at next logon - Azure ADConnect

And yes, here's another thing I learned today.

When a new user is created in on-premises AD and it has the "User must change password at next logon" flag set it does not get synced automatically to AzureAD by default. 😲


Note the word "automatically".

Turns out you have to configure Azure ADConnect to sync it.

If you look at the default setting it this:



To Enable it, you can use the below command.
Set-ADSyncAADCompanyFeature -ForcePasswordChangeOnLogOn $true


After this you need to enforce the cloud password policy.

To do this first connect to the MSOL service
Connect-MsolService

And then run the following:
Set-MsolDirSyncFeature -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers

When requested to enable the feature, type Yes and confirm the execution.



NOTE if synchronized users need to have the password to never expirer (let say for service accounts for example), you will need to manually reassign the DisablePasswordExpiration value to the PasswordPolicies after enabling this feature

Set-AzureADUser -ObjectID <User Object ID> -PasswordPolicies "DisablePasswordExpiration"

The flaw in the configuration has been resolved in Azure AD Connect 2.0.3.

In the previous version, when an expired password was "unexpired" by clearing the "Must change password at next logon" flag, the unexpired password was not synchronized with Azure Active Directory (Azure AD) unless the password itself was changed. This meant that users had to continue using their old expired password when signing in to Azure AD.

However, in Azure AD Connect 2.0.3 and later versions, passwords are reevaluated when an expired password is "unexpired," regardless of whether the password itself is changed. If the "Must change password at next logon" flag is cleared, indicating that the password is no longer set to change, the unexpired status and the password hash are now synced to Azure AD. This improvement allows users to use their unexpired password when signing in to Azure AD.

To benefit from this fix, it is recommended to upgrade to the latest version of Azure AD Connect if you are using an older version. It's worth noting that Azure AD Connect 2.0.3 requires Windows Server 2016 or a newer version. You can find guidance on how to upgrade Azure AD Connect to the latest version if you are currently using an older version.

No comments:

Post a Comment