User password doesn't sync to O365 if 'User must change password at next logon' is enabled
It is standard practice to require the user to change their first-time (temporary) password when they log in for the first time. But if we create a new user on-premises with this flag enabled, the user's password doesn't sync to O365 and the user cannot log in to O365. This is a security issue for scenarios where organizations use only cloud-hosted applications with an account created on-premises. We need functionality so that O365 is able to sync the temporary password from on-premises and force the user to change it if it has never been changed or on first-time login. This feature works for accounts created in the cloud, but not for accounts created on-premises.
Reference : https://support.microsoft.com/en-us/kb/2855271
Bart Vermeersch commented
Apparently this feature is in public preview now: https://blog.hametbenoit.info/2019/10/09/azure-ad-connect-you-can-now-synchronize-your-password-policy-and-force-the-password-change-at-next-logon-preview/
I have the same issue. The 'user must change password' attribute doesn't replicate to Office 365. The problem is that a temporary password doesn't replicate to Office 365 either, and users can log in with their old password.
Michel Zehnder commented
I haven't found an explanation as to <why> it is like it is... What's the reason for the current behavior?
I am having the same issue that is mentioned here in the post of 14-07-2016.
1) We don't want to use the pass-through authentication option nor the ADFS construction.
2) We have enabled password hash sync, SSSO and the write-back options. SSPR is in place.
3) Everything is working fine if we don't set the on-premises option (user must change password at next logon).
The security policy of our organisation urges us to use the option mentioned, but the users with that option activated cannot log in to O365 and they get errors (username/password not correct).
I don't like workarounds, but in this case I have to use one.
1) Add the on-premises AD account with the option (user must change password at next logon).
2) Wait for the AD/AAD sync (or just force the sync if you want to go on).
3) In the O365 admin center, change the user's password (same password as in step 1).
(Changing the password of the same user in the AAD portal generates an error: "Unfortunately, you cannot reset this user's password because your on-premises policy does not allow it. Please review your on-premises policy to ensure that it is setup correctly.")
The user should now be able to log in to O365 services and will be forced to change the default password.
Hopefully we will get a fix for this issue soon, MS.
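An added PowerShell example (not code from the thread or from Microsoft) that automates the three workaround steps above and, for the preview feature linked earlier in the thread, shows the Azure AD Connect setting that syncs the flag natively. It assumes the ActiveDirectory, ADSync and Microsoft.Graph.Users modules, that it runs on the Azure AD Connect server with an existing Connect-MgGraph session holding User.ReadWrite.All, that password hash sync and password writeback are enabled, and that the OU path, UPN and wait time are placeholders.

```powershell
# Added example, not from the thread. Assumes ActiveDirectory, ADSync and
# Microsoft.Graph.Users modules; Connect-MgGraph already done (User.ReadWrite.All).
Import-Module ActiveDirectory
Import-Module ADSync
Import-Module Microsoft.Graph.Users

# Audit: accounts flagged "must change password at next logon" have pwdLastSet = 0
# and their hash never reaches Azure AD, so they fail O365 sign-in until fixed.
function Get-MustChangeAtLogonUsers {
    param([string]$SearchBase)   # placeholder OU, e.g. 'OU=Users,DC=contoso,DC=local'
    Get-ADUser -Filter 'pwdLastSet -eq 0 -and Enabled -eq $true' `
               -SearchBase $SearchBase -Properties pwdLastSet, whenCreated |
        Select-Object SamAccountName, UserPrincipalName, whenCreated
}

# Workaround steps 1-3 from the post above, for one user.
function New-SyncedUserWithTempPassword {
    param(
        [string]$SamAccountName,
        [string]$Upn,
        [string]$OuPath,
        [securestring]$TempPassword
    )
    # Step 1: create the on-prem account with the must-change flag set.
    New-ADUser -Name $SamAccountName -SamAccountName $SamAccountName `
               -UserPrincipalName $Upn -Path $OuPath -Enabled $true `
               -AccountPassword $TempPassword -ChangePasswordAtLogon $true

    # Step 2: force a delta sync instead of waiting for the scheduler.
    Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
    Start-Sleep -Seconds 120   # constructed wait; adjust to your export time

    # Step 3: set the same temporary password in the cloud and keep the
    # force-change behaviour there, so the first sign-in must change it.
    $plain = [System.Net.NetworkCredential]::new('', $TempPassword).Password
    Update-MgUser -UserId $Upn -PasswordProfile @{
        Password                      = $plain
        ForceChangePasswordNextSignIn = $true
    }
}

# Preferred fix once the preview feature linked above is available to you:
# let Azure AD Connect sync temporary passwords and the flag itself
# (run on the Azure AD Connect server; needs password writeback).
function Enable-ForcePasswordChangeSync {
    Set-ADSyncAADCompanyFeature -ForcePasswordChangeOnLogOn $true
}
```

Run Get-MustChangeAtLogonUsers first to see which existing accounts are affected before applying the per-user workaround.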
It looks like a bug in the application with Office 365.
When the password was changed in Active Directory as an administrator, it was not synchronizing to Office 365.
We proceeded to review the roles of the administrators involved in this process.
We ran the installation wizard again and updated the connectors via PowerShell.
We installed the latest version of the synchronization tool.
Passwords synchronized correctly when the Active Directory administrator changed them,
but when the user changes it themselves from their Active Directory, they do not synchronize.
We explained that our recommendation is that the option for the user to change the password at next logon should be unchecked, because otherwise the password will not synchronize with Office 365.
On this page you will find information about this topic.
We ask Microsoft, and hope, as has always been the case, that they review the case and treat it as a request to review the problem, because apparently it affects many customers who have reported it.
Jorge Rivera
Enabling Pass-through Authentication fixes this issue; keep in mind that password writeback is also needed.
Apparently pass-through authentication in Azure AD Connect solves this problem: https://samcogan.com/azure-ad-connect-and-the-trouble-with-expired-passwords/
Paul Slade commented
This still appears to be an issue. We have users who don't authenticate to the local AD but do authenticate to O365 services. When setting up the user on local AD with change password on first login, this doesn't sync to O365, so they can't log in, as the error states the password is incorrect. Please fix this.
Dustin Newby commented
Agreed. We are a healthcare organization and we must require users to change their passwords at first login. Many of our users do not authenticate on a PC, so we are going to have to reset them on the portal, and those that are unable to log in to a PC will have to be reset in AD. Since both systems have password sync enabled and both systems have the "require user to change password" feature, it's nonsense that it doesn't replicate.