Azure AD Connect – You can now synchronize your password policy and force the password change at next logon (preview)

As you know, you have been able to synchronize your users' passwords with Azure AD Connect for quite some time now thanks to the password hash synchronization feature.

However, there has been a small gap: you were not able to get the "User must change password at next logon" attribute value synchronized so that the user would be asked to change the password when logging on to Microsoft cloud services (Office 365 and/or Azure). This of course impacts the logon process (especially for new user accounts) when logging on to a Windows 10 Azure AD joined device.

Another issue is with password policies: you have one defined in your Active Directory and another one defined in your Azure AD/Office 365 tenant. Their configuration should match, but the cloud password policy did not apply to synchronized users, making it difficult to comply with password expiration because end users would not be asked to change their password when logging on only to Microsoft cloud services or to a Windows 10 Azure AD joined device.

Well, good news: you can now ask Azure AD Connect to sync both the "change password at next logon" flag and the password policy to Azure AD.

Change the password at next logon

Of course, if you plan to use this capability it is highly recommended to enable Self-Service Password Reset (SSPR) and password write-back so that the user's updated password is synced back to your Active Directory; otherwise your user will be able to change the password and access Microsoft cloud services but will then fail to log on to on-premises resources, as the old password will no longer be valid there.

To enable this capability (in preview), run the PowerShell command below from the Azure AD Connect server (you need the Azure AD Connect module).

Set-ADSyncAADCompanyFeature -ForcePasswordChangeOnLogOn $true


Once completed, it shows all AAD company features and their state; the new 'ForcePasswordChangeOnLogOn' feature should now show True.

As always, you can also check whether the feature is already enabled with the command below and look at the value of ForcePasswordChangeOnLogOn.

Get-ADSyncAADCompanyFeature

Then you just need to have the "User must change password at next logon" attribute checked on the user account and wait for the directory synchronization to complete.

You can check the user's PasswordProfile property in Azure AD with the command below to confirm that ForceChangePasswordNextLogin is set to True (note: I have selected the DirSyncEnabled attribute just for the purpose of this post).

Get-AzureADUser -ObjectId <UPN of the user account> | fl DirSyncEnabled,PasswordProfile

[Screenshots: the PasswordProfile property before enabling the feature (empty) and after (ForceChangePasswordNextLogin = True)]

You can also check the Application event log on the Azure AD Connect server for the directory synchronization/password synchronization event 657 and look for PwdChangeOnLogon=True in the description details.
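The checks above, put together as an added audit script (not code from the original post): it confirms the Azure AD Connect feature state, lists the synchronized users whose PasswordProfile carries the flag, and cross-checks the password synchronization events on the Connect server. It assumes Connect-AzureAD has already been run and that the Get-ADSyncAADCompanyFeature and Get-WinEvent parts run on the Azure AD Connect server.

```powershell
# Added example: audit synced users flagged "change password at next logon".
# Assumes: AzureAD module connected (Connect-AzureAD); steps 1 and 3 run on the
# Azure AD Connect server. Property names follow the output shown in the post.

# 1) Confirm the Azure AD Connect company feature is enabled.
$feature = Get-ADSyncAADCompanyFeature
if (-not $feature.ForcePasswordChangeOnLogOn) {
    Write-Warning "ForcePasswordChangeOnLogOn is not enabled; the flag will not be synced."
}

# 2) List synchronized users whose PasswordProfile has ForceChangePasswordNextLogin.
$pending = Get-AzureADUser -All $true |
    Where-Object {
        $_.DirSyncEnabled -eq $true -and
        $null -ne $_.PasswordProfile -and
        $_.PasswordProfile.ForceChangePasswordNextLogin -eq $true
    } |
    Select-Object UserPrincipalName, ObjectId,
        @{ Name = 'ForceChange'; Expression = { $_.PasswordProfile.ForceChangePasswordNextLogin } }
Write-Host ("{0} synchronized user(s) must change their password at next logon." -f @($pending).Count)
$pending | Format-Table -AutoSize

# 3) Cross-check: password synchronization events (ID 657) from the last 24 hours
#    whose details mention PwdChangeOnLogon=True.
$since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 657; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'PwdChangeOnLogon=True' } |
    Select-Object TimeCreated, @{ Name = 'Details'; Expression = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

Run step 2 before and after a synchronization cycle to confirm the flag actually arrived in Azure AD for the account you ticked on-premises.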

And, as expected, your user will be asked to change their password when logging on to Microsoft cloud services (including opening a Windows session on a Windows 10 Azure AD joined device).

Enforce Cloud Password Policy

To enable this feature, use the PowerShell commands below.

Connect-MsolService

Set-MsolDirSyncFeature -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers

When asked to enable the feature, type Yes and confirm the execution.

You can then check whether the feature has been successfully enabled using the command

Get-MsolDirSyncFeatures

and look at the EnforceCloudPasswordPolicyForPasswordSyncedUsers feature, which should now show Enabled: True.

When the feature is disabled (default configuration), the PasswordPolicies property in Azure AD is set to DisablePasswordExpiration.

After activating the feature, the value of PasswordPolicies will be set to None at the next password synchronization.

[Screenshots: the PasswordPolicies property before activating the feature (DisablePasswordExpiration) and after (None)]

NOTE: if synchronized users need their password to never expire (service accounts, for example), you will need to manually reassign the DisablePasswordExpiration value to PasswordPolicies after enabling this feature.

Set-AzureADUser -ObjectId <User Object ID> -PasswordPolicies "DisablePasswordExpiration"
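The note above, as an added example (not code from the original post): after enabling EnforceCloudPasswordPolicyForPasswordSyncedUsers it reports how many synchronized users are now subject to expiration and re-applies DisablePasswordExpiration only to a reviewed list of service accounts, skipping accounts that are not synchronized or already exempt. It assumes Connect-AzureAD has been run; the UPNs in $serviceAccounts are constructed placeholders.

```powershell
# Added example: re-apply DisablePasswordExpiration to known service accounts after
# enabling the cloud password policy for synced users. Assumes Connect-AzureAD done.
# The UPNs below are constructed placeholders; replace them with your reviewed list.
$serviceAccounts = @(
    'svc-backup@contoso.example',
    'svc-scanner@contoso.example'
)

# Synchronized users now subject to expiration: PasswordPolicies is None (or empty).
$expiring = Get-AzureADUser -All $true |
    Where-Object {
        $_.DirSyncEnabled -eq $true -and
        ([string]::IsNullOrEmpty($_.PasswordPolicies) -or $_.PasswordPolicies -eq 'None')
    }
Write-Host ("{0} synchronized user(s) are subject to the cloud password policy." -f @($expiring).Count)

foreach ($upn in $serviceAccounts) {
    $user = Get-AzureADUser -ObjectId $upn -ErrorAction SilentlyContinue
    if ($null -eq $user) { Write-Warning "$upn not found in Azure AD"; continue }
    if (-not $user.DirSyncEnabled) { Write-Warning "$upn is not a synchronized account; skipping"; continue }
    if ($user.PasswordPolicies -eq 'DisablePasswordExpiration') {
        Write-Host "$upn already has DisablePasswordExpiration"
        continue
    }
    # Same call as in the post, applied per account from the reviewed list.
    Set-AzureADUser -ObjectId $user.ObjectId -PasswordPolicies 'DisablePasswordExpiration'
    Write-Host "$upn -> DisablePasswordExpiration re-applied"
}

# Verify: every listed service account should now report DisablePasswordExpiration.
$serviceAccounts | ForEach-Object {
    Get-AzureADUser -ObjectId $_ | Select-Object UserPrincipalName, DirSyncEnabled, PasswordPolicies
} | Format-Table -AutoSize
```

Keep the exemption list short and reviewed: every account left on DisablePasswordExpiration is one the cloud policy will never force to rotate.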

Benoit Hamet
Benoit is working on Microsoft collaborative technologies. He has been awarded as MVP for more than 12 years, currently MVP on Office 365 after being awarded on SharePoint (2011-2012) and Windows client & server (2002-2007). Speaker at various Microsoft events (TechDays, TechNet seminars) and Quest Software. He works on on-premises (Active Directory, RADIUS/NPS, Exchange, Skype for Business, SharePoint, SQL, Terminal Server, Windows client and Windows Server) and online (Azure, Intune, Office 365, Exchange Online, SharePoint Online, Skype for Business Online, Teams) technologies.
