Azure AD Connect – You can now synchronize your password policy and force the password change at next logon (preview)

As you know, you have been able to synchronize your users' passwords with Azure AD Connect for quite some time now thanks to the password hash synchronization (PHS) feature.

However, there has been a small gap: the "User must change password at next logon" flag was not synchronized, so a user whose on-premises account carried it was never asked to change the password when signing in to Microsoft cloud services (Office 365 and/or Azure). This of course affects the logon process (especially for new user accounts) when signing in to a Windows 10 Azure AD Joined device, where the first logon is a cloud logon.

Another issue is with password policies: you have one defined in your Active Directory and another one defined in your Azure AD/Office 365 tenant. Their configuration should match, but the cloud password policy did not apply to synchronized users at all. This made it difficult to comply with password expiration, as a user who only signs in to Microsoft cloud services or to a Windows 10 Azure AD Joined device would never be asked to change an expired password.

Well, good news: you can now ask Azure AD Connect to synchronize the "change password at next logon" flag, and you can have the cloud password policy enforced on synchronized users. Both are covered below.


Change the password at next logon

Of course, if you plan to use this capability it is highly recommended to enable Self-Service Password Reset (SSPR) and password writeback so that the new password the user sets in the cloud is written back to your Active Directory. Otherwise the user will be able to change the password and access Microsoft cloud services, but will then fail to log on to on-premises resources because the new password only exists in Azure AD and the on-premises password has not changed.

To enable this capability (in preview), run the PowerShell command below on the Azure AD Connect server, as it comes from the ADSync module that is only installed there:

Set-ADSyncAADCompanyFeature -ForcePasswordChangeOnLogOn $true


Once completed, the cmdlet lists all the AAD company features and their state; the new ForcePasswordChangeOnLogOn entry should now show True.


As always, you can also check whether the feature has already been enabled with the command below and look at the value of ForcePasswordChangeOnLogOn:

Get-ADSyncAADCompanyFeature

Then you just need to tick "User must change password at next logon" on the on-premises user account (this sets the pwdLastSet attribute to 0, which is what Azure AD Connect picks up) and let a directory synchronization cycle complete.


You can then check the user's PasswordProfile property in Azure AD with the command below and confirm that ForceChangePasswordNextLogin is set to True (note: I have selected the DirSyncEnabled attribute just for the purpose of this post):

Get-AzureADUser -ObjectId <UPN of the user account> | fl DirSyncEnabled,PasswordProfile

Before the feature is enabled the PasswordProfile property is empty for a synchronized user; after the feature is enabled and the sync has run, it contains ForceChangePasswordNextLogin = True.

You can also check the Application event log on the Azure AD Connect server for the password synchronization result event 657 and look for PwdChangeOnLogon=True in the description details.

And, as expected, the user is then asked to change the password when signing in to Microsoft cloud services (including when opening a Windows session on a Windows 10 Azure AD Joined device).
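The whole procedure above, from enabling the feature to verifying the flag in Azure AD and in the event log, as one script. This is an added example and not code from the original post; it is meant to be run on the Azure AD Connect server with the ADSync, ActiveDirectory and AzureAD modules available. The user names, the sleep interval and the event provider name 'Directory Synchronization' are assumptions, so verify the latter in Event Viewer against an existing event 657 before relying on the filter.

```powershell
# Added example (not from the original post). Run elevated on the Azure AD
# Connect server. $Upn / $Sam are a hypothetical test account.
$Upn = 'jdoe@contoso.com'   # assumed test user (UPN)
$Sam = 'jdoe'               # assumed test user (sAMAccountName)

Import-Module ADSync
Import-Module ActiveDirectory
Import-Module AzureAD

# 1. Make sure PHS is on (nothing would sync otherwise) and enable the
#    preview feature once per tenant; the call is idempotent.
$feat = Get-ADSyncAADCompanyFeature
if (-not $feat.PasswordHashSync) { throw 'Password hash synchronization is not enabled.' }
if (-not $feat.ForcePasswordChangeOnLogOn) {
    Set-ADSyncAADCompanyFeature -ForcePasswordChangeOnLogOn $true
    $feat = Get-ADSyncAADCompanyFeature
}
"ForcePasswordChangeOnLogOn = $($feat.ForcePasswordChangeOnLogOn)"

# 2. Flag the on-premises account. -ChangePasswordAtLogon $true sets
#    pwdLastSet to 0, which is what the ADUC checkbox does. AD refuses the
#    flag when "Password never expires" is set, so check that first.
$ad = Get-ADUser -Identity $Sam -Properties PasswordNeverExpires, pwdLastSet
if ($ad.PasswordNeverExpires) { throw "$Sam has 'Password never expires' set; the flag cannot be applied." }
Set-ADUser -Identity $Sam -ChangePasswordAtLogon $true
$ad = Get-ADUser -Identity $Sam -Properties pwdLastSet
"on-prem pwdLastSet = $($ad.pwdLastSet) (0 = change required)"

# 3. Trigger a delta sync instead of waiting for the 30 minute scheduler.
#    Password sync follows shortly after the cycle; the wait is an assumption.
Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
Start-Sleep -Seconds 120

# 4. Verify in Azure AD.
Connect-AzureAD | Out-Null
$aad    = Get-AzureADUser -ObjectId $Upn
$forced = [bool]$aad.PasswordProfile.ForceChangePasswordNextLogin
"cloud DirSyncEnabled=$($aad.DirSyncEnabled) ForceChangePasswordNextLogin=$forced"

# 5. Cross-check with the password sync result event 657 for this user.
#    Provider name is an assumption; confirm it in Event Viewer.
$evt = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Directory Synchronization'; Id = 657 } `
           -MaxEvents 500 -ErrorAction SilentlyContinue |
       Where-Object { ($_.Message -match [regex]::Escape($Upn) -or $_.Message -match [regex]::Escape($Sam)) -and
                      $_.Message -match 'PwdChangeOnLogon=True' } |
       Select-Object -First 1
if ($evt) { "event 657 at $($evt.TimeCreated): PwdChangeOnLogon=True for $Sam" }
else      { "no matching event 657 yet; re-run the check after the next password sync" }

if (-not $forced) {
    Write-Warning 'Flag not present in Azure AD yet. Check that a password sync has run (event 657) before assuming the feature is broken.'
}
```

Step 2 is the part people trip over: the checkbox and the cmdlet both write pwdLastSet = 0, and AD will not accept it on an account that has "Password never expires" set, so service accounts are excluded from this flow by design.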


Enforce Cloud Password Policy

To enable this feature, use the PowerShell commands below (they need the MSOnline module, so they can run from any machine, not only the Azure AD Connect server; note the -Enable parameter is required by Set-MsolDirSyncFeature):

Connect-MsolService

Set-MsolDirSyncFeature -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers -Enable $true

When prompted to confirm enabling the feature, type Yes and confirm the execution (adding -Force to the command skips the prompt).

You can then check whether the feature has been successfully enabled using the command

Get-MsolDirSyncFeatures

and look for the EnforceCloudPasswordPolicyForPasswordSyncedUsers feature, which should now show Enabled: True.

When the feature is disabled (the default configuration), the PasswordPolicies property of every synchronized user in Azure AD is set to DisablePasswordExpiration, which is why the cloud policy never applied to them.

After activating the feature, the next password synchronization for a user sets that user's PasswordPolicies value to None, and the cloud password expiration applies from then on.

Before activating the feature a synchronized user shows PasswordPolicies = DisablePasswordExpiration; after activation and the next password sync it shows PasswordPolicies = None.

NOTE: if some synchronized users need a password that never expires (say, service accounts), you will need to manually reassign the DisablePasswordExpiration value to their PasswordPolicies after enabling this feature, and again after any password synchronization for those accounts, since that is what resets the value to None:

Set-AzureADUser -ObjectId <User Object ID> -PasswordPolicies "DisablePasswordExpiration"
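The enforcement procedure above (compare the two policies, enable the feature, then re-pin the accounts that must never expire and report who is now subject to expiration) as one script. This is an added example, not code from the original post. It assumes the MSOnline, AzureAD and ActiveDirectory modules, a verified domain name, and a hypothetical AD group 'Svc-NoExpire' that holds the service accounts; adjust those names.

```powershell
# Added example (not from the original post). Domain and group names are
# assumptions; replace them with your own.
Import-Module MSOnline
Import-Module AzureAD
Import-Module ActiveDirectory

Connect-MsolService
Connect-AzureAD | Out-Null

$Domain      = 'contoso.com'    # assumed verified tenant domain
$NoExpireGrp = 'Svc-NoExpire'   # assumed AD group of never-expire service accounts

# 1. Show both policies side by side. Once enforcement is on, the cloud
#    ValidityPeriod is what synced users are measured against in the cloud,
#    so the two should agree with each other.
$adPol    = Get-ADDefaultDomainPasswordPolicy
$cloudPol = Get-MsolPasswordPolicy -DomainName $Domain
"AD MaxPasswordAge    : $($adPol.MaxPasswordAge.Days) days"
"Cloud ValidityPeriod : $($cloudPol.ValidityPeriod) days (notify $($cloudPol.NotificationDays) days before)"
if ([int]$adPol.MaxPasswordAge.Days -ne [int]$cloudPol.ValidityPeriod) {
    Write-Warning 'On-premises and cloud expiration periods differ; align them before enabling enforcement.'
}

# 2. Enable the feature (idempotent) and verify it.
$f = Get-MsolDirSyncFeatures -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers
if (-not $f.Enabled) {
    Set-MsolDirSyncFeature -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers -Enable $true -Force
    $f = Get-MsolDirSyncFeatures -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers
}
"EnforceCloudPasswordPolicyForPasswordSyncedUsers Enabled = $($f.Enabled)"

# 3. Re-apply DisablePasswordExpiration to the service accounts. A password
#    sync for one of these accounts resets the value to None, so re-run this
#    step whenever one of them gets a new on-premises password.
$svc = Get-ADGroupMember -Identity $NoExpireGrp |
       Where-Object objectClass -eq 'user' |
       Get-ADUser -Properties UserPrincipalName
foreach ($u in $svc) {
    $aadUser = Get-AzureADUser -ObjectId $u.UserPrincipalName -ErrorAction SilentlyContinue
    if (-not $aadUser) { Write-Warning "$($u.UserPrincipalName) not found in Azure AD (not synced yet?)"; continue }
    if ($aadUser.PasswordPolicies -ne 'DisablePasswordExpiration') {
        Set-AzureADUser -ObjectId $aadUser.ObjectId -PasswordPolicies 'DisablePasswordExpiration'
        "pinned  : $($u.UserPrincipalName)"
    } else {
        "already : $($u.UserPrincipalName)"
    }
}

# 4. Report every synchronized user who is now subject to cloud expiration,
#    so a forgotten service account shows up here before it locks something.
Get-AzureADUser -All $true |
    Where-Object { $_.DirSyncEnabled -and $_.PasswordPolicies -ne 'DisablePasswordExpiration' } |
    Select-Object UserPrincipalName, PasswordPolicies |
    Format-Table -AutoSize
```

Step 4 is the check worth keeping as a scheduled report: the value is per user and is rewritten by password sync, so a one-off fix at enablement time is not enough for accounts whose passwords are rotated.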
