As you know, you have been able to synchronize your users' passwords with Azure AD Connect for quite some time now, thanks to the password hash synchronization feature.
However, there was a gap: the "User must change password at next logon" flag was not synchronized, so a user who had it set in Active Directory was not asked to change the password when signing in to Microsoft cloud services (Office 365 and/or Azure). This of course affects the sign-in process, especially for new user accounts, on Windows 10 Azure AD joined devices.
Another issue is password policies: you have one defined in your Active Directory and another defined in your Azure AD/Office 365 tenant. Their configuration should match, but the cloud password policy did not apply to synchronized users, which made it hard to enforce password expiration: end users who sign in only to Microsoft cloud services, or on a Windows 10 Azure AD joined device, were never asked to change their password.
Well, good news: you can now configure Azure AD Connect to sync the 'change password at next logon' flag and to apply the cloud password policy to synchronized users.
Change the password at next logon
Of course, if you plan to use this capability it is highly recommended to enable Self-Service Password Reset (SSPR) and password writeback so that the updated password is written back to your Active Directory; otherwise your users will be able to change the password and access Microsoft cloud services, but will then fail to log on to on-premises resources because the new password is not valid there.
To enable this capability (in preview at the time of writing), run the PowerShell command below on the Azure AD Connect server (it needs the ADSync module, which is only installed there):
Set-ADSyncAADCompanyFeature -ForcePasswordChangeOnLogOn $true
Once completed, it shows all AADCompanyFeature entries and their state; the new ForcePasswordChangeOnLogOn should now show True.
As always, you can also check whether the feature is already enabled with the command below and look at the value of ForcePasswordChangeOnLogOn:
Get-ADSyncAADCompanyFeature
Then you just need to tick "User must change password at next logon" on the user account and wait for the directory synchronization to complete.
You can check the user's PasswordProfile property in Azure AD with the command below to confirm that ForceChangePasswordNextLogin is set to True (note: I have also selected the DirSyncEnabled attribute just for the purpose of this post):
Get-AzureADUser -ObjectId <UPN of the user account> | fl DirSyncEnabled,PasswordProfile
The screenshots below show the PasswordProfile property before and after enabling the feature; notice the PasswordProfile is empty before
You can also check the Application event log on the Azure AD Connect server for the directory synchronization/password synchronization event ID 657 and look for PwdChangeOnLogon=True in the event details.
And as expected, the user is then asked to change their password when signing in to Microsoft cloud services (including when opening a Windows session on a Windows 10 Azure AD joined device).
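The whole procedure above, end to end, as an added example (this is not code from the original post): it enables the feature only if it is not already on, sets the flag on one on-premises account, triggers a delta sync and then verifies the result both in Azure AD and in the Application log. It assumes it runs on the Azure AD Connect server with the ADSync, ActiveDirectory and AzureAD modules installed; the account 'jdoe' / 'jdoe@contoso.com' is a placeholder, and the 120-second wait is an assumption about how long the password hash sync cycle takes to pick up the change.

```powershell
# Added example, not from the original post. Placeholder identities below.
Import-Module ADSync
Import-Module ActiveDirectory
Import-Module AzureAD

$samAccountName = 'jdoe'               # placeholder on-premises account
$upn            = 'jdoe@contoso.com'   # placeholder cloud UPN

# 1. Enable the tenant-level feature only if it is not already enabled.
$feature = Get-ADSyncAADCompanyFeature
if (-not $feature.ForcePasswordChangeOnLogOn) {
    Set-ADSyncAADCompanyFeature -ForcePasswordChangeOnLogOn $true
    Write-Host 'ForcePasswordChangeOnLogOn enabled'
} else {
    Write-Host 'ForcePasswordChangeOnLogOn was already enabled'
}

# 2. Tick "User must change password at next logon" on the on-premises account.
#    This writes pwdLastSet = 0, which is what password hash sync picks up.
Set-ADUser -Identity $samAccountName -ChangePasswordAtLogon $true

# 3. Trigger a delta sync instead of waiting for the scheduler, then give the
#    password hash sync channel (separate short cycle) time to run.
Start-ADSyncSyncCycle -PolicyType Delta
Start-Sleep -Seconds 120   # assumed wait; adjust for your environment

# 4. Verify that the flag landed on the synced cloud object.
Connect-AzureAD | Out-Null
$cloudUser = Get-AzureADUser -ObjectId $upn
if ($cloudUser.DirSyncEnabled -and $cloudUser.PasswordProfile.ForceChangePasswordNextLogin) {
    Write-Host "$upn is synced and must change password at next logon"
} else {
    Write-Warning "Flag not yet visible for $upn. PasswordProfile: $($cloudUser.PasswordProfile | Out-String)"
}

# 5. Show the most recent password sync events (ID 657) that carry the flag.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 657 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'PwdChangeOnLogon=True' } |
    Select-Object TimeCreated, Id,
        @{ n = 'Summary'; e = { $_.Message.Substring(0, [Math]::Min(200, $_.Message.Length)) } }
```

If step 4 reports the flag as not visible, rerun steps 4 and 5 a few minutes later rather than re-setting the AD flag: password hash sync runs on its own schedule, independent of the delta sync started in step 3.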
Enforce Cloud Password Policy
To enable this feature, use the PowerShell commands below (these use the MSOnline module rather than the ADSync module, so they can run from any machine where MSOnline is installed):
Connect-MsolService
Set-MsolDirSyncFeature -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers -Enable $true
When prompted to confirm enabling the feature, type Yes and confirm the execution.
You can then check if the feature has been successfully enabled using the command
Get-MsolDirSyncFeatures
and check that the EnforceCloudPasswordPolicyForPasswordSyncedUsers feature shows Enabled: True.
When the feature is disabled (the default configuration), the PasswordPolicies property of synchronized users in Azure AD is set to DisablePasswordExpiration.
After enabling the feature, the PasswordPolicies value of each synchronized user is set to None at the next password synchronization, so the tenant password policy (including expiration) now applies to them.
The below screenshots show the PasswordPolicies before and after activating the feature
NOTE: if some synchronized users need a password that never expires (service accounts, for example), you will need to manually reassign DisablePasswordExpiration to their PasswordPolicies after enabling this feature, because the synchronization resets it to None:
Set-AzureADUser -ObjectID <User Object ID> -PasswordPolicies "DisablePasswordExpiration"
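Because enabling the feature flips every synchronized user to None, a practitioner will want to know which synced accounts carried DisablePasswordExpiration before the change, and then put it back only on the ones that are meant to keep it. The script below does that as an added example (not code from the original post): it snapshots the current state to a CSV, enables the feature if needed, re-applies DisablePasswordExpiration to a list of service accounts, and flags any other account from the snapshot for review. It assumes the MSOnline and AzureAD modules are installed and that the two service-account UPNs are constructed placeholders.

```powershell
# Added example, not from the original post. Service-account UPNs are placeholders.
Import-Module MSOnline
Import-Module AzureAD

Connect-MsolService
Connect-AzureAD | Out-Null

# Constructed list: synced accounts that must keep a non-expiring password.
$keepNeverExpire = @('svc-backup@contoso.com', 'svc-scanner@contoso.com')

# 1. Snapshot the synced users that currently carry DisablePasswordExpiration,
#    before the feature resets them all to None.
$before = Get-AzureADUser -All $true |
    Where-Object { $_.DirSyncEnabled -and $_.PasswordPolicies -match 'DisablePasswordExpiration' } |
    Select-Object UserPrincipalName, ObjectId, PasswordPolicies
$before | Export-Csv -Path '.\synced-never-expire-before.csv' -NoTypeInformation
Write-Host "$(@($before).Count) synced users had DisablePasswordExpiration"

# 2. Enable the feature only if it is not already enabled (-Force skips the Y/N prompt).
$state = Get-MsolDirSyncFeatures -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers
if (-not $state.Enabled) {
    Set-MsolDirSyncFeature -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers -Enable $true -Force
    Write-Host 'EnforceCloudPasswordPolicyForPasswordSyncedUsers enabled'
}

# 3. Re-apply DisablePasswordExpiration to the accounts that should keep it.
#    Accounts still showing the value (sync not run yet) are left alone; rerun
#    this part after the next password synchronization has set them to None.
foreach ($upn in $keepNeverExpire) {
    $u = Get-AzureADUser -ObjectId $upn
    if (-not $u.DirSyncEnabled) { Write-Warning "$upn is not a synced user; skipping"; continue }
    if ($u.PasswordPolicies -ne 'DisablePasswordExpiration') {
        Set-AzureADUser -ObjectId $u.ObjectId -PasswordPolicies 'DisablePasswordExpiration'
        Write-Host "Re-applied DisablePasswordExpiration to $upn"
    }
}

# 4. Anything in the snapshot that is not on the keep list now expires like a
#    normal user; surface it so someone decides whether that is intended.
$before | Where-Object { $keepNeverExpire -notcontains $_.UserPrincipalName } |
    ForEach-Object { Write-Warning "Review: $($_.UserPrincipalName) had DisablePasswordExpiration and will now expire" }
```

Run the script once before enabling the feature (to capture the snapshot) and again after the next password synchronization, when step 3 will find the service accounts at None and restore the value; the review list in step 4 is where a forgotten service account with a non-expiring password usually turns up.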
Is this still a valid method since Azure AD Connect version 2.x?
Yes, of course