Forum Discussion

virtual-tech
Brass Contributor
Oct 28, 2024

Force change password at next login on-premise and MS online

Hi

Currently, I have a hybrid environment with AD on-premise, Azure AD sync (with password hash & SSPR), and Exchange Online.

My goal is to force change the password at the next login from on-premise AD to MS online and vice versa.

It's working. When I change the password on-premise AD, MS Online prompts me to change the password. It is not working when I set the account from the Admin center to force the password change at the next login; it does not sync to on-premise AD. The domain computer will not prompt to change password.

Thanks in advance

MS recommends trying this:

# Install the Microsoft Graph PowerShell SDK (once per admin workstation)
Install-Module -Name Microsoft.Graph

# Sign in with the scope needed to read and change the directory sync settings
Connect-MgGraph -Scopes "OnPremDirectorySynchronization.ReadWrite.All"

Then run this command.

# Read the current on-premises directory synchronization configuration
$OnPremSync = Get-MgDirectoryOnPremiseSynchronization

# Turn on the "force password change on next logon" sync feature
$OnPremSync.Features.UserForcePasswordChangeOnLogonEnabled = $true

# Write the modified feature set back to the tenant
Update-MgDirectoryOnPremiseSynchronization -OnPremisesDirectorySynchronizationId $OnPremSync.Id -Features $OnPremSync.Features


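As an added example (not part of the original post or of Microsoft's documentation), the same Graph calls wrapped in a check-then-enable script that re-reads the tenant setting to confirm it persisted, and then inspects the on-premises side for one test account. It assumes the ActiveDirectory RSAT module is available, that the signed-in account holds the OnPremDirectorySynchronization.ReadWrite.All scope, and uses a placeholder test user name.

```powershell
# Added example: check, enable and verify the UserForcePasswordChangeOnLogonEnabled sync feature.
# Assumes the Microsoft.Graph and ActiveDirectory modules are installed.
$TestUser = 'testuser01'   # placeholder sAMAccountName of an on-prem test account (assumption)

Connect-MgGraph -Scopes 'OnPremDirectorySynchronization.ReadWrite.All' -NoWelcome

# 1. Read the current sync configuration and report the feature state.
$sync = Get-MgDirectoryOnPremiseSynchronization
if (-not $sync) { throw 'No on-premises directory synchronization object found; is Entra Connect configured?' }
Write-Host "UserForcePasswordChangeOnLogonEnabled is currently: $($sync.Features.UserForcePasswordChangeOnLogonEnabled)"

# 2. Enable it only if it is off, so the script is safe to re-run.
if (-not $sync.Features.UserForcePasswordChangeOnLogonEnabled) {
    $sync.Features.UserForcePasswordChangeOnLogonEnabled = $true
    Update-MgDirectoryOnPremiseSynchronization -OnPremisesDirectorySynchronizationId $sync.Id -Features $sync.Features
}

# 3. Re-read from Graph to confirm the persisted value rather than trusting the local object.
$after = Get-MgDirectoryOnPremiseSynchronization
if (-not $after.Features.UserForcePasswordChangeOnLogonEnabled) {
    throw 'Feature did not persist; check the Graph response and the permissions of the signed-in account.'
}
Write-Host 'Feature is enabled in the tenant.'

# 4. Optional: on the Entra Connect server, trigger a delta sync instead of waiting for the next cycle.
# Start-ADSyncSyncCycle -PolicyType Delta

# 5. Verify the on-premises side for the test user. In AD, "User must change password at next logon"
#    is represented by pwdLastSet = 0, so that is the value to look for after a sync has run.
$adUser = Get-ADUser -Identity $TestUser -Properties pwdLastSet
if ($adUser.pwdLastSet -eq 0) {
    Write-Host "$TestUser has pwdLastSet = 0: the change-at-next-logon flag is set on-premises."
} else {
    $last = [DateTime]::FromFileTime($adUser.pwdLastSet)
    Write-Host "$TestUser does not have the flag set on-premises (pwdLastSet = $last)."
}
```

Run step 5 again after the sync cycle has completed; a value other than 0 immediately after enabling the feature only means the sync has not yet run.
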
1 Reply

  • aevle
    Copper Contributor

    This is a limitation from Microsoft, as the "User must change password at next logon" setting does not sync from Entra ID to on-premises AD by default.

    https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-password-hash-synchronization#cloudpasswordpolicyforpasswordsyncedusersenabled

    I have executed it on a couple of customers and my own test lab :-)
