Forum Discussion
On-premises password changes
Is anyone able to describe the process that occurs during password changes on-premises and how they are synced to Office 365?
In particular a customer is looking to force a lot of their users to reset their AD accounts by ticking the "User must change password at next login" check box. The issue they are having is that this seems to also be stopping users from logging into OWA and Outlook apps on their mobile devices. I was initially under the impression that Office 365 ignored this attribute until the password was changed in AD.
Well, I haven't seen any document detailing this, but here's what I make of it. The thing is the attribute pwdLastSet (which is 0-ed when you select this checkbox) is synced to Azure AD *and* it signals the need to clear all existing tokens. As per https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized
pwdLastSet | X | mechanical property. Used to know when to invalidate already issued tokens. Used by both password sync and federation.
So it makes sense to clear the old (cloud) password at that point too.
Afaik it ignores expired passwords, but using this tick is different. If this option (flag) is configured, the password is not synced as per: https://github.com/Microsoft/azure-docs/blob/master/articles/active-directory/connect/active-directory-aadconnectsync-troubleshoot-password-synchronization.md
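To make the behaviour described above visible from the admin side, here is an added example (not from this thread or from Microsoft's documentation) using the RSAT ActiveDirectory module. It lists enabled accounts whose pwdLastSet is 0 (that is, where "User must change password at next logon" is set, so the hash is not synced and issued tokens are invalidated), and previews the bulk operation that zeroes pwdLastSet. The OU path and the users-to-reset.txt file are placeholders/constructed input.

```powershell
# Added example, not code from the thread. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Placeholder OU; replace with the OU that Azure AD Connect actually syncs.
$ou = 'OU=SyncedUsers,DC=example,DC=com'

# 1. Which accounts already carry the flag?
#    pwdLastSet -eq 0 is the on-prem representation of
#    "User must change password at next logon". For these accounts
#    AAD Connect will not sync the password hash, and the zeroed
#    pwdLastSet tells Azure AD to invalidate already issued tokens,
#    which is why OWA and mobile Outlook sign-ins stop working.
$flagged = Get-ADUser -Filter 'pwdLastSet -eq 0 -and Enabled -eq $true' `
    -SearchBase $ou -Properties pwdLastSet, PasswordLastSet, mail

# PasswordLastSet is empty for these users because it is derived from pwdLastSet.
$flagged |
    Select-Object SamAccountName, mail, PasswordLastSet |
    Sort-Object SamAccountName |
    Format-Table -AutoSize

# 2. Preview the bulk reset. -ChangePasswordAtLogon $true is exactly what
#    sets pwdLastSet to 0, so everyone in the list will lose cloud access
#    until they change their password on-premises. -WhatIf only previews;
#    remove it, and work in batches, when the impact has been communicated.
$batch = Get-Content '.\users-to-reset.txt'   # constructed list of sAMAccountNames
foreach ($sam in $batch) {
    Set-ADUser -Identity $sam -ChangePasswordAtLogon $true -WhatIf
}
```

Running step 1 before step 2 gives the customer a list of who will be cut off from OWA and mobile clients at the next sync cycle, so the reset can be staged rather than applied to everyone at once.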
- Dan_Snape (Steel Contributor)
Thanks Vasil.
The thing I don't understand is that these users' passwords were already synced correctly, then the flag was set on the account. So using logic (probably not wise!) the user should be able to continue using the same, already synced password until they change it on-premises. If this is not the case, which it obviously isn't, I'd love to know why and what the actual process is.
When the on-prem AD account is set to User must change password at next logon and AD Connect doesn't sync the password, does this mean it actually removes the existing password for the linked Office 365 account?