Forum Discussion
On-premises password changes
- Mar 23, 2017
Well, I haven't seen any document detailing this, but here's what I make of it. The thing is, the attribute pwdLastSet (which is zeroed when you select this checkbox) is synced to Azure AD *and* it signals the need to clear all existing tokens. As per https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized
pwdLastSet | X | mechanical property. Used to know when to invalidate already issued tokens. Used by both password sync and federation.
So it makes sense to clear the old (cloud) password at that point too.
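The pwdLastSet behaviour described above can be observed directly. The following PowerShell is an added example, not code from the thread or from Microsoft: it reads the raw pwdLastSet attribute that Azure AD Connect synchronizes (0 means the "User must change password at next logon" box is ticked), lists every enabled user currently in that state, flips the box from PowerShell, and compares the on-prem value with the cloud object's LastPasswordChangeTimestamp. It assumes the ActiveDirectory and MSOnline modules are installed, that Connect-MsolService has already been run, and that the OU path and account names are placeholders you replace.

```powershell
# Added example, not part of the original forum thread.
# Assumes: ActiveDirectory module (RSAT), MSOnline module with an existing
# Connect-MsolService session, and placeholder account/OU names.

Import-Module ActiveDirectory

function Get-PwdLastSetState {
    param([Parameter(Mandatory)][string]$SamAccountName)

    # pwdLastSet is a 64-bit Windows FILETIME. 0 means "User must change
    # password at next logon"; this zeroed value is what AAD Connect syncs.
    $u = Get-ADUser -Identity $SamAccountName -Properties pwdLastSet, userPrincipalName

    $lastSet = $null
    if ($u.pwdLastSet -gt 0) {
        $lastSet = [DateTime]::FromFileTimeUtc($u.pwdLastSet)
    }

    [pscustomobject]@{
        SamAccountName    = $u.SamAccountName
        UserPrincipalName = $u.UserPrincipalName
        pwdLastSetRaw     = $u.pwdLastSet
        MustChangeAtLogon = ($u.pwdLastSet -eq 0)
        PasswordLastSet   = $lastSet
    }
}

# All enabled users in an OU that currently have the checkbox set.
function Find-MustChangeUsers {
    # Placeholder search base, e.g. 'OU=Staff,DC=contoso,DC=local'
    param([Parameter(Mandatory)][string]$SearchBase)

    Get-ADUser -Filter 'pwdLastSet -eq 0 -and Enabled -eq $true' `
               -SearchBase $SearchBase -Properties pwdLastSet |
        Select-Object SamAccountName, UserPrincipalName
}

# Tick or untick the box from PowerShell (this is what zeroes pwdLastSet),
# then read the attribute back so the change is visible.
function Set-MustChangeAtLogon {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [bool]$Enable = $true
    )
    Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $Enable
    Get-PwdLastSetState -SamAccountName $SamAccountName
}

# Put the on-prem value next to the cloud object's password timestamp.
# Run after a sync cycle has completed (Start-ADSyncSyncCycle -PolicyType Delta
# on the AAD Connect server) to see what the cloud side received.
function Compare-CloudPasswordTimestamp {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $onprem = Get-PwdLastSetState -SamAccountName $SamAccountName
    $cloud  = Get-MsolUser -UserPrincipalName $onprem.UserPrincipalName

    [pscustomobject]@{
        UserPrincipalName       = $onprem.UserPrincipalName
        OnPremMustChangeAtLogon = $onprem.MustChangeAtLogon
        OnPremPasswordLastSet   = $onprem.PasswordLastSet
        CloudLastPasswordChange = $cloud.LastPasswordChangeTimestamp
    }
}

# Usage (placeholder names):
#   Find-MustChangeUsers -SearchBase 'OU=Staff,DC=contoso,DC=local'
#   Set-MustChangeAtLogon -SamAccountName 'jdoe' -Enable $true
#   Compare-CloudPasswordTimestamp -SamAccountName 'jdoe'
```

Running Compare-CloudPasswordTimestamp before and after ticking the box, with a sync cycle in between, lets you see for yourself whether the cloud object reacts to the synced pwdLastSet rather than only to a new password hash, which is the question the thread is trying to settle.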
Thanks Vasil.
The thing I don't understand is that these users' passwords were already synced correctly, then the flag was set on the account. So using logic (probably not wise!) the user should be able to continue using the same, already synced password until they change it on-premises. If this is not the case, which it obviously isn't, I'd love to know why and what the actual process is.
When the on-prem AD account is set to "User must change password at next logon" and AD Connect doesn't sync the password, does this mean it actually removes the existing password for the linked Office 365 account?