Forum Discussion
osamamansoor
Sep 03, 2021 (Brass Contributor)
Password Challenges in Microsoft Team
Hi Experts, we have been using the Office 365 Business Essentials service for the last 7 years. We have the following setup: Office 365 is connected with Azure AD for syncing user names and passwo...
pvanberlo
Sep 03, 2021 (MCT)
As soon as the password is reset in local AD, and this information is synced to Azure AD, Azure AD will determine that all active tokens are no longer valid and need to be refreshed. This requires the user to authenticate themselves again. You could decide to disable MFA for specific users, but then MFA is disabled under all circumstances (excluding possible Azure AD CA policies), something I do not recommend and you also do not want.
Update: I just realized that you could potentially try and see if Azure AD Connect can be prevented from syncing the last password change time, which is used by Azure AD to determine whether it needs to revoke refresh tokens. Not sure if this attribute can be excluded though. Also, I still wouldn't recommend it 🙂
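To make the mechanism described above concrete, here is an added PowerShell check (not code from this thread, from Microsoft, or from the Azure AD Connect product) that an administrator can run after an on-premises password change has synced, to confirm that Azure AD has moved the user's refresh-token validity timestamp forward rather than relying on the user's sign-in experience. It assumes the Microsoft.Graph PowerShell module is installed and that the signed-in account has the User.Read.All permission; the user principal name is a placeholder.

```powershell
# Added example (not from the thread). Assumes the Microsoft.Graph module and
# an account consented for User.Read.All. Requires an interactive sign-in.
Connect-MgGraph -Scopes "User.Read.All"

function Get-PasswordChangeRevocationStatus {
    <#
      Reads the three timestamps Azure AD uses to decide whether existing
      refresh tokens and session cookies are still acceptable for a user:
        lastPasswordChangeDateTime     - when the password last changed (synced from AD)
        refreshTokensValidFromDateTime - refresh tokens issued before this are rejected
        signInSessionsValidFromDateTime - session cookies issued before this are rejected
    #>
    param(
        [Parameter(Mandatory)]
        [string]$UserPrincipalName   # placeholder, e.g. "user@contoso.example"
    )

    $u = Get-MgUser -UserId $UserPrincipalName -Property @(
        "userPrincipalName",
        "lastPasswordChangeDateTime",
        "refreshTokensValidFromDateTime",
        "signInSessionsValidFromDateTime"
    )

    # Null-safe comparison: a user whose password never changed in the cloud
    # may have no lastPasswordChangeDateTime at all.
    $revoked = $false
    if ($u.LastPasswordChangeDateTime -and $u.RefreshTokensValidFromDateTime) {
        # Assumption documented here: when the synced password change is
        # processed, Azure AD advances refreshTokensValidFromDateTime to at
        # least the change time, invalidating tokens issued before it.
        $revoked = $u.RefreshTokensValidFromDateTime -ge $u.LastPasswordChangeDateTime
    }

    [pscustomobject]@{
        User                     = $u.UserPrincipalName
        LastPasswordChange       = $u.LastPasswordChangeDateTime
        RefreshTokensValidFrom   = $u.RefreshTokensValidFromDateTime
        SignInSessionsValidFrom  = $u.SignInSessionsValidFromDateTime
        TokensRevokedSinceChange = $revoked
    }
}

# Usage: run once before and once after the Azure AD Connect sync cycle and
# compare RefreshTokensValidFrom; a forward jump confirms the revocation.
Get-PasswordChangeRevocationStatus -UserPrincipalName "user@contoso.example" | Format-List
```

If `TokensRevokedSinceChange` stays `$false` after a sync, the password change has not yet reached Azure AD (or the change time was not synced), which is exactly the state the thread warns against engineering deliberately: stale tokens would keep working with the old password.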
osamamansoor
Sep 03, 2021 (Brass Contributor)
pvanberlo
Thanks for giving an explanation.
As I checked, the behavior after changing the Active Directory / domain password is that users have to enter the new domain password and go through the MFA screen.
Let's assume we disable MFA; even then, after changing the domain password we have to enter the new password.
Can we eliminate the password challenge screens altogether?
"I just realized that potentially you could try and see if Azure AD Connect can be prevented from syncing the last password change time. Which is used by Azure AD to determine if it needs to revoke refresh tokens."
Do you think the above can be a workable scenario?
Can Azure ADFS resolve this issue?
pvanberlo
Sep 03, 2021 (MCT)
Even when I had one of my domains set to federated, it would revoke refresh tokens when a password was changed and this info was synced back into Azure AD. To be fair, I've not tested it in a while, and I primarily work with cloud-only identities nowadays, eliminating the need to even have a local AD.
If you disabled MFA, you'd still be presented with a screen to sign-in again anyhow.