Forum Discussion
Solved
Password Expiry/Reset
Is it possible to have when a user's password expires it logs that user out so they are forced to reset it. Currently the notification appears for the user but they only have to reset it when they lo...
Hi JamesCumberton,
Technically, you can. In our organization we wanted to force sign-out users when their accounts get disabled or passwords are reset/changed, and so instead of waiting for the Azure refresh token to expire we solved the situation by running the following cmdlet when that action occurs:
Set-MsolUser -UserPrincipalName $User -StsRefreshTokensValidFrom (get-date)The key is, you'll need an interceptor to trigger this action when the condition occurs. If your domain is federated, it's your your on-premise AD should have a interceptor that can catch when password change/password expiry/account disable happens, and then execute the MSOL cmdlet to revoke the Azure token (or like how we have done, place the script in an Azure runbook, create a webhook, and have the AD interceptor call the Webhook and pass the username).
Hi JamesCumberton,
Technically, you can. In our organization we wanted to force sign-out users when their accounts get disabled or passwords are reset/changed, and so instead of waiting for the Azure refresh token to expire we solved the situation by running the following cmdlet when that action occurs:
Set-MsolUser -UserPrincipalName $User -StsRefreshTokensValidFrom (get-date)
The key is, you'll need an interceptor to trigger this action when the condition occurs. If your domain is federated, it's your your on-premise AD should have a interceptor that can catch when password change/password expiry/account disable happens, and then execute the MSOL cmdlet to revoke the Azure token (or like how we have done, place the script in an Azure runbook, create a webhook, and have the AD interceptor call the Webhook and pass the username).
What interceptor are you referring to? I have ticket open with microsoft and they are telling me this can't be done and have no idea what you are referring to.
whitephnx2 The interceptor we use is MIM, but it can be anything. If you have an email notification whenever the password is reset, you can create a rule to Bcc a copy of that notification to a shared mailbox, and have Power Automate (for instance) revoke the token when a notification mail arrives.
