Forum Discussion
Users are getting a "change your password" notification that won't go away
Several users have reported that Office 365 (specifically, SharePoint, but the Office 365 portal shows it too) keeps showing them a notification that says "your password will expire in X days" with a...
VasilMichev, thanks for your reply.
I came across that in my searching as well, but when I looked at our claims rules, it appears we already have those claims being sent. Here's the rule we have:
c1:[Type == "http://schemas.microsoft.com/ws/2012/01/passwordexpirationtime"]
=> issue(store = "_PasswordExpiryStore", types = ("http://schemas.microsoft.com/ws/2012/01/passwordexpirationtime", "http://schemas.microsoft.com/ws/2012/01/passwordexpirationdays", "http://schemas.microsoft.com/ws/2012/01/passwordchangeurl"), query = "{0};", param = c1.Value);
I'd suggest changing the corresponding attributes and capture the full list of claims being sent.
I'm not sure which attributes you're referring to.
Well yes, because you are sending the claim you get the notification in O365. However, if the claim is set in error, this can explain the behavior you are observing. So my point was to check the actual claim being sent for one of those users, which you can do by using the event logs or via tools such as Claims X-Ray: https://adfshelp.microsoft.com/ClaimsXray/TokenRequest
VasilMichev Thanks for that. I just did some testing with the Claims X-Ray tool, adding in the claim rule I mentioned before.
I tested with one of the original users facing this issue. She has recently changed her password. On "Forms" authentication, she only has the "passwordexpirationtime" claim. On WIA, no password expiration claims are sent.
I tested with another user, whose password will expire in a few days. On "Forms" authentication, she is receiving the "passwordexpirationtime", "passwordexpirationdays", and "passwordchangeurl" claims. On WIA method, again, no password expiration claims are sent.
Doing a little more testing, here's what seems to be happening:
Using the "Windows Integrated Authentication" method, no password expiration claims are sent at all. (This is our users' default method because we have our ADFS server address in the Local Intranet zone so users aren't required to enter their password in browsers on their workstations.)
Using the "Forms" authentication method, the following claims are being sent:
- passwordexpirationtime* – sent to all users (twice, if their password will soon expire)
- passwordexpirationdays – only being sent to users whose passwords will soon expire
- passwordchangeurl – again, this is only being sent for users with passwords soon to expire