Forum Discussion
Migration to Cloud Sync (passwords)
We want to migrate from AAD Connect Sync to Cloud Sync.
When provisioning new users we could use temporary passwords in AAD Connect Sync, through this feature:
Set-ADSyncAADCompanyFeature -ForcePasswordChangeOnLogOn $true
Is this feature still available in Cloud Sync? If not, what is the workaround?
5 Replies
- bart_vermeersch (Iron Contributor)
VasilMichev: I'm afraid that's AAD Connect sync only, unless someone has other experience.
When looking at the docs of Cloud sync, there is no reference to ForcePasswordChangeOnLogOn or userForcePasswordChangeOnLogonEnabled.
I'm looking for confirmation that this scenario is indeed not supported when using Cloud Sync. According to the MS docs, not even the password gets synced when "change password on next logon" is set in AD.
What happens when a synced user is required to change password on next logon?
If password hash sync is enabled in cloud sync and the synced user is required to change password on next logon in on-premises AD, cloud sync doesn't provision the "to-be-changed" password hash to Microsoft Entra ID. Once the user changes the password, the user password hash is provisioned from AD to Microsoft Entra ID.
- SanthoshSivarajan (Copper Contributor)
Please provide some additional details. What are you trying to accomplish?
I'm not sure if it's dependent on the "sync client", but you can certainly toggle it on the backend. It's just done via Graph now, via the onPremisesDirectorySynchronization endpoint and specifically the onPremisesDirectorySynchronizationFeature resource: https://learn.microsoft.com/en-us/graph/api/resources/onpremisesdirectorysynchronizationfeature?view=graph-rest-1.0
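Added example of the Graph-side toggle described in the reply above; it is not code from any of the posters. It assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in admin can consent to OnPremDirectorySynchronization.ReadWrite.All, and that the tenant has a single onPremisesDirectorySynchronization object; whether the flag has any effect under Cloud Sync is exactly the open question in this thread, so the script only reads, changes and re-reads the setting.

```powershell
# Requires the Microsoft.Graph.Authentication module (Invoke-MgGraphRequest).
# Scope assumed: OnPremDirectorySynchronization.ReadWrite.All (read-only checks
# work with OnPremDirectorySynchronization.Read.All).
Connect-MgGraph -Scopes "OnPremDirectorySynchronization.ReadWrite.All"

# 1. Read the current sync configuration. There is normally one object per tenant.
$sync = (Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/directory/onPremisesSynchronization").value

if ($sync.Count -ne 1) {
    throw "Expected exactly one onPremisesSynchronization object, found $($sync.Count)."
}
$syncId   = $sync[0].id
$features = $sync[0].features

# Record the settings that matter for this scenario before changing anything.
Write-Host ("Before: userForcePasswordChangeOnLogonEnabled={0} passwordSyncEnabled={1}" -f `
    $features.userForcePasswordChangeOnLogonEnabled, $features.passwordSyncEnabled)

# 2. Enable the flag (the Graph equivalent of -ForcePasswordChangeOnLogOn $true).
#    Only the property being changed is sent; other feature flags are left untouched.
$body = @{ features = @{ userForcePasswordChangeOnLogonEnabled = $true } } | ConvertTo-Json -Depth 3
Invoke-MgGraphRequest -Method PATCH `
    -Uri "https://graph.microsoft.com/v1.0/directory/onPremisesSynchronization/$syncId" `
    -ContentType "application/json" -Body $body

# 3. Re-read and confirm the change actually landed rather than trusting the 204.
$after = (Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/directory/onPremisesSynchronization/$syncId").features
if (-not $after.userForcePasswordChangeOnLogonEnabled) {
    throw "Flag did not persist; check permissions and the PATCH response."
}
Write-Host "After: userForcePasswordChangeOnLogonEnabled=$($after.userForcePasswordChangeOnLogonEnabled)"
```

Setting the flag on the tenant object does not by itself make Cloud Sync provision a "must change at next logon" hash; per the doc excerpt quoted earlier in the thread, that hash is withheld until the user changes the password on-premises.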
- Chris_toffer0707 (Iron Contributor)
Maybe I'm missing what you are trying to accomplish, but shouldn't it be enough to enable password writeback and check "user must reset password on next logon" on the user in AD DS?
- chris_toffer (Copper Contributor)
Maybe I'm missing what you are trying to do, but shouldn't it be enough to have password writeback enabled and create users in AD DS with "user must reset password" checked?