Forum Discussion
Workaround for signing in to AADJ devices with an expired password when using PTA
In the absence of any feedback from Microsoft (either here or from the support technician I've been working with), I think it is safe to assume that the documentation is incorrect and there is no "direct" workaround for the issue.
However, https://www.bilalelhaddouchi.nl/index.php/2022/10/05/temporary-access-pass/ by BilalelHadd is an excellent summary of the Temporary Access Pass feature, which may be a suitable workaround depending on your requirements.
Hi PeterRising, and thanks for your response. The primary use case here is for newly created user accounts. When a new account is created, we set a temporary password and provide it to the user for them to use to sign in for the first time, but we want to ensure that the user does not continue to use that password.
I suppose we could either a.) not provide the end user with the temporary password and force them to use SSPR at first sign-in, or b.) leave the "User must change password" flag unset, provide the temporary password to the user, and enforce the password change through some other mechanism.
I'm interested to hear how other organizations are handling this.
Hi Ryan,
We are in the exact same scenario here. Both with Newly created and expired passwords.
Our current on prem devices obviously prompt up to update the password, we obviously assumed this would work in the same way. We started rolling out some devices on Azure AD only before moving everything.
We are currently implementing the Password Hash Sync to see whether this helps. Happy to feed back on how it went! It would be interesting to hear if you managed to get around this?