Forum Discussion
Workaround for signing in to AADJ devices with an expired password when using PTA
- Jan 20, 2023
In the absence of any feedback from Microsoft (either here or from the support technician I've been working with), I think it is safe to assume that the documentation is incorrect and there is no "direct" workaround for the issue.
However, https://www.bilalelhaddouchi.nl/index.php/2022/10/05/temporary-access-pass/ by BilalelHadd is an excellent summary of the Temporary Access Pass feature, which may be a suitable workaround depending on your requirements.
Hi PeterRising, and thanks for your response. The primary use case here is for newly created user accounts. When a new account is created, we set a temporary password and provide it to the user for them to use to sign in for the first time, but we want to ensure that the user does not continue to use that password.
I suppose we could either a.) not provide the end user with the temporary password and force them to use SSPR at first sign-in, or b.) leave the "User must change password" flag unset, provide the temporary password to the user, and enforce the password change through some other mechanism.
I'm interested to hear how other organizations are handling this.
- Ryan Steele, Jan 17, 2023, Bronze Contributor
Hi Dipl0,
Thanks for the pointer regarding the -ForcePasswordChangeAtLogOn setting; I did not have it enabled. However, after enabling it, setting the "User must change password" flag on a user, and initiating an AD Connect sync, I'm still seeing the same error.
I suspect that when Jason Fritts https://github.com/MicrosoftDocs/azure-docs/commit/608f60a96121addcdb6cc31fa71a3481558c327f, he simply failed to update the paragraph following, and that PHS is not in fact a workaround for this issue.
I do have a case open with Microsoft Support, so we'll see what comes of that.
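The steps described in the post above (enable the AD Connect feature, set the flag, sync) as a runnable sequence. This is an added example, not code from the thread or from Microsoft's documentation. It assumes it runs on the Azure AD Connect server with the ADSync and ActiveDirectory modules available, that the account running it can reset passwords in the source AD, and that `jdoe` is a placeholder user. The post writes the setting as -ForcePasswordChangeAtLogOn; the Set-ADSyncAADCompanyFeature parameter is spelled -ForcePasswordChangeOnLogOn, and the property name on the Get-ADSyncAADCompanyFeature output is assumed to match it. As the thread reports, this sequence is the documented PHS behaviour and does not by itself resolve the PTA case; it is useful mainly for confirming that each prerequisite was actually applied before escalating.

```powershell
# Added example (not from the thread). Assumes the ADSync and ActiveDirectory
# modules are present (Azure AD Connect server) and that "jdoe" is a placeholder.
Import-Module ADSync
Import-Module ActiveDirectory

$samAccountName = 'jdoe'   # placeholder: the newly created on-premises user

# 1. Confirm the tenant-wide feature is on. Without it, the "User must change
#    password at next logon" flag does not flow to Azure AD with the hash.
#    (Property name on the Get-* output assumed to match the Set-* parameter.)
$feature = Get-ADSyncAADCompanyFeature
if (-not $feature.ForcePasswordChangeOnLogOn) {
    Set-ADSyncAADCompanyFeature -ForcePasswordChangeOnLogOn $true
}

# 2. Reset the password and set the flag in the same step. The documentation note
#    linked later in the thread says the flag is only honoured together with a
#    password change; setting the flag alone on an unchanged password is not enough.
$tempPassword = Read-Host -AsSecureString -Prompt 'Temporary password'
Set-ADAccountPassword -Identity $samAccountName -Reset -NewPassword $tempPassword
Set-ADUser -Identity $samAccountName -ChangePasswordAtLogon $true

# 3. Push the change with a delta sync instead of waiting for the scheduler.
Start-ADSyncSyncCycle -PolicyType Delta

# 4. Verify on-premises: pwdLastSet = 0 is how AD represents "must change at next logon".
Get-ADUser -Identity $samAccountName -Properties pwdLastSet |
    Select-Object SamAccountName, @{ n = 'MustChangeAtLogon'; e = { $_.pwdLastSet -eq 0 } }
```

If step 4 shows the flag set on-premises but the cloud sign-in still returns the same error after the delta sync completes, the on-premises side is configured as documented and the remaining gap is on the PTA side, which is the point the thread ends on.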
- jeffj, Jan 23, 2023, Brass Contributor
Did you also change the PW at the time of setting the flag? See the purple note here: https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-password-hash-synchronization#synchronizing-temporary-passwords-and-force-password-change-on-next-logon
- Ryan Steele, Jan 23, 2023, Bronze Contributor
jeffj Yes, I did see that note, and the password is being changed at the same time the flag is being set. Thanks for checking.