Workaround for signing in to AADJ devices with an expired password when using PTA
- Jan 20, 2023
In the absence of any feedback from Microsoft (either here or from the support technician I've been working with), I think it is safe to assume that the documentation is incorrect and there is no "direct" workaround for the issue.
However, https://www.bilalelhaddouchi.nl/index.php/2022/10/05/temporary-access-pass/ by BilalelHadd is an excellent summary of the Temporary Access Pass feature, which may be a suitable workaround depending on your requirements.
Hi Dipl0,
Thanks for the pointer regarding the -ForcePasswordChangeAtLogOn setting; I did not have it enabled. However, after enabling it, setting the "User must change password" flag on a user, and initiating an AD Connect sync, I'm still seeing the same error.
I suspect that when Jason Fritts https://github.com/MicrosoftDocs/azure-docs/commit/608f60a96121addcdb6cc31fa71a3481558c327f, he simply failed to update the paragraph following, and that PHS is not in fact a workaround for this issue.
I do have a case open with Microsoft Support, so we'll see what comes of that.
- Ryan Steele, Jan 23, 2023, Bronze Contributor
jeffj Yes, I did see that note, and the password is being changed at the same time the flag is being set. Thanks for checking.