Forum Discussion

EntilZha's avatar
EntilZha
Iron Contributor
Jun 24, 2021

Unable to login into Win 10 Azure AD joined device after a PW Change

Issue: Users unable to login into windows 10 azure ad joined device if the On Premises Active Directory option  "User must change password at next login" is checked.  When user logs into Azure AD Joi...
Graph API
Intune
Rudy_Ooms_MVP's avatar
Rudy_Ooms_MVP
MVP
Jun 25, 2021

Hi,

 

To be sure...

1.There are no Azure Ad connect errors and it has synced successfully?

2. Are you talking about HaaJD or AAJD?

  • EntilZha's avatar
    EntilZha
    Iron Contributor
    Jun 25, 2021

    Thank You for responding to my request.

    The On Prem. AD user account is not disable. Azure AD Block Sign In is "No"
    The Azure Join device is in compliance in Intune.

    Regardless if the password been changed or not if the On Prem. AD user attribute "User must change password at next login" is checked users can not log into the Azure AD Join device; however, if the same user goes to a domain join device their able to log in and change password. If we uncheck that user attribute "User must change password at next login" the user able to log into their Azure AD Join device.

    My organization: over 300k users with about 90k Azure AD Join devices, were in the middle of migrating all devices from domain join to azure join.

    We're using SSPR/MFA with Azure AD Connect (1 ver. behind) with PW writeback enabled.

    Thank You,
    -Larry

    • Rudy_Ooms_MVP's avatar
      Rudy_Ooms_MVP
      MVP
      Jun 27, 2021
      When reading the above correctly... you are skipping the hybrid part and go full cloud. Great 🙂
      I have seen something like this in the past, but this was about some weird password sync issue... maybe it helps your case?

      http://blog.cyberadvisors.com/aadconnect-password-sync-issue-resolved

      And could you make sure this one is enabled?

      On the AD Connect Server, open PowerShell and issue the command Get-ADSyncAADCompanyFeature to check if the ForcePasswordChangeOnLogOn has been set.

      WHen the azure ad connect sync is done.. could you check out the users status if it has been updated?

      Get-AzureADUser -ObjectID username@domain.com | Select PasswordPolicies, PasswordProfile | fl
      • EntilZha's avatar
        EntilZha
        Iron Contributor
        Jun 29, 2021
        Thank You for replying....

        As you requested I check the setting for ForcePasswordChangeOnLogOn, its set to false. After doing a little research, setting this attribute to True should resolve my issue. I submitted a change request to set this attribute to True. Once the change is made and if it resolve my issue or not I'll post the results.

        Thank you again for pointing me in this direction.

        -Larry

Resources