Forum Discussion
Unable to login into Win 10 Azure AD joined device after a PW Change
Hi,
To be sure...
1. There are no Azure AD Connect errors and it has synced successfully?
2. Are you talking about HaaJD or AAJD?
Thank You for responding to my request.
The On Prem. AD user account is not disabled. Azure AD Block Sign In is "No".
The Azure AD Join device is in compliance in Intune.
Regardless of whether the password has been changed or not, if the On Prem. AD user attribute "User must change password at next login" is checked, users cannot log into the Azure AD Join device; however, if the same user goes to a domain join device they're able to log in and change the password. If we uncheck that user attribute "User must change password at next login", the user is able to log into their Azure AD Join device.
My organization: over 300k users with about 90k Azure AD Join devices; we're in the middle of migrating all devices from domain join to Azure AD join.
We're using SSPR/MFA with Azure AD Connect (1 ver. behind) with PW writeback enabled.
Thank You,
-Larry
Jun 27, 2021
When reading the above correctly... you are skipping the hybrid part and going full cloud. Great 🙂
I have seen something like this in the past, but this was about some weird password sync issue... maybe it helps your case?
http://blog.cyberadvisors.com/aadconnect-password-sync-issue-resolved
And could you make sure this one is enabled?
On the AD Connect Server, open PowerShell and issue the command Get-ADSyncAADCompanyFeature to check if the ForcePasswordChangeOnLogOn has been set.
When the Azure AD Connect sync is done... could you check the user's status to see if it has been updated?
Get-AzureADUser -ObjectID username@domain.com | Select PasswordPolicies, PasswordProfile | fl

EntilZha Jun 29, 2021 Iron Contributor
Thank You for replying....
As you requested, I checked the setting for ForcePasswordChangeOnLogOn; it's set to false. After doing a little research, setting this attribute to True should resolve my issue. I submitted a change request to set this attribute to True. Once the change is made, I'll post the results, whether it resolves my issue or not.
Thank you again for pointing me in this direction.
-Larry

Berri1015 Oct 21, 2022 Copper Contributor
Larry Jones
Hello Larry,
Were you able to solve your problem? If so, what solution did you use?
I am having almost the same problem. We have 200 users with computers Azure AD joined. Self-service password reset is enabled.
Azure AD Connect is also used. When the user's password expires and they change the password from self-service password reset, the change is OK but the computer does not take the new password into account.
They are forced to authenticate with the old password to log on to their computer, while Office 365 applications authenticate with the new password.
We looked at the log files; we don't see any errors.
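As an added diagnostic that is not part of any post above, the following script combines the two checks the Jun 27 reply describes (Get-ADSyncAADCompanyFeature and Get-AzureADUser) with the on-prem attribute Larry's post points at ("User must change password at next logon", which Active Directory stores as pwdLastSet = 0). It assumes it is run on the Azure AD Connect server with the ActiveDirectory, ADSync and AzureAD PowerShell modules installed; the UPN parameter is a placeholder.

```powershell
# Added diagnostic (not from the thread). Run on the Azure AD Connect server.
# Assumes the ActiveDirectory, ADSync and AzureAD modules are available.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName   # placeholder, e.g. user@contoso.com
)

# 1. On-prem side: the "User must change password at next logon" checkbox
#    is stored as pwdLastSet = 0 on the AD user object.
$onPrem = Get-ADUser -Filter "UserPrincipalName -eq '$UserPrincipalName'" `
                     -Properties pwdLastSet, PasswordExpired
$mustChangeOnPrem = ($onPrem.pwdLastSet -eq 0)

# 2. Azure AD Connect: is the ForcePasswordChangeOnLogOn feature enabled?
#    Without it, the on-prem "must change" flag is not carried to Azure AD.
$feature = Get-ADSyncAADCompanyFeature
$forceChangeSynced = [bool]$feature.ForcePasswordChangeOnLogOn

# 3. Cloud side: what does Azure AD currently hold for this user?
Connect-AzureAD | Out-Null   # interactive sign-in
$cloud = Get-AzureADUser -ObjectId $UserPrincipalName
$mustChangeCloud = [bool]$cloud.PasswordProfile.ForceChangePasswordNextLogin

[pscustomobject]@{
    User                         = $UserPrincipalName
    OnPremMustChangeAtNextLogon  = $mustChangeOnPrem
    OnPremPasswordExpired        = $onPrem.PasswordExpired
    ConnectForcePasswordChangeOn = $forceChangeSynced
    CloudForceChangeNextLogin    = $mustChangeCloud
    CloudPasswordPolicies        = $cloud.PasswordPolicies
} | Format-List

# Mismatch that matches the symptom in the thread: flag set on-prem, not synced.
if ($mustChangeOnPrem -and -not $forceChangeSynced) {
    Write-Warning ("On-prem 'must change at next logon' is set but Azure AD Connect " +
                   "is not syncing it. Azure AD joined sign-ins will fail until the flag " +
                   "is cleared on-prem or the feature is enabled with " +
                   "Set-ADSyncAADCompanyFeature -ForcePasswordChangeOnLogOn `$true.")
}
```

Run it once before and once after the next Azure AD Connect sync cycle to confirm that the cloud-side value actually changed.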