Password change issue

Ronald Meer
Contributor

For the last few weeks we have experienced an issue with users changing passwords.

Users are created on-premises in Active Directory and synced with Azure AD Connect (where we are still running version 1.2.70.0). New users get a temporary password which they have to change on first logon.

Our users get devices which are set up through Autopilot. They get prompted to change the password, but when they do they get a message that the password is changed but that the servers have to process this change, resulting in the issue that the user cannot continue to set up the device. As a workaround we tell them to turn off the device. They can then continue through the Autopilot process because the password is already changed.

We use PTA, with PHS still enabled. We moved from ADFS with PHS to PTA in June this year. We didn't have this error the first month after this change.
The error we see in the audit logs is OnPremisesSuccessCloudFailure.

So it seems there is some kind of delay after the password is changed on-premises.

I cannot find anything on this particular error.
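One way to test the "delay after an on-premises change" theory from the logs rather than from user reports is to correlate each cloud sign-in failure with the most recent on-premises password change for the same account and look at the lag. The script below is an added example, not code from the thread or from Microsoft; all records are constructed sample data, the field names (`user`, `time`, `status`) are assumptions, and the only value taken from the thread is the `OnPremisesSuccessCloudFailure` status string. The 30-minute window is likewise treated as a tunable threshold, not a documented constant.

```python
"""Correlate Azure AD sign-in failures with on-premises password changes.

Added example for this thread (not the poster's or Microsoft's code).
All records below are constructed; field names are assumptions.
"""
from datetime import datetime, timedelta, timezone

# Assumed threshold: how long after an on-prem change a cloud failure is
# still plausibly explained by sync lag. Adjust to the sync interval you observe.
SYNC_WINDOW = timedelta(minutes=30)

# Constructed on-prem password change events (e.g. exported from DC security logs).
ONPREM_PASSWORD_CHANGES = [
    {"user": "alice@example.com", "time": "2019-08-20T08:00:00Z"},
    {"user": "bob@example.com",   "time": "2019-08-20T07:00:00Z"},
]

# Constructed Azure AD sign-in records; 'status' mirrors the value the
# original poster reports seeing in the audit logs.
CLOUD_SIGNINS = [
    {"user": "alice@example.com", "time": "2019-08-20T08:03:00Z",
     "status": "OnPremisesSuccessCloudFailure"},
    {"user": "alice@example.com", "time": "2019-08-20T08:40:00Z",
     "status": "Success"},
    {"user": "bob@example.com",   "time": "2019-08-20T09:30:00Z",
     "status": "OnPremisesSuccessCloudFailure"},
    {"user": "carol@example.com", "time": "2019-08-20T08:05:00Z",
     "status": "OnPremisesSuccessCloudFailure"},
]

FAILURE_STATUS = "OnPremisesSuccessCloudFailure"


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def classify_failures(signins, changes, window=SYNC_WINDOW):
    """For every cloud failure, find the latest on-prem change for that user
    that happened before the failure and compute the lag.

    Returns a list of dicts: user, lag_minutes (None if no prior change) and
    a verdict of 'likely-sync-delay', 'outside-sync-window' or
    'no-recent-onprem-change'.
    """
    changes_by_user = {}
    for change in changes:
        changes_by_user.setdefault(change["user"], []).append(parse_ts(change["time"]))

    results = []
    for record in signins:
        if record["status"] != FAILURE_STATUS:
            continue
        failed_at = parse_ts(record["time"])
        prior = [t for t in changes_by_user.get(record["user"], []) if t <= failed_at]
        if not prior:
            results.append({"user": record["user"], "lag_minutes": None,
                            "verdict": "no-recent-onprem-change"})
            continue
        lag = failed_at - max(prior)
        verdict = "likely-sync-delay" if lag <= window else "outside-sync-window"
        results.append({"user": record["user"],
                        "lag_minutes": round(lag.total_seconds() / 60, 1),
                        "verdict": verdict})
    return results


def summarize(results):
    """Count verdicts so you can see what share of failures the sync-delay theory explains."""
    counts = {}
    for r in results:
        counts[r["verdict"]] = counts.get(r["verdict"], 0) + 1
    return counts


if __name__ == "__main__":
    findings = classify_failures(CLOUD_SIGNINS, ONPREM_PASSWORD_CHANGES)
    for f in findings:
        print(f"{f['user']:<20} lag={f['lag_minutes']}  {f['verdict']}")
    print(summarize(findings))
```

If most failures land in the `likely-sync-delay` bucket, the symptom matches the sync-lag explanation; failures with no preceding on-prem change, or with a lag well beyond the window, point at something other than sync timing and deserve a separate look.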

2 Replies

@Ronald Meer 

 

1. Update your Azure AD Connect.

2. How are your users changing passwords, and where?

The only way to update passwords for users is to give them SSPR (Self Service Password Reset/Change), which changes their password in the cloud (Azure AD) and not on-premises. It is overwritten by the password coming in from local AD via Azure AD Connect sync every 30 minutes. If you configure Password Writeback (additional licensing cost: a Premium Azure AD license, P1/P2, is needed for that) then you can write back passwords from Azure AD to your local AD as well.

 

Update Azure AD Connect - https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-migrate-adfs-password-hash-sync & https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-migrate-adfs-pass-through-authentication

Both ways you have to (mandatory) upgrade your Azure AD Connect version :)

 

 

Prerequisites for migrating to pass-through authentication

The following prerequisites are required to migrate from using AD FS to using pass-through authentication.

Update Azure AD Connect

To successfully complete the steps it takes to migrate to using pass-through authentication, you must have Azure Active Directory Connect (Azure AD Connect) 1.1.819.0 or a later version. In Azure AD Connect 1.1.819.0, the way sign-in conversion is performed changes significantly. The overall time to migrate from AD FS to cloud authentication in this version is reduced from potentially hours to minutes.

 

As a minimum to successfully perform the steps to migrate to password hash synchronization, you should have Azure AD connect 1.1.819.0. This version contains significant changes to the way sign-in conversion is performed and reduces the overall time to migrate from Federation to Cloud Authentication from potentially hours to minutes.

 

Update your Azure AD Connect and you should be all fixed :)

 

Cheers !

Ankit Shukla

 

@ankit shukla 

 

Why do you think upgrading Azure AD Connect will fix the problem? As I mentioned, our version of Azure AD Connect is 1.2.70.0, which is a higher version than 1.1.819.0.
