In the last few weeks we have been experiencing an issue with users changing passwords.
Users are created on-premises in Active Directory and synced with Azure AD Connect (where we are still running version 188.8.131.52). New users get a temporary password which they have to change on first logon.
Our users get devices which are set up through Autopilot. They get prompted to change the password, but when they do they get a message that the password is changed but that servers have to process this change, resulting in the issue that the user cannot continue to set up the device. As a workaround we tell them to turn off the device. They can then continue through the Autopilot process because the password is already changed.
We use PTA with PHS still enabled. We moved from ADFS with PHS to PTA in June this year. We didn't have this error the first month after this change. The error we see in the audit logs is OnPremisesSuccessCloudFailure.
So it seems there is some kind of delay after the password is changed on-premises.
2. How are your users changing passwords, and where?
The only way to update passwords for users is to give them SSPR (Self Service Password Reset/Change), which does change their password in the cloud (Azure AD) and not on-premises. It is overwritten by the password coming in from local AD via Azure AD Connect sync every 30 minutes. If you configure Password Writeback (additional licensing cost; a Premium Azure AD license, P1/P2, is needed for that) then you can write back passwords from Azure AD to your local AD as well.
Either way you have to (mandatorily) upgrade your Azure AD Connect version :)
Prerequisites for migrating to pass-through authentication
The following prerequisites are required to migrate from using AD FS to using pass-through authentication.
Update Azure AD Connect
To successfully complete the steps it takes to migrate to using pass-through authentication, you must have Azure Active Directory Connect (Azure AD Connect) 1.1.819.0 or a later version. In Azure AD Connect 1.1.819.0, the way sign-in conversion is performed changes significantly. The overall time to migrate from AD FS to cloud authentication in this version is reduced from potentially hours to minutes.
As a minimum, to successfully perform the steps to migrate to password hash synchronization, you should have Azure AD Connect 1.1.819.0. This version contains significant changes to the way sign-in conversion is performed and reduces the overall time to migrate from federation to cloud authentication from potentially hours to minutes.
Update your Azure AD Connect and you should be all fixed :)
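As an added example (not from the original thread), the following PowerShell, run on the Azure AD Connect server, checks the installed version against the 1.1.819.0 minimum quoted above and shows the state of the sync scheduler that carries on-premises password changes to Azure AD. It assumes the product registers itself in the standard Windows uninstall registry key with a DisplayName starting "Microsoft Azure AD Connect"; the Get-ADSyncScheduler and Start-ADSyncSyncCycle cmdlets come from the ADSync module that ships with the product.

```powershell
# Added example, not part of the original post.
# Minimum version required for the PTA migration, as quoted in the reply above.
$MinimumVersion = [version]'1.1.819.0'

# Assumption: Azure AD Connect is listed under the standard uninstall key.
$installed = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' |
    Get-ItemProperty |
    Where-Object { $_.DisplayName -like 'Microsoft Azure AD Connect*' } |
    Select-Object -First 1

if (-not $installed) {
    Write-Warning 'Azure AD Connect was not found in the uninstall registry on this host.'
    return
}

$current = [version]$installed.DisplayVersion
Write-Host "Installed Azure AD Connect version: $current"

if ($current -lt $MinimumVersion) {
    Write-Warning "Version $current is older than the required $MinimumVersion; upgrade before migrating to PTA."
} else {
    Write-Host "Version meets the $MinimumVersion minimum."
}

# Scheduler state: effective interval, whether it is enabled, whether a cycle is running.
Import-Module ADSync -ErrorAction Stop
$sched = Get-ADSyncScheduler
Write-Host ("Effective sync interval : {0}" -f $sched.CurrentlyEffectiveSyncCycleInterval)
Write-Host ("Scheduler enabled       : {0}" -f $sched.SyncCycleEnabled)
Write-Host ("Sync cycle in progress  : {0}" -f $sched.SyncCycleInProgress)

# Optional: start a delta sync now rather than waiting for the next scheduled cycle,
# so a freshly changed on-premises password can be confirmed to reach the cloud sooner.
if (-not $sched.SyncCycleInProgress) {
    Start-ADSyncSyncCycle -PolicyType Delta
}
```

The delta sync at the end only runs when no cycle is already in progress; remove that block if you only want the read-only report.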