Forum Discussion

Eric LE CORRE
Brass Contributor
Nov 09, 2021

Adconnect and user password change

Hello, and sorry for my bad English 🙂

I use AD Connect and Office 365; I am in hybrid mode. So AD Connect synchronizes users from Active Directory to Azure AD. And all my users use OneDrive and Teams.

I have a big problem when users change their Active Directory password:
Windows asks for a password change
The user changes the password and their session is open
But the new password has not yet been sent by AD Connect to Office 365
So the session is open, but there is an authentication error with OneDrive and Teams
Users have to wait a few minutes (3-5 minutes) for AD Connect to send the new password to O365
So they have to restart the computer after that, or log out of the session and log on again, to get OneDrive and Teams working

As you can read, it is not very cool. I know it is possible to configure ADFS. But is there no solution for that with AD Connect?

Thanks a lot

5 Replies

    BilalelHadd
    Iron Contributor

    Hi Eric LE CORRE,

    I know this is not the answer you are looking for, but the synchronization runs every 2 minutes. You cannot modify the frequency of this process. A synchronization between on-premises and Azure AD can be forced, but in this case I would not recommend this.

    I suggest you use Azure AD Password Writeback and let the users change their password in the cloud instead of on their local clients. Therefore you also need to configure the so-called "EnforceCloudPasswordPolicyForPasswordSyncedUsers" feature. This is required to comply with the on-premises password expiration policy in Azure AD. I've written a blog about this. More information can be found here:

    https://www.bilalelhaddouchi.nl/index.php/2020/09/24/comply-your-ad-password-expiration-policy-with-azure-ad/

    And, of course, the Microsoft Docs:

    https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-password-hash-synchronization
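As an added example (not from the thread above, the linked blog, or Microsoft's own scripts), here is the PowerShell a practitioner would actually run to check the two things this reply raises: the sync scheduler on the Azure AD Connect server (including the "forced" delta cycle that is possible but not recommended), and enabling EnforceCloudPasswordPolicyForPasswordSyncedUsers in the tenant with the MSOnline module. Only documented cmdlets are used; the tenant and user names are placeholders, and the final listing of synced users still flagged PasswordNeverExpires is an assumed follow-up check, not something the reply prescribes.

```powershell
# Added example, not code from the thread or from Microsoft.
# Part 1 runs on the Azure AD Connect server (ADSync module is installed there).
# Part 2 runs from any admin workstation with the MSOnline module.

# --- Part 1: on the Azure AD Connect server ---
Import-Module ADSync

# Inspect the scheduler: the full sync cycle interval and when the next cycle starts.
# Password hash sync (the part that carries a changed password) runs on its own
# ~2-minute timer and is not governed by this interval, so this only tells you
# whether the scheduler is healthy, not how fast a new password reaches the cloud.
Get-ADSyncScheduler |
    Select-Object AllowedSyncCycleInterval,
                  CurrentlyEffectiveSyncCycleInterval,
                  SyncCycleEnabled,
                  SyncCycleInProgress,
                  NextSyncCycleStartTimeInUTC

# Confirm password hash sync is actually enabled for the tenant.
Get-ADSyncAADCompanyFeature

# "Forcing" a sync, as mentioned in the reply: a delta cycle. Use it for a one-off
# troubleshooting case only (e.g. a single user locked out of Teams/OneDrive after a
# password change); it fails if a cycle is already in progress and is not a fix for
# the underlying race between the local change and the cloud copy.
if (-not (Get-ADSyncScheduler).SyncCycleInProgress) {
    Start-ADSyncSyncCycle -PolicyType Delta
}

# --- Part 2: from an admin workstation with the MSOnline module ---
# Install-Module MSOnline -Scope CurrentUser   # once, if not already present
Connect-MsolService

# See whether the tenant already enforces cloud password expiry for synced users.
Get-MsolDirSyncFeatures -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers

# Enable it so Azure AD expires the cloud password in line with the on-premises
# policy. Without it, synced users carry PasswordNeverExpires in the cloud and a
# password-writeback flow never prompts them to change it. The cmdlet asks for
# confirmation; -Force would suppress that.
Set-MsolDirSyncFeature -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers -Enable $true

# Assumed follow-up check (not part of the reply): per the linked Microsoft doc the
# new policy is applied to each synced user when their password is next synced, so
# list synced users whose cloud password is still marked never-expiring to see who
# has not rolled over yet.
Get-MsolUser -All -Synchronized |
    Where-Object { $_.PasswordNeverExpires } |
    Select-Object UserPrincipalName, LastPasswordChangeTimestamp
```

Part 1 needs local administrator rights on the Connect server; Part 2 needs a Global Administrator (or equivalent) account, and the tenant must already have Password Writeback switched on in the Azure AD Connect wizard for the cloud-side change to flow back to Active Directory.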

      Eric LE CORRE
      Brass Contributor
      Hello,

      Thank you. Yes, I found this solution, like you said.

      Is it necessary or not to have Azure P1 licences for all my users to have the password writeback functionality?

      Thanks
        BilalelHadd
        Iron Contributor
        Hi Eric,

        Yes, it is mandatory to have an Azure AD P1 license to get this functionality working. It will work for all users. But legally, you should have enough P1 licenses available in your tenant to comply.
