SOLVED

On-premises password changes

Is anyone able to describe the process that occurs during password changes on-premises and how they are synced to Office 365?

In particular a customer is looking to force a lot of their users to reset their AD accounts by ticking the "User must change password at next login" check box. The issue they are having is that this seems to also be stopping users from logging into OWA and Outlook apps on their mobile devices. I was initially under the impression that Office 365 ignored this attribute until the password was changed in AD.

3 Replies

Afaik it ignores expired passwords, but using this tick is different. If this option (flag) is configured, the password is not synced as per: https://github.com/Microsoft/azure-docs/blob/master/articles/active-directory/connect/active-directo...

Thanks Vasil.

The thing I don't understand is that these users' passwords were already synced correctly, then the flag was set on the account. So using logic (probably not wise!) the user should be able to continue using the same, already synced password until they change it on-premises. If this is not the case, which it obviously isn't, I'd love to know why and what the actual process is.

When the on-prem AD account is set to User must change password at next logon and AD Connect doesn't sync the password, does this mean it actually removes the existing password for the linked Office 365 account?

best response confirmed by Dan Snape (Steel Contributor)
Solution

Well, I haven't seen any document detailing this, but here's what I make of it. The thing is the attribute pwdLastSet (which is zeroed when you select this checkbox) is synced to Azure AD *and* it signals the need to clear all existing tokens. As per https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-attr...

    pwdLastSet | X | mechanical property. Used to know when to invalidate already issued tokens. Used by both password sync and federation.

So it makes sense to clear the old (cloud) password at that point too.

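An added example, not from this thread or from Microsoft, that applies the point above before a bulk reset: it reads a constructed CSV export of sAMAccountName and pwdLastSet (column names and values are assumed, e.g. from Get-ADUser), decodes the FILETIME values, and lists the accounts whose pwdLastSet is 0, i.e. the ones AD Connect will not password-sync while the "must change password at next logon" flag is set.

```python
"""Classify AD accounts by pwdLastSet (added example; constructed sample data)."""
import csv
import io
from datetime import datetime, timedelta, timezone

# pwdLastSet is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
# A value of 0 means "User must change password at next logon" is ticked.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample export, not real customer data. Assumed column names.
SAMPLE_EXPORT = """sAMAccountName,pwdLastSet
alice,132000000000000000
bob,0
carol,132500000000000000
"""


def filetime_to_iso(ticks: int) -> str:
    """Convert a FILETIME tick count to an ISO-8601 UTC timestamp."""
    return (FILETIME_EPOCH + timedelta(microseconds=ticks // 10)).isoformat()


def classify(sam: str, pwd_last_set: int) -> dict:
    """Return the sync-relevant state of one account."""
    if pwd_last_set == 0:
        # Flag is set: password will not be synced until the user changes it.
        return {"user": sam, "state": "must_change", "last_set": None}
    return {"user": sam, "state": "synced_ok", "last_set": filetime_to_iso(pwd_last_set)}


def parse_export(text: str) -> list:
    """Parse the CSV export and classify every row."""
    reader = csv.DictReader(io.StringIO(text))
    return [classify(r["sAMAccountName"], int(r["pwdLastSet"])) for r in reader]


def must_change_users(text: str) -> list:
    """Accounts that AD Connect will skip for password sync while flagged."""
    return [r["user"] for r in parse_export(text) if r["state"] == "must_change"]


if __name__ == "__main__":
    for row in parse_export(SAMPLE_EXPORT):
        print(row)
    print("flagged:", must_change_users(SAMPLE_EXPORT))
```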