SOLVED

On-premises password changes

Dan Snape
Contributor

Is anyone able to describe the process that occurs during password changes on-premises and how they are synced to Office 365?

In particular a customer is looking to force a lot of their users to reset their AD accounts by ticking the "User must change password at next login" check box. The issue they are having is that this seems to also be stopping users from logging into OWA and Outlook apps on their mobile devices. I was initially under the impression that Office 365 ignored this attribute until the password was changed in AD.

3 Replies

Afaik it ignores expired passwords, but using this tick is different. If this option (flag) is configured, the password is not synced as per: https://github.com/Microsoft/azure-docs/blob/master/articles/active-directory/connect/active-directory-aadconnectsync-troubleshoot-password-synchronization.md

Thanks Vasil.

The thing I don't understand is that these users' passwords were already synced correctly, then the flag was set on the account. So using logic (probably not wise!) the user should be able to continue using the same, already synced password until they change it on-premises. If this is not the case, which it obviously isn't, I'd love to know why and what the actual process is.

When the on-prem AD account is set to User must change password at next logon and AD Connect doesn't sync the password, does this mean it actually removes the existing password for the linked Office 365 account?

Solution

Well, I haven't seen any document detailing this, but here's what I make of it. The thing is the attribute pwdLastSet (which is 0-ed when you select this checkbox) is synced to Azure AD *and* it signals the need to clear all existing tokens. As per https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized

pwdLastSet X   mechanical property. Used to know when to invalidate already issued tokens. Used by both password sync and federation.

So it makes sense to clear the old (cloud) password at that point too.
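Added example, not part of the thread: a PowerShell audit that lists the on-premises AD users whose "User must change password at next logon" box is ticked (pwdLastSet = 0), which is the population that, per the answers above, will not have a password synced by Azure AD Connect and will have their cloud tokens invalidated. Running this before ticking the box in bulk tells you exactly who will lose OWA and mobile Outlook access until they set a new password. It assumes the RSAT ActiveDirectory module is installed and that the account running it can read the domain; the OU path is a constructed placeholder.

```powershell
# Added example (not the thread's own code): report AD users with
# "User must change password at next logon" set, i.e. pwdLastSet = 0.
# Azure AD Connect skips password sync for these accounts until the user
# changes the password, and the synced pwdLastSet value also tells
# Azure AD to invalidate already issued tokens, so cloud sign-in fails.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# Constructed placeholder; point this at the OU you are auditing.
$SearchBase = 'OU=Users,DC=example,DC=com'

function Convert-PwdLastSet {
    # Translate the raw pwdLastSet FILETIME into a DateTime;
    # 0 means "must change at next logon" and has no date, so return $null.
    param([Int64]$Raw)
    if ($Raw -eq 0) { return $null }
    return [DateTime]::FromFileTime($Raw)
}

# Query on the raw attribute: pwdLastSet -eq 0 is the flag the answers describe.
$mustChange = Get-ADUser -Filter 'pwdLastSet -eq 0' `
    -SearchBase $SearchBase `
    -Properties pwdLastSet, whenChanged, UserPrincipalName |
    Where-Object { $_.Enabled }   # disabled accounts cannot sign in anyway

$report = foreach ($u in $mustChange) {
    [PSCustomObject]@{
        SamAccountName    = $u.SamAccountName
        UserPrincipalName = $u.UserPrincipalName   # the identity Office 365 sees
        pwdLastSet        = $u.pwdLastSet          # 0 for every row here
        LastPasswordSet   = Convert-PwdLastSet $u.pwdLastSet   # $null for the flagged accounts
        LastModified      = $u.whenChanged         # approximates when the box was ticked
    }
}

$report | Sort-Object LastModified | Format-Table -AutoSize
Write-Output ("{0} enabled users currently have 'must change password at next logon' set" -f @($report).Count)
```

The same query with the filter inverted (pwdLastSet -ne 0) and Convert-PwdLastSet applied gives the last password change date for the remaining users, which is useful when a customer wants to stage a forced reset in batches rather than ticking the box for everyone at once.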
