Password Challenges in Microsoft Team

%3CLINGO-SUB%20id%3D%22lingo-sub-2715374%22%20slang%3D%22en-US%22%3EPassword%20Challenges%20in%20Microsoft%20Team%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2715374%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Experts%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20are%20using%20the%20Office%20365%20Business%20Essentials%20Service%20for%20the%20last%207%20Years.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20have%20the%20following%20Setup.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3COL%3E%3CLI%3EOffice%20365%20is%20connected%20with%20Azure%20AD%20for%20Sync%20User%20Name%20and%20Password%20of%20Local%20Active%20Directory%20with%20Office%20365%20Azure.%20(Pass-through%20Authentication)%3C%2FLI%3E%3CLI%3EWe%20have%20Domain%20Controller%20with%20Single%20Forest%20and%20Multiple%20Domain%20Controller%3C%2FLI%3E%3CLI%3EUsers%20are%20Configured%20with%20Multifactor%20Authentication%3C%2FLI%3E%3C%2FOL%3E%3CP%3EProblem%20%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESome%20users%20are%20not%20happy%20when%20their%20local%20AD%20Password%20changes%20after%2030%20Days%20(As%20Per%20Organizational%20Policy)%20the%20Microsoft%20Challenges%20them%20to%20re-enter%20newly%20change%20AD%20Password%20in%20some%20cases%20and%20MFA%20prompt%20however%20Microsoft%20Outlook%202013%20(Desktop%20Version)%20does%20not%20ask%20to%20re-enter%20password%20the%20reason%20could%20be%20we%20had%20to%20save%20Application%20Password%20(App%20Password).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAlso%2C%20One%20Drive%20Sync%20Client%20also%20asks%20for%20a%20re-authentication%20like%20Microsoft%20Team%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EQuestion%20%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20there%20any%20way%20so%20we%20can%20bypass%20this%20password%20prompt%20%2F%20MFA%20prompt%20once%20a%20user%20changes%20the%20local%20AD%20Password.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2715374%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAuthentication%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EIdentity%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20Apps%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOneDrive%20for%20Business%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2715546%22%20slang%3D%22en-US%22%3ERe%3A%20Password%20Challenges%20in%20Microsoft%20Team%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2715546%22%20slang%3D%22en-US%22%3EDo%20you%20mean%20only%20in%20that%20particular%20case%20and%20have%20MFA%20enabled%20for%20any%20other%20case%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2715742%22%20slang%3D%22en-US%22%3ERe%3A%20Password%20Challenges%20in%20Microsoft%20Team%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2715742%22%20slang%3D%22en-US%22%3E%3CP%3EAs%20soon%20as%20the%20password%20is%20reset%20in%20local%20AD%2C%20and%20this%20information%20is%20synced%20to%20Azure%20AD%2C%20Azure%20AD%20will%20determine%20that%20all%20active%20tokens%20are%20no%20longer%20valid%20and%20need%20to%20be%20refreshed.%20This%20requires%20the%20user%20to%20authenticate%20themselves%20again.%20You%20could%20decide%20to%20disable%20MFA%20for%20specific%20users%2C%20but%20then%20MFA%20is%20disabled%20under%20all%20circumstances%20(excluding%20possible%20Azure%20AD%20CA%20policies)%2C%20something%20I%20do%20not%20recommend%20and%20you%20also%20do%20not%20want.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EUpdate%3C%2FSTRONG%3E%3A%20I%20just%20realized%20that%20potentially%20you%20could%20try%20and%20see%20if%20Azure%20AD%20Connect%20can%20be%20prevented%20from%20syncing%20the%20last%20password%20change%20time.%20Which%20is%20used%20by%20Azure%20AD%20to%20determine%20if%20it%20needs%20to%20revoke%20refresh%20tokens.%20Not%20sure%20if%20this%20attribute%20can%20be%20excluded%20though.%20Also%20still%20wouldn't%20recommend%20it%20%3A)%3C%2Fimg%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2715867%22%20slang%3D%22en-US%22%3ERe%3A%20Password%20Challenges%20in%20Microsoft%20Team%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2715867%22%20slang%3D%22en-US%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F960791%22%20target%3D%22_blank%22%3E%40pvanberlo%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EThanks%20for%20giving%20an%20explanation.%3CBR%20%2F%3E%3CBR%20%2F%3EAs%20i%20checked%20the%20behavior%20after%20changing%20Active%20Directory%20%2F%20Domain%20Password%20users%20has%20to%20enter%20New%20Domain%20Password%20and%20MFA%20Screen.%3CBR%20%2F%3E%3CBR%20%2F%3ELets%20assume%20if%20we%20disabled%20MFA%20but%20after%20changing%20Domain%20Password%20We%20have%20to%20enter%20new%20password.%3CBR%20%2F%3E%3CBR%20%2F%3ECan%20we%20eliminate%20the%20whole%20challenging%20password%20screens%20%3F%3CBR%20%2F%3E%3CBR%20%2F%3E%22I%20just%20realized%20that%20potentially%20you%20could%20try%20and%20see%20if%20Azure%20AD%20Connect%20can%20be%20prevented%20from%20syncing%20the%20last%20password%20change%20time.%20Which%20is%20used%20by%20Azure%20AD%20to%20determine%20if%20it%20needs%20to%20revoke%20refresh%20tokens.%20%22%3CBR%20%2F%3E%3CBR%20%2F%3EDo%20you%20think%20above%20can%20be%20workable%20scenario%20%3F%3CBR%20%2F%3EWill%20Azure%20ADFS%20can%20resolve%20this%20issue%20%3F%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E
Contributor

Hi Experts,

 

We are using the Office 365 Business Essentials Service for the last 7 Years.

 

We have the following Setup.

 

  1. Office 365 is connected with Azure AD for Sync User Name and Password of Local Active Directory with Office 365 Azure. (Pass-through Authentication)
  2. We have Domain Controller with Single Forest and Multiple Domain Controller
  3. Users are Configured with Multifactor Authentication

Problem :

 

Some users are not happy when their local AD Password changes after 30 Days (As Per Organizational Policy) the Microsoft Challenges them to re-enter newly change AD Password in some cases and MFA prompt however Microsoft Outlook 2013 (Desktop Version) does not ask to re-enter password the reason could be we had to save Application Password (App Password).

 

Also, One Drive Sync Client also asks for a re-authentication like Microsoft Team

 

Question :

 

Is there any way so we can bypass this password prompt / MFA prompt once a user changes the local AD Password.

 

 

4 Replies
Do you mean only in that particular case and have MFA enabled for any other case?

As soon as the password is reset in local AD, and this information is synced to Azure AD, Azure AD will determine that all active tokens are no longer valid and need to be refreshed. This requires the user to authenticate themselves again. You could decide to disable MFA for specific users, but then MFA is disabled under all circumstances (excluding possible Azure AD CA policies), something I do not recommend and you also do not want.

 

Update: I just realized that potentially you could try and see if Azure AD Connect can be prevented from syncing the last password change time. Which is used by Azure AD to determine if it needs to revoke refresh tokens. Not sure if this attribute can be excluded though. Also still wouldn't recommend it :) 

@pvanberlo

Thanks for giving an explanation.

As i checked the behavior after changing Active Directory / Domain Password users has to enter New Domain Password and MFA Screen.

Lets assume if we disabled MFA but after changing Domain Password We have to enter new password.

Can we eliminate the whole challenging password screens ?

"I just realized that potentially you could try and see if Azure AD Connect can be prevented from syncing the last password change time. Which is used by Azure AD to determine if it needs to revoke refresh tokens. "

Do you think above can be workable scenario ?
Will Azure ADFS can resolve this issue ?
Even when I had one of my domains set to federated, it would revoke refresh tokens when a password was changed and this info was synced back into Azure AD. To be fair, I've not tested it in a while and I primarily work with cloud only identities nowadays eliminating the need to even have a local AD.

If you disabled MFA, you'd still be presented with a screen to sign-in again anyhow.