cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Password Expiry/Reset

JamesCumberton
Copper Contributor

‎Jan 06 2021 04:17 PM - last edited on ‎Feb 06 2023 03:57 AM by

‎Jan 06 2021 04:17 PM - last edited on ‎Feb 06 2023 03:57 AM by

Password Expiry/Reset

Is it possible to have when a user's password expires it logs that user out so they are forced to reset it. Currently the notification appears for the user but they only have to reset it when they log out and log back in. 

 

I know there is a way to manually sign user's out but I wonder if this can be done automatically on expiration of password.

Labels:
3,268 Views
0 Likes
6 Replies
Reply
6 Replies
Vasil Michev

‎Jan 07 2021 12:33 AM

‎Jan 07 2021 12:33 AM

Re: Password Expiry/Reset

Session validity is enforced by token validity, not directly by passwords. Password change/expiration will cause the refresh token to expire, but the user can still retain access for the validity of the access token, and we have no way to revoke those. It also depends on the account type, the service used, etc.

 

TL;DR  if you want thing to happen as fast as possible, best initiate the sign out.

1 Like
Reply
best response confirmed by JamesCumberton (Copper Contributor)
boneyfrancis

‎Jan 07 2021 08:33 AM

‎Jan 07 2021 08:33 AM

Solution

Re: Password Expiry/Reset

Hi @JamesCumberton,

 

Technically, you can. In our organization we wanted to force sign-out users when their accounts get disabled or passwords are reset/changed, and so instead of waiting for the Azure refresh token to expire we solved the situation by running the following cmdlet when that action occurs:

  Set-MsolUser -UserPrincipalName $User -StsRefreshTokensValidFrom (get-date)
 
The key is, you'll need an interceptor to trigger this action when the condition occurs. If your domain is federated, it's your your on-premise AD should have a interceptor that can catch when password change/password expiry/account disable happens, and then execute the MSOL cmdlet to revoke the Azure token (or like how we have done, place the script in an Azure runbook, create a webhook, and have the AD interceptor call the Webhook and pass the username).
1 Like
Reply
producerreid20

‎Dec 07 2022 07:45 AM

‎Dec 07 2022 07:45 AM

Re: Password Expiry/Reset

if someone u trust to make Microsoft account for u changes your outlook password and administration password and u only can use the local guess account what to do?
0 Likes
Reply
whitephnx2

‎Oct 23 2023 07:30 AM

‎Oct 23 2023 07:30 AM

Re: Password Expiry/Reset

@boneyfrancis 

 

What interceptor are you referring to? I have ticket open with microsoft and they are telling me this can't be done and have no idea what you are referring to. 

0 Likes
Reply
boneyfrancis

‎Oct 23 2023 08:15 AM

‎Oct 23 2023 08:15 AM

Re: Password Expiry/Reset

@whitephnx2 The interceptor we use is MIM, but it can be anything. If you have an email notification whenever the password is reset, you can create a rule to Bcc a copy of that notification to a shared mailbox, and have Power Automate (for instance) revoke the token when a notification mail arrives.

0 Likes
Reply
Kidd_Ip

‎Oct 23 2023 05:28 PM

‎Oct 23 2023 05:28 PM

Re: Password Expiry/Reset

@JamesCumberton 

 

Yes, agree, technically we can

0 Likes
Reply