SOLVED

How to force all users to change password with ADConnect?


Hi,

I have a quick question regarding resetting the password for all users in the company.

I understood that the password policy is synced to AAD from the on-prem AD.

1) If the password policy is changed (on-prem) with no expiration date applied, will users be invited to renew the password on domain-joined devices?

2) I assume the policy change will be replicated to AAD; will users that have "AAD-joined" devices get invited to renew the password?

Or else, what is generally the proper way to achieve this for all users in the company?

1 Reply

Solution (best response confirmed by Djavan ROA)

Hi,

If you're using Hybrid Identity (e.g. with Azure AD Connect), the passwords are mainly stored in the on-prem AD. If you're using PHS, the hashes are synced; if you're using PTA/ADFS, they are not synced, but the main password is stored at the user object in AD.

If you set the flag "user must change password at next logon" at the user object in AD, the user has to change his password.

Afaik this works on domain-joined clients, the ADFS pages, and on AAD and AAD-joined devices (when password writeback is enabled).

To answer your question: set the flag for your user and test in your environment. After testing, set the flag for more users (maybe via PowerShell) or configure a password policy via GPO in your AD which forces the users to change their passwords periodically.

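The staged rollout the answer describes (set the flag on one account, test, then push it to more users via PowerShell), written out as an added example. This is not code from the original thread. It assumes the ActiveDirectory RSAT module, rights to modify the target users, and placeholder names for the pilot account (jdoe), the target OU (OU=Staff,DC=corp,DC=example) and an exclusion group for break-glass and service accounts (PasswordResetExempt); replace those for your domain. It also reads the flag back from pwdLastSet instead of trusting the write, and skips accounts with "password never expires", which Set-ADUser will not accept the flag on. The Azure AD Connect cmdlets at the end are shown commented out because they run on the sync server, not on a workstation.

```powershell
# Added example, not code from the original thread. Rolls out the
# "User must change password at next logon" flag in stages, as the answer
# suggests: pilot one account, verify, then a scoped rollout with a dry run.
# Assumptions: ActiveDirectory RSAT module installed, rights to modify the
# users, and the placeholder names below replaced for your own domain.

Import-Module ActiveDirectory

$TestUser     = 'jdoe'                          # assumed pilot account
$TargetOU     = 'OU=Staff,DC=corp,DC=example'   # assumed rollout scope
$ExcludeGroup = 'PasswordResetExempt'           # assumed group for break-glass/service accounts

function Set-MustChangePassword {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string[]] $SamAccountName)

    foreach ($sam in $SamAccountName) {
        $u = Get-ADUser -Identity $sam -Properties PasswordNeverExpires
        # Set-ADUser rejects ChangePasswordAtLogon on accounts with
        # "password never expires"; report those instead of failing mid-batch.
        if ($u.PasswordNeverExpires) {
            Write-Warning "$sam has PasswordNeverExpires set; skipping"
            continue
        }
        if ($PSCmdlet.ShouldProcess($sam, 'Set "must change password at next logon"')) {
            Set-ADUser -Identity $u -ChangePasswordAtLogon $true
        }
    }
}

function Test-MustChangePassword {
    param([Parameter(Mandatory)] [string] $SamAccountName)
    # The flag is stored as pwdLastSet = 0; read it back rather than
    # trusting that the write succeeded.
    $u = Get-ADUser -Identity $SamAccountName -Properties pwdLastSet
    return ($u.pwdLastSet -eq 0)
}

# 1) Pilot on one account and confirm the attribute actually changed.
Set-MustChangePassword -SamAccountName $TestUser
if (-not (Test-MustChangePassword -SamAccountName $TestUser)) {
    throw "pwdLastSet was not cleared for $TestUser"
}

# 2) Wider rollout: enabled users in the OU, minus the exclusion group.
#    -WhatIf lists what would change; rerun without it once reviewed.
$exempt = (Get-ADGroupMember -Identity $ExcludeGroup -Recursive).DistinguishedName
$scope  = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $TargetOU |
          Where-Object { $exempt -notcontains $_.DistinguishedName }

Set-MustChangePassword -SamAccountName $scope.SamAccountName -WhatIf
# Set-MustChangePassword -SamAccountName $scope.SamAccountName

# 3) On the Azure AD Connect server: with PHS, the flag only reaches Azure AD
#    when the ForcePasswordChangeOnLogOn feature is on (and password writeback
#    is enabled); then trigger a delta sync instead of waiting for the scheduler.
# Set-ADSyncAADCompanyFeature -ForcePasswordChangeOnLogOn $true
# Start-ADSyncSyncCycle -PolicyType Delta
```

Run it from an account that can write to the users in scope. Keep the -WhatIf run and review the list before the real one: the flag logs every affected user out of their next session, so service and break-glass accounts should be in the exclusion group, not discovered afterwards.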