cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

unexpected behavior with set-msoluserpassword pertaining to synced identities

Jente Paredis
Copper Contributor

‎Aug 08 2017 06:48 AM - last edited on ‎Jan 14 2022 05:30 PM by

‎Aug 08 2017 06:48 AM - last edited on ‎Jan 14 2022 05:30 PM by

unexpected behavior with set-msoluserpassword pertaining to synced identities

All,

While testing new Office 365 features for a customer of  mine, I came across the following situation, which kind of puzzles me.

 

My test tenant has synchronized users from my Domain Controller.

Password synchronization is enabled. 

Password writeback is not enabled on AAD Connect.

My users are able to sign in and to use O365 services.

 

However, when I use Set-MSOLUserPassword to reset the password of a user that is synchronized from my On-premises Active Directory, the password is reset for Office 365 services.

I would expect the reset password to fail because of the fact the identity is synced from on-premises AD.

 

Can anyone tell me why this password is indeed being reset instead of throwing an error? Because now we end up in the situation that a user has a different password for O365 and for On premises.

 

Kind regards,

Jente Paredis

 

1,663 Views
1 Like
1 Reply
Reply
1 Reply
Vasil Michev

‎Aug 08 2017 11:44 AM

‎Aug 08 2017 11:44 AM

Re: unexpected behavior with set-msoluserpassword pertaining to synced identities

That's actually the expected behavior.

 

An administrator can manually reset your password by using Windows PowerShell.

In this case, the new password overrides your synchronized password, and all password policies defined in the cloud are applied to the new password.

If you change your on-premises password again, the new password is synchronized to the cloud, and it overrides the manually updated password.

The synchronization of a password has no impact on the Azure user who is signed in. Your current cloud service session is not immediately affected by a synchronized password change that occurs while you're signed in to a cloud service. KMSI extends the duration of this difference. When the cloud service requires you to authenticate again, you need to provide your new password.

 

From the documetnation here: https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/active-directory/connect/active-dir...

1 Like
Reply