Allow password change only on VPN

Hey guys,

Currently I'm supporting a customer who has a lot of remote workers who are not often in the office. I realized that there are a lot of password issues. The customer's cloud journey has just begun. So there is a hybrid setup, but Intune is not a topic yet. They have SSPR activated, and the users use different options to change their passwords, either with Ctrl + Alt + Del or directly via MySecurityInfo. Unfortunately this leads to having two passwords if the clients are not connected to the VPN. A reset password would affect M365 services and the on-premises infrastructure, but not the password of the local device, because the device keeps the cached password while it has no connection to the local AD.
For sure you can solve this with an operational order and just tell the users that they should only change their password while being on VPN, but I would prefer to manage this with a technical solution.

One idea would be to remove the password change feature from Ctrl + Alt + Del (hopefully via GPO) and add a Conditional Access policy which only allows SSPR while on the VPN. It's just my personal brainstorming.

Is this feasible, or how would you deal with this if your devices are not directly joined to Entra?
Thanks in advance.