unexpected behavior with set-msoluserpassword pertaining to synced identities

Copper Contributor


While testing new Office 365 features for a customer of  mine, I came across the following situation, which kind of puzzles me.


My test tenant has synchronized users from my Domain Controller.

Password synchronization is enabled. 

Password writeback is not enabled on AAD Connect.

My users are able to sign in and to use O365 services.


However, when I use Set-MSOLUserPassword to reset the password of a user that is synchronized from my On-premises Active Directory, the password is reset for Office 365 services.

I would expect the reset password to fail because of the fact the identity is synced from on-premises AD.


Can anyone tell me why this password is indeed being reset instead of throwing an error? Because now we end up in the situation that a user has a different password for O365 and for On premises.


Kind regards,

Jente Paredis


1 Reply

That's actually the expected behavior.


An administrator can manually reset your password by using Windows PowerShell.

In this case, the new password overrides your synchronized password, and all password policies defined in the cloud are applied to the new password.

If you change your on-premises password again, the new password is synchronized to the cloud, and it overrides the manually updated password.

The synchronization of a password has no impact on the Azure user who is signed in. Your current cloud service session is not immediately affected by a synchronized password change that occurs while you're signed in to a cloud service. KMSI extends the duration of this difference. When the cloud service requires you to authenticate again, you need to provide your new password.


From the documetnation here: https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/active-directory/connect/active-dir...