Unable to login into Win 10 Azure AD joined device after a PW Change


Issue: Users are unable to log in to a Windows 10 Azure AD joined device if the on-premises Active Directory option "User must change password at next login" is checked. When the user logs in to an Azure AD joined Win10 device, they receive the following message: "User name or password incorrect. Try again."

When I uncheck the box, the user(s) are able to log in to the device.

This behavior occurs when changing the user's password either in on-premises Active Directory or via the password reset Graph endpoint.

 

Looking for a solution to this issue.

Thank You,

-Larry

6 Replies

Hi,

To be sure...

1. There are no Azure AD Connect errors and it has synced successfully?

2. Are you talking about HAADJ or AADJ?

Thank You for responding to my request.

The on-prem AD user account is not disabled. Azure AD "Block sign in" is "No".
The Azure AD joined device is compliant in Intune.

Regardless of whether the password has been changed or not, if the on-prem AD user attribute "User must change password at next login" is checked, users cannot log in to the Azure AD joined device; however, if the same user goes to a domain-joined device, they are able to log in and change the password. If we uncheck the user attribute "User must change password at next login", the user is able to log in to their Azure AD joined device.

My organization: over 300k users with about 90k Azure AD joined devices; we're in the middle of migrating all devices from domain join to Azure AD join.

We're using SSPR/MFA with Azure AD Connect (one version behind) with password writeback enabled.

Thank You,
-Larry

If I'm reading the above correctly... you are skipping the hybrid part and going full cloud. Great :)
I have seen something like this in the past, but that was about some weird password sync issue... maybe it helps your case?

http://blog.cyberadvisors.com/aadconnect-password-sync-issue-resolved

And could you make sure this one is enabled?

On the AD Connect server, open PowerShell and run the command Get-ADSyncAADCompanyFeature to check whether ForcePasswordChangeOnLogOn has been set.

When the Azure AD Connect sync is done, could you check whether the user's status has been updated?

Get-AzureADUser -ObjectId username@domain.com | Select PasswordPolicies, PasswordProfile | fl
Thank You for replying....

As you requested, I checked the setting for ForcePasswordChangeOnLogOn; it's set to false. After doing a little research, setting this attribute to True should resolve my issue. I submitted a change request to set this attribute to True. Once the change is made, I'll post the results, whether it resolves my issue or not.

Thank you again for pointing me in this direction.

-Larry

Larry Jones

Hello Larry,
Were you able to solve your problem? If so, what solution did you use?
I am having almost the same problem. We have 200 users with Azure AD joined computers. Self-service password reset is enabled. Azure AD Connect is also used. When the user's password expires and they change it through self-service password reset, the change succeeds, but the computer does not take the new password into account. He is forced to authenticate with the old password to log on to his computer, while Office 365 applications authenticate with the new password. We looked at the log files; we don't see any errors.

Here's the article that resolved my issue.

Set-ADSyncAADCompanyFeature -ForcePasswordChangeOnLogOn $true <------ This fixes the issue when the "User must change password at next login" box is checked in AD

https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-password-hash-synchro...
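The check, enable and verify sequence spread across the replies above, collected into one PowerShell script. This is an added example, not code from any poster in this thread; it assumes it runs in an elevated session on the Azure AD Connect server with the ADSync and AzureAD modules available, and the UPN is a placeholder.

```powershell
# Added example (not from the thread): check whether Azure AD Connect is
# flowing the "User must change password at next logon" state to Azure AD,
# enable it if not, run a delta sync, then confirm the per-user flag.
# Assumptions: elevated PowerShell on the Azure AD Connect server, ADSync and
# AzureAD modules installed, $upn replaced with the affected account.
Import-Module ADSync

$upn = 'user@contoso.com'   # placeholder UPN, replace with the affected account

# 1. Inspect the tenant-level feature flags that Azure AD Connect honours.
$features = Get-ADSyncAADCompanyFeature
if (-not $features.ForcePasswordChangeOnLogOn) {
    Write-Host 'ForcePasswordChangeOnLogOn is False; enabling it.'
    # The fix from the thread: with this on, the AD "must change password at
    # next logon" state is synced, so the AADJ device no longer rejects the user.
    Set-ADSyncAADCompanyFeature -ForcePasswordChangeOnLogOn $true
}
else {
    Write-Host 'ForcePasswordChangeOnLogOn is already True.'
}

# 2. Trigger a delta sync and wait for the scheduler to report it finished.
Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
do {
    Start-Sleep -Seconds 15
} while ((Get-ADSyncScheduler).SyncCycleInProgress)

# 3. Verify the cloud-side result for the user (the check suggested above).
Connect-AzureAD | Out-Null
$user = Get-AzureADUser -ObjectId $upn
[pscustomobject]@{
    UserPrincipalName            = $user.UserPrincipalName
    PasswordPolicies             = $user.PasswordPolicies
    ForceChangePasswordNextLogin = $user.PasswordProfile.ForceChangePasswordNextLogin
} | Format-List
```

The feature flag is tenant-wide, so confirm the result on a pilot account before rolling the change across the fleet.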