Unable to login into Win 10 Azure AD joined device after a PW Change


Issue: Users are unable to log into a Windows 10 Azure AD joined device if the On Premises Active Directory option "User must change password at next login" is checked. When the user logs into an Azure AD joined Win10 device, the user receives the following message: "User name or password incorrect. Try Again"

When I uncheck the box the user(s) are able to log into the device.

[Image: LarryJones_0-1624566975444.png]

This behavior occurs when changing the user's password either in On Premise Active Directory or using the password reset Graph endpoint.

Looking for a solution to this issue.

Thank You,

-Larry

4 Replies

Hi,

To be sure...

1. There are no Azure AD Connect errors and it has synced successfully?

2. Are you talking about HaaJD or AAJD?

Thank You for responding to my request.

The On Prem. AD user account is not disabled. Azure AD Block Sign In is "No".
The Azure AD joined device is compliant in Intune.

Regardless of whether the password has been changed or not, if the On Prem. AD user attribute "User must change password at next login" is checked, users cannot log into the Azure AD joined device; however, if the same user goes to a domain joined device they're able to log in and change their password. If we uncheck that user attribute "User must change password at next login", the user is able to log into their Azure AD joined device.

My organization: over 300k users with about 90k Azure AD joined devices; we're in the middle of migrating all devices from domain join to Azure AD join.

We're using SSPR/MFA with Azure AD Connect (1 version behind) with PW writeback enabled.

Thank You,
-Larry

If I read the above correctly... you are skipping the hybrid part and going full cloud. Great :)
I have seen something like this in the past, but this was about some weird password sync issue... maybe it helps your case?

http://blog.cyberadvisors.com/aadconnect-password-sync-issue-resolved

And could you make sure this one is enabled?

On the AD Connect server, open PowerShell and issue the command Get-ADSyncAADCompanyFeature to check whether ForcePasswordChangeOnLogOn has been set.

When the Azure AD Connect sync is done, could you check the user's status to see whether it has been updated?

Get-AzureADUser -ObjectID username@domain.com | Select PasswordPolicies, PasswordProfile | fl

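As an added example (not part of this thread, and not Microsoft's own tooling), the following script ties the two checks suggested above together: it reads the on-prem "must change password at next logon" flag (stored as pwdLastSet = 0), the Azure AD Connect ForcePasswordChangeOnLogOn feature, and the cloud user's PasswordProfile, and flags the combination this thread describes. It assumes it runs on the Azure AD Connect server with the ActiveDirectory, ADSync and AzureAD modules available, that Connect-AzureAD has already been run, and the UPN is a constructed placeholder.

```powershell
# Added example: correlate the three places the "must change password" flag lives.
# Assumes ActiveDirectory, ADSync and AzureAD modules; Connect-AzureAD already done.
param([string]$UserPrincipalName = 'user@contoso.example')   # constructed placeholder

Import-Module ActiveDirectory
Import-Module ADSync      # ships with Azure AD Connect, so run this on that server
Import-Module AzureAD

function Get-ForceChangeState {
    param([string]$Upn)

    # On-prem: AD represents "User must change password at next logon" as pwdLastSet = 0.
    $adUser = Get-ADUser -Filter "userPrincipalName -eq '$Upn'" -Properties pwdLastSet
    $onPremMustChange = ($adUser.pwdLastSet -eq 0)

    # Azure AD Connect: tenant feature that lets the sync engine carry that flag to the cloud.
    $feature        = Get-ADSyncAADCompanyFeature
    $featureEnabled = [bool]$feature.ForcePasswordChangeOnLogOn

    # Cloud: what Azure AD will actually enforce when the user signs in to the AADJ device.
    $aadUser         = Get-AzureADUser -ObjectId $Upn
    $cloudMustChange = [bool]$aadUser.PasswordProfile.ForceChangePasswordNextLogin

    [pscustomobject]@{
        UserPrincipalName          = $Upn
        OnPremMustChangePassword   = $onPremMustChange
        ForcePasswordChangeOnLogOn = $featureEnabled
        CloudMustChangePassword    = $cloudMustChange
        PasswordPolicies           = $aadUser.PasswordPolicies
        # The thread's situation: flag set on-prem while the feature is off, so the
        # cloud user never receives it and the AADJ sign-in fails.
        LikelyMismatch             = ($onPremMustChange -and -not $featureEnabled)
    }
}

$state = Get-ForceChangeState -Upn $UserPrincipalName
$state | Format-List

if ($state.LikelyMismatch) {
    Write-Warning 'On-prem flag is set but ForcePasswordChangeOnLogOn is disabled.'
    Write-Warning 'Documented remediation (needs password writeback, which this tenant has):'
    Write-Warning '  Set-ADSyncAADCompanyFeature -ForcePasswordChangeOnLogOn $true'
}
```

Re-run the script after the next sync cycle; CloudMustChangePassword should then follow the on-prem flag.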
Thank You for replying....

As you requested, I checked the setting for ForcePasswordChangeOnLogOn; it's set to false. After doing a little research, setting this attribute to True should resolve my issue. I submitted a change request to set this attribute to True. Once the change is made, I'll post the results, whether it resolves my issue or not.

Thank you again for pointing me in this direction.

-Larry