
MS Online Password reset - force change at next logon

Andrew Sparks
Contributor

When users reset their password through the SSPR/password reset on Microsoft Online, i.e. recover their account, it is then setting the flag in on-prem AD to force password change at next login. When the user logs in again to Office.com (for example) via ADFS, they are prompted to change their password again. It's then set correctly. How can I prevent this behaviour?

2 Replies
I have not encountered this behavior before and have not been able to find it as a configuration possibility. If you have a second installation of Azure AD Connect in staging mode, try and switch. I'm wondering if you have an on-premises GPO resulting in this behavior? How long has this been going on?
Solution

We logged a ticket with MS in the end; it was fixed by allowing the Unexpire Password permission for the AADC service account.
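
Added example, not part of the thread and not Microsoft's own code: a read-only PowerShell check that lists any allow ACE on the domain root granting the Unexpire Password control access right to the AADC connector account. It assumes the ActiveDirectory (RSAT) module is available; the account name `CONTOSO\MSOL_placeholder` and the function name `Get-UnexpirePasswordAce` are hypothetical.

```powershell
# Added example: read-only audit, makes no changes to the directory.
Import-Module ActiveDirectory

function Get-UnexpirePasswordAce {
    param(
        # DOMAIN\sAMAccountName of the AADC connector (service) account
        [Parameter(Mandatory)] [string] $Account
    )
    $rootDse  = Get-ADRootDSE
    $domainDn = $rootDse.defaultNamingContext
    $configDn = $rootDse.configurationNamingContext

    # Resolve the right's GUID from the Configuration partition instead of hard-coding it.
    $right = Get-ADObject -SearchBase "CN=Extended-Rights,$configDn" `
                 -LDAPFilter '(cn=Unexpire-Password)' -Properties rightsGuid
    if (-not $right) { throw 'Unexpire-Password control access right not found.' }
    $rightGuid = [guid]$right.rightsGuid
    $extended  = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

    # Inspect the DACL on the domain root object.
    (Get-Acl -Path "AD:\$domainDn").Access |
        Where-Object {
            $_.IdentityReference.Value -eq $Account -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band $extended) -and
            # Guid.Empty on an ExtendedRight ACE means "all extended rights".
            ($_.ObjectType -eq $rightGuid -or $_.ObjectType -eq [guid]::Empty)
        } |
        Select-Object IdentityReference, ObjectType, InheritanceType, IsInherited
}

# Constructed placeholder: substitute the connector account used by your AADC install.
$account = 'CONTOSO\MSOL_placeholder'
$aces = @(Get-UnexpirePasswordAce -Account $account)

if ($aces.Count -eq 0) {
    Write-Warning "No direct Unexpire Password grant found for $account on the domain root."
} else {
    $aces | Format-Table -AutoSize
}
```

The check only sees ACEs naming the account directly; rights held through group membership are not evaluated. If the grant is missing, the ADSyncConfig module shipped with Azure AD Connect provides `Set-ADSyncPasswordWritebackPermissions` to apply the password writeback permissions.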
