Aug 11 2019
05:17 AM
- last edited on
Jan 14 2022
04:37 PM
by
TechCommunityAP
Aug 11 2019
05:17 AM
- last edited on
Jan 14 2022
04:37 PM
by
TechCommunityAP
The last weeks we experience issue with users changing passwords.
User are created on premise in the Active Directory and synced with Azure AD connect (where are still running version 1.2.70.0). New users get a temporary password which they have to change on first logon.
Our users get devices which are setup through autopilot. They get prompted to change the password but when they do they get a message that the password is changed but that servers have process this change, resulting in issue that user cannot continue to setup the device. As a work around we tell them to turn of the device. They then can continue through the autopilot process because the password is already changed.
We use PTA and PHS still enabled. We moved form ADFS with PHS in June this year to PTA. We didn't have this error the first month after this change.
The error we see in the audit logs is OnPremisesSuccessCloudFailure.
So it seems there is some kind of delay after password is changed on premise.
I cannot anything on this particular error
Aug 12 2019 03:48 AM
1. Update your Azure AD Connect.
2. How are you users changing Password and where ?
the Only way to update your passwords for users is to give them SSPR ( Self Service Password Reset/Change) which does change there password in Cloud ( Azure AD) and not On-premise. It is over write by password coming in from Local AD via Azure AD COnnect Sync every 30 minutes. If you configure Password Write Bacl(Additional Licensing Cost - pRemium Azure AD License needed for that P1/P2) then you can write back password from Azure AD to your Local AD as well.
Both ways you have to (Mandate) upgrade your Azure AD Connect Version :)
The following prerequisites are required to migrate from using AD FS to using pass-through authentication.
To successfully complete the steps it takes to migrate to using pass-through authentication, you must have Azure Active Directory Connect (Azure AD Connect) 1.1.819.0 or a later version. In Azure AD Connect 1.1.819.0, the way sign-in conversion is performed changes significantly. The overall time to migrate from AD FS to cloud authentication in this version is reduced from potentially hours to minutes.
As a minimum to successfully perform the steps to migrate to password hash synchronization, you should have Azure AD connect 1.1.819.0. This version contains significant changes to the way sign-in conversion is performed and reduces the overall time to migrate from Federation to Cloud Authentication from potentially hours to minutes.
Update your Azure AD Connect and you should be all fixed :)
Cheers !
Ankit Shukla
Aug 12 2019 01:03 PM - edited Aug 12 2019 01:04 PM
Why do you think upgrading Azure AD connect will fix the problem? As i mentioned our version of Azure AD connect is. 1.2.70.0 which is a higher version 1.1.819.0.
Nov 05 2021 12:51 AM
Did you manage to solve this problem? We've just started implementing the same steps and we're seeing the same problems (two years later). Thanks in advance.
Nov 05 2021 01:35 AM
I'm sorry, I've should have looked further.
his error seems to happen when you set "User must change password at next logon" at account creation. If you let it sync first, and then set the flag in AD, it will sync and work. Thanks to SamTribe .