Radje asked amanpreetsingh-msft answered

Multiple domains sync to Azure AD

Let's say I have two on-premises domains (DomainA.org, domainB.org) and one tenant (domainA.onmicrosoft.com). Both domains are synced thanks to Azure AD Connect, so users from domainA can log in to office.com; there is no problem. However, users from domainB get the error "Error validating credentials due to invalid username or password.", and when I changed the password from portal.office.com for a user from domainB, I can log in with this new password, but only to Office 365 services; it is not synced to on-prem.

And another weird thing is that I can't change the password for users from domainA.

Do you know where the problem is?

Thanks

Tags: azure-active-directory, azure-ad-connect, azure-ad-tenant

amanpreetsingh-msft answered

Hi @Radje · Thanks for reaching out.

Checking the "User must change password at next logon" flag on a user object in on-prem Active Directory (AD) may cause this. Forcing a user to change their password on next logon requires a password change at the same time. Azure AD Connect will not pick up the force password change flag by itself; it is supplemental to the detected password change that occurs during password hash sync.

Support for temporary passwords in Azure AD for synchronized users is not enabled by default; it is enabled by running the following command on your Azure AD Connect server:

Set-ADSyncAADCompanyFeature -ForcePasswordChangeOnLogOn $true


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

AndyDavid answered Radje commented

If the domains are being synced to Azure and you want to allow password changes in Azure for on-prem accounts, you need to enable Self-Service Password Reset and password writeback.

Password writeback is enabled in Azure AD Connect:

https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr-writeback

Note the licensing requirements:

https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-licensing


That's not the problem. The problem is: why do I have to change the password for users from domainB, while users from domainA are synced to the cloud and can sign in with their on-premises passwords?

Must I assign some special licence to domainB users, or anything?

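The two answers point at two different Azure AD Connect settings (the ForcePasswordChangeOnLogOn feature, and password writeback for SSPR), and the follow-up comment asks why only domainB users are affected. The script below is an added troubleshooting example, not code from the question or either answer; it gathers the facts needed to tell those cases apart. It assumes it is run in an elevated PowerShell session on the Azure AD Connect server, that the ADSync module (installed with Azure AD Connect) and the RSAT ActiveDirectory module are available, and that the two connector names match the domain FQDNs given in the question (edit $Domains if yours differ).

```powershell
# Added diagnostic for the two-domain / one-tenant setup in this thread.
# Not code from the original post. Run elevated on the Azure AD Connect server.
# Assumptions: ADSync and ActiveDirectory modules are present; the domain FQDNs
# below are the ones from the question and may need adjusting.
Import-Module ADSync
Import-Module ActiveDirectory

$Domains = @('DomainA.org', 'domainB.org')   # assumed names, taken from the question

# 1. Tenant-side switches that Azure AD Connect controls. ForcePasswordChangeOnLogOn
#    is the setting from the first answer; PasswordWriteBack is what the second
#    answer says SSPR-driven changes need in order to reach on-prem AD.
Write-Host '== Azure AD company features =='
Get-ADSyncAADCompanyFeature |
    Select-Object ForcePasswordChangeOnLogOn, PasswordWriteBack, PasswordHashSync |
    Format-List

# 2. Is each on-prem forest present as an AD connector, and is password hash sync
#    enabled for that specific connector? Hash sync is configured per connector,
#    so one domain can be syncing hashes while the other is not.
Write-Host '== AD connectors and per-connector password hash sync =='
Get-ADSyncConnector |
    Where-Object { $_.ConnectorTypeName -eq 'AD' } |
    ForEach-Object {
        $cfg = Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $_.Name
        [pscustomobject]@{
            Connector        = $_.Name
            PasswordSyncOn   = $cfg.Enabled
        }
    } | Format-Table -AutoSize

# 3. Users carrying "User must change password at next logon" (pwdLastSet = 0),
#    listed per domain. The first answer names this flag as a likely cause, so
#    seeing it set on domainB accounts but not on domainA accounts would explain
#    why only one domain's users are affected.
Write-Host '== Enabled users flagged must-change-password, per domain =='
foreach ($d in $Domains) {
    try {
        Get-ADUser -Server $d -Filter 'pwdLastSet -eq 0 -and Enabled -eq $true' |
            Select-Object @{ n = 'Domain'; e = { $d } }, SamAccountName, UserPrincipalName |
            Format-Table -AutoSize
    }
    catch {
        Write-Warning "Could not query ${d}: $($_.Exception.Message)"
    }
}
```

Read the three sections together: section 1 tells you whether the feature from the first answer is already on and whether writeback is enabled at all; section 2 confirms both forests are in scope and syncing hashes; section 3 shows whether the affected accounts actually carry the must-change flag before you run Set-ADSyncAADCompanyFeature.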