
GregThomas-0401 asked JamesHamil-MSFT commented

Users have to change password when connecting to AD DS Azure VMs

Hi,

We have a cloud Active Directory DS to which virtual machines are connected (entirely in Azure, nothing on-premises).

The VMs have been joined to the domain.

We are finding that any user who wants to access these machines needs to do a password reset the first time.

Why is this the case? We thought this would only be a one-time thing for the admin to join the domain, but now it is every user?

Thank you - Greg.

azure-ad-domain-services

Hi @GregThomas-0401 , are users using Self Service Password Reset? Also, do you have any custom policies? There most likely is a setting that is causing this. Please check this document and see if you're using any of the password policies. If not, please let me know and I can assist you further!

Best,
James



Hi James,

Just reading this document - https://docs.microsoft.com/en-us/azure/active-directory-domain-services/synchronization#synchronization-from-azure-ad-to-azure-ad-ds

When a user is created in Azure AD, they're not synchronized to Azure AD DS until they change their password in Azure AD. This password change process causes the password hashes for Kerberos and NTLM authentication to be generated and stored in Azure AD. The password hashes are needed to successfully authenticate a user in Azure AD DS.

Is there any way to move the user over to AD DS without doing a password change? I.e., a PowerShell script of some sort?

Thanks - Greg


Hi @GregThomas-0401 , Have you looked into password hash sync? This will help you sync the on-premises password with AAD. In order to register a user on ADDS you need to reset the password but hash sync might make it easier for your users to manage their passwords. You can also configure password rules to make the process less painful.

I hope this helps! Please let me know if you have any questions.

Thank you,
James



0 Answers