I am attempting to roll out the SSPR feature (using AAD Connect) in our environment. Password writeback works (as in the user can initiate a password change from Office 365 by clicking Settings > Reset Password).
However, newly created users that have "User must change password at next sign on" checked in AD, receive "Your password has expired. Type your updated password and try again" instead of being prompted to change the password when signing into 365.
I have set the following permissions for the AAD Connect account in the root OU of our domain:
Write Permissions on lockouttime
Write Permissions on pwdLastSet
Extended rights for "Unexpire password"
In addition to this, I have updated to the latest version of AAD Connect and disabled/enabled the writeback feature.
I did notice that the "Unexpire password" permission does not seem to inherit on the child OUs. Is there something else I am missing?