MatthewShannon-1354 asked:

Unexpire Password not working for password writeback

Hello.

I am attempting to roll out the SSPR feature (using AAD Connect) in our environment. Password writeback works (as in the user can initiate a password change from Office 365 by clicking Settings > Reset Password).

However, newly created users that have "User must change password at next sign on" checked in AD, receive "Your password has expired. Type your updated password and try again" instead of being prompted to change the password when signing into 365.

I have set the following permissions for the AAD Connect account in the root OU of our domain:

Reset Password
Write Permissions on lockouttime
Write Permissions on pwdLastSet
Extended rights for "Unexpire password"

In addition to this, I have updated to the latest version of AAD Connect and disabled/enabled the writeback feature.

I did notice that the "Unexpire password" permission does not seem to inherit on the child OUs. Is there something else I am missing?




azure-ad-password-hash-sync
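As an added illustration (this is not code from the original thread and not a Microsoft tool), the PowerShell below audits whether a given account holds the four permissions listed in the question on an OU, and whether each one is inherited or scoped to descendants. The OU distinguished name and connector account name are placeholders; the GUIDs are resolved from the forest's own schema and Extended-Rights container rather than hard-coded.

```powershell
# Added example: audit the ACEs that SSPR password writeback needs on an OU.
# Assumptions: run on a domain-joined host with RSAT; $OuDistinguishedName and
# $ConnectorAccount are placeholders for your OU and the AAD Connect connector account.
Import-Module ActiveDirectory

function Get-WritebackRightMap {
    # Look up the rightsGuid of the two control access rights and the schemaIDGUID
    # of the two attributes from this forest, so nothing is hard-coded.
    $rootDse = Get-ADRootDSE
    $map = @{}
    foreach ($name in 'Reset Password', 'Unexpire Password') {
        $obj = Get-ADObject -SearchBase $rootDse.configurationNamingContext `
            -LDAPFilter "(&(objectClass=controlAccessRight)(displayName=$name))" -Properties rightsGuid
        $map[$name] = @{ Guid = [guid]$obj.rightsGuid; Right = 'ExtendedRight' }
    }
    foreach ($attr in 'pwdLastSet', 'lockoutTime') {
        $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
            -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$attr))" -Properties schemaIDGUID
        $map[$attr] = @{ Guid = [guid]$obj.schemaIDGUID; Right = 'WriteProperty' }
    }
    return $map
}

function Test-WritebackAce {
    param(
        [Parameter(Mandatory)][string]$OuDistinguishedName,   # e.g. 'OU=Users,DC=corp,DC=example' (placeholder)
        [Parameter(Mandatory)][string]$ConnectorAccount       # e.g. 'CORP\MSOL_xxxxxxxx' (placeholder)
    )
    $rights = Get-WritebackRightMap
    $acl    = Get-Acl -Path "AD:\$OuDistinguishedName"
    $aces   = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $ConnectorAccount }

    foreach ($entry in $rights.GetEnumerator()) {
        $wanted = $entry.Value
        # An ACE matches when it allows the expected right type on the expected object GUID.
        $match = $aces | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.ObjectType -eq $wanted.Guid -and
            ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::$($wanted.Right))
        } | Select-Object -First 1

        [pscustomobject]@{
            OU              = $OuDistinguishedName
            Permission      = $entry.Key
            Present         = [bool]$match
            # IsInherited = $true means the ACE flowed down from a parent OU.
            Inherited       = if ($match) { $match.IsInherited } else { $null }
            # 'Descendents' or 'All' on the parent is what lets child OUs receive the ACE;
            # 'None' means the ACE applies to this object only and will not propagate.
            InheritanceType = if ($match) { $match.InheritanceType.ToString() } else { $null }
        }
    }
}

# Usage: compare the root OU with a child OU. A row for 'Unexpire Password' that is
# Present on the root but missing on the child points at an ACE created without
# inheritance, which is the symptom described in the question.
Test-WritebackAce -OuDistinguishedName 'OU=Users,DC=corp,DC=example' -ConnectorAccount 'CORP\MSOL_xxxxxxxx' | Format-Table
Test-WritebackAce -OuDistinguishedName 'OU=Sales,OU=Users,DC=corp,DC=example' -ConnectorAccount 'CORP\MSOL_xxxxxxxx' | Format-Table
```

Run it once against the OU where the permissions were granted and once against a child OU. On the child, a Present = False row next to a parent row whose InheritanceType is None shows the ACE was scoped to the parent object only; on the parent the ACE needs an inheritance type that covers descendant objects for the child OUs to pick it up. Because the audit reads the ACL only, it is safe to run on a schedule to catch permission drift after OU moves or delegation changes.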

Hi, we are investigating your issue and will update you shortly.

Best,
James


Hi @MatthewShannon-1354 , so sorry for the delay in response. I'll expedite this for you. What happens if the user updates their password? Does it still send the same message? We may have to open a support ticket for you in this case. Also, what documents are you following for this? I'll try to reproduce the bug.

Best,
James


Sorry for the late response.

If the user logs in and initiates the password change themselves, they are able to change the password and it successfully writes back to on-prem AD.

If the "User Must Change Password at next logon" box is checked in AD, the user is unable to log in and receives the error message.

I have followed these documents:

Microsoft Documentation:

https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr-writeback

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-password-hash-synchronization

Non-Microsoft:

https://blog.naglis.no/?p=3923


Hi @MatthewShannon-1354 , I've reached out to the product team and should hear back soon!

Best,
James


0 Answers