The scope of this article is to describe the technical steps required to force a password change when the change is being blocked by the minimum password age policy.
Requirements
- Password writeback setting active on Azure AD Connect server
- AD users are synchronized to AAD using the Azure AD Connect server
Technical steps
- On-premises
Check the option Users must change password at next logon
- Cloud
Execute the following PowerShell command to force the password reset for the users (run once per user, substituting the user's UPN for username):
Set-MsolUserPassword -UserPrincipalName username -ForceChangePasswordOnly $true -ForceChangePassword $true
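The two technical steps above, scripted for a list of users as an added example (this is not the article's own code): it assumes the RSAT ActiveDirectory and MSOnline modules are installed, that Connect-MsolService has already been run, and a constructed list of UPNs.

```powershell
# Added example, not from the original article: set "change password at next
# logon" for a list of synchronized users, first on-premises, then in the cloud.
# Assumes the ActiveDirectory (RSAT) and MSOnline modules, an existing
# Connect-MsolService session, and password writeback enabled on AAD Connect.
Import-Module ActiveDirectory
Import-Module MSOnline

# Constructed sample input; replace with the real list (or an OU/group query).
$Upns = @('alice@contoso.example', 'bob@contoso.example')

foreach ($Upn in $Upns) {
    # --- On-premises: same effect as ticking "must change password at next logon".
    # This flag does not depend on the minimum password age, so the user can change
    # the password at the next logon even if the age policy would otherwise block it.
    $AdUser = Get-ADUser -Filter "UserPrincipalName -eq '$Upn'" -ErrorAction SilentlyContinue
    if (-not $AdUser) {
        Write-Warning "$Upn not found in on-premises AD, skipping"
        continue
    }
    Set-ADUser -Identity $AdUser -ChangePasswordAtLogon $true

    # --- Cloud: only flag accounts that are actually synchronized (LastDirSyncTime
    # set), otherwise the on-premises and cloud states would diverge.
    $MsolUser = Get-MsolUser -UserPrincipalName $Upn -ErrorAction SilentlyContinue
    if (-not $MsolUser -or -not $MsolUser.LastDirSyncTime) {
        Write-Warning "$Upn is not a synchronized cloud user, skipping cloud flag"
        continue
    }
    # -ForceChangePasswordOnly keeps the current password; only the flag is set.
    Set-MsolUserPassword -UserPrincipalName $Upn -ForceChangePasswordOnly $true -ForceChangePassword $true
    Write-Output "Forced password change at next logon for $Upn (on-premises and cloud)"
}
```

The on-premises and cloud halves can be split into two scripts if the admin workstation does not have both modules; the skip conditions are what keep the two directories consistent.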
User impact
Users have two options to change the password, on-premises or cloud. They can choose between the two options depending on their constraints.
Remarks
- If a user changes the password first on-premises, the change is reflected in the cloud; if a user changes the password first in the cloud, the change is reflected on-premises
- After the change, wait 2-5 minutes for it to be correctly replicated
If the user decides to change the password on-premises, the following steps should be followed
- During the first login on the workstation, the user will be asked to change the password
- Once the password is changed, it is replicated to cloud
If the user decides to change the password in the cloud, the procedure is outlined below
- Connect to the Office login or Microsoft login page
- Enter the username
- Enter the old password
- Specify the MFA code
- Enter the new password
- Once the password is changed, it is replicated to on-premises
Remark
If you change the password directly in the cloud using the following option, the password will not be replicated even if the operation is successful.