I'm dealing with a situation where a newly synced Active Directory user has the flag set to change their password at the next logon, but they're trying to log in to an Azure Active Directory (AAD) joined machine for the first time. They're attempting to access Office.com, but it's failing. We have Self-Service Password Reset (SSPR) configured and it works for other users. The setting for "ForcePasswordChangeOnLogOn" is currently set to false. Should I change this to true, and do we need to configure anything on the AD account before making that adjustment?
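The usual way to make Azure AD honor the on-premises "User must change password at next logon" flag is the ForcePasswordChangeOnLogOn feature on the Azure AD Connect server; it requires password hash synchronization and password writeback, and it only affects accounts whose AD pwdLastSet is 0 at the time they are synced, not the whole user base. The following is an added example (not code posted by anyone in this thread) showing how to check the current state, enable the feature, confirm the AD account is actually flagged, and run a delta sync. It assumes it is run on the Azure AD Connect server with the ADSync and ActiveDirectory modules available; the user name `jdoe` and the connector name `corp.example.com` are placeholders.

```powershell
# Added example: run as an administrator on the Azure AD Connect server.
Import-Module ADSync
Import-Module ActiveDirectory

$SamAccountName = 'jdoe'               # placeholder: the newly synced user
$SourceConnector = 'corp.example.com'  # placeholder: the on-premises AD connector name

# 1. Confirm password hash sync is on for the AD connector; the feature does nothing without it.
Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $SourceConnector

# 2. Show the current tenant-level feature flags, including ForcePasswordChangeOnLogOn.
#    Password writeback must already be enabled for the flag to be useful.
Get-ADSyncAADCompanyFeature

# 3. Enable the feature. This is a one-time tenant setting, not a per-user change.
Set-ADSyncAADCompanyFeature -ForcePasswordChangeOnLogOn $true

# 4. Verify the AD account really carries the "change password at next logon" flag.
#    pwdLastSet = 0 is the on-disk representation of that checkbox.
$user = Get-ADUser -Identity $SamAccountName -Properties pwdLastSet, PasswordExpired
if ($user.pwdLastSet -ne 0) {
    # If the flag was cleared (for example by a helpdesk reset), set it again so the
    # next sync carries it; this only affects this one account.
    Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true
}

# 5. Push the change to Azure AD without waiting for the scheduled cycle.
Start-ADSyncSyncCycle -PolicyType Delta
```

After the delta sync completes, the user's first interactive sign-in to the AAD-joined device should prompt for a new password; other users whose pwdLastSet is non-zero are not affected by enabling the feature.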
4 Answers
Yes, password write-back is enabled and it works fine for regular users.
Just to follow up, do you have password write-back enabled? That could affect whether the password change process works for this user.
I got some additional details. The user actually can't log into their AAD joined workstation at all. Do you think changing the "ForcePasswordChangeOnLogOn" setting will resolve this? And will it force a password change for all users or just new ones?
Have you checked the sign-in logs for any specific failure reasons? It could be related to SSPR and whether MFA registration is complete for the user. Knowing that info could really help narrow down the issue.