I'm encountering an issue with a user who has their account synced with Active Directory. The user has a flag set to change their password on the next logon, but it's their first time logging into an Azure Active Directory (AAD) joined machine. When they attempt to log in at office.com, the login fails. I've confirmed that Self-Service Password Reset (SSPR) is operational for other users. Currently, the setting "ForcePasswordChangeOnLogOn" is false. Should I change this to true, and is there anything specific that needs to be done to the AD account before making this change? Any help would be appreciated!
3 Answers
Do you have password write-back enabled in your setup? This might be important if the user’s issue is related to password synchronization or changes.
Yes, it is enabled and functioning for the regular users without issues.
Have you checked the sign-in logs for any error messages? That might give you clues about what’s going wrong. It could be related to SSPR or MFA registration processes not being completed. Also, it’s a good idea to see if the device is prompting for MFA or SSPR setup on the first login, as that could be part of the issue.
Exactly! It’s key to find out what’s blocking that initial login.

I think gathering that info will help a lot. Just remember, you’ll need system access to check that. It’s also worth noting that if the user can’t even log into their workstation, changing the "ForcePasswordChangeOnLogOn" setting might be necessary. But does that change impact everyone or just this specific user?
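As an added example (not posted by anyone in this thread), the following PowerShell checks the two things the discussion turns on: whether the on-premises account actually carries the "change password at next logon" flag (pwdLastSet = 0), and whether the tenant-wide Azure AD Connect feature ForcePasswordChangeOnLogOn is enabled. It assumes it is run on the Azure AD Connect server with the ADSync and ActiveDirectory modules available; the account name is a placeholder.

```powershell
# Added example, not from the original thread. Run on the Azure AD Connect
# server in an elevated PowerShell session. Assumes the ADSync and
# ActiveDirectory modules are installed there.
Import-Module ADSync
Import-Module ActiveDirectory

$sam = 'jdoe'   # placeholder: sAMAccountName of the affected user

# 1. Confirm the on-premises account really has the flag set.
#    "User must change password at next logon" is stored as pwdLastSet = 0.
$user = Get-ADUser -Identity $sam -Properties pwdLastSet
$mustChange = ($user.pwdLastSet -eq 0)
Write-Host ("{0}: pwdLastSet={1}  must change at next logon: {2}" -f
    $sam, $user.pwdLastSet, $mustChange)

# 2. Read the tenant-level Azure AD Connect feature flags. This object is
#    per tenant, so ForcePasswordChangeOnLogOn applies to every synced user,
#    not only this account. Password writeback must already be on; the
#    PasswordWriteBack entry in this listing should read True.
$features = Get-ADSyncAADCompanyFeature
$features | Format-List

if (-not $features.ForcePasswordChangeOnLogOn) {
    Write-Warning ("ForcePasswordChangeOnLogOn is disabled: a synced " +
        "'must change password' flag is not enforced at Azure AD sign-in.")
    # Enable only after confirming writeback works; takes effect on the
    # next sync cycle. Uncomment to apply:
    # Set-ADSyncAADCompanyFeature -ForcePasswordChangeOnLogOn $true
}
```

Because the flag is tenant-wide, test the change with a single pilot account that has pwdLastSet = 0 before relying on it for the reported user.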