Is Microsoft’s Entra Password Caching Policy Too Confusing?

Asked By FuzzyBanana84 On

I've recently transitioned to using Microsoft Entra for joining machines, rather than Active Directory (AD), but my user accounts remain hybrid, linked with ADDS and synced to Entra. We're utilizing the Passthrough Authentication (PTA) method. I encountered a peculiar situation where, after a password reset, a user continued to log in with their old password while facing issues with Single Sign-On (SSO) for on-prem apps and services. I conducted a test on my own machine, only to replicate the problem: even after resetting the password in AD or via the Self-Service Portal, I could still log in using the old credentials. I reached out to Microsoft support, and after some back and forth, I learned this behavior is intended. A machine will keep using the cached password until the user signs in with the new one, with no expiration time set. I even checked a different tenant and saw the same odd behavior. Unlike ADDS, there are no settings available to ensure it validates the credentials whenever online. Am I the only one who thinks this is a bit off, or just stuck in the AD mindset?
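To make the difference between the two behaviours in the question concrete, here is an added toy model. It is not Microsoft's code and does not describe Entra or AD internals; the policy names, the user name and the passwords are constructed for this example. One policy keeps serving the cached verifier until the user signs in with the new password (the behaviour support described), the other re-checks against the directory whenever the device is online (the AD-style expectation).

```python
"""Constructed model of two local credential-cache policies.
Hypothetical policy labels, not real Entra/AD settings:
  "cache_until_new_signin" - accept the cached verifier until the user
                             successfully signs in with a new password
  "validate_when_online"   - always ask the directory when reachable
"""
import hashlib
import hmac
from dataclasses import dataclass, field

_SALT = b"constructed-salt"  # fixed for the example; a real cache would salt per user


def _verifier(password: str) -> bytes:
    """PBKDF2 stands in for whatever hashed verifier a real cache stores."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 10_000)


@dataclass
class Directory:
    """Authoritative identity store (AD / Entra in the question)."""
    users: dict  # user -> verifier

    def reset_password(self, user: str, new_pw: str) -> None:
        self.users[user] = _verifier(new_pw)

    def check(self, user: str, pw: str) -> bool:
        return hmac.compare_digest(self.users[user], _verifier(pw))


@dataclass
class Device:
    policy: str
    cache: dict = field(default_factory=dict)  # user -> last verifier that worked

    def _online_check(self, directory: Directory, user: str, pw: str):
        ok = directory.check(user, pw)
        if ok:
            self.cache[user] = _verifier(pw)  # successful sign-in refreshes the cache
        return ok, "directory"

    def logon(self, directory: Directory, user: str, pw: str, online: bool):
        """Return (granted, source) for one local logon attempt."""
        if online and (self.policy == "validate_when_online" or user not in self.cache):
            return self._online_check(directory, user, pw)
        cached = self.cache.get(user)
        if cached is not None and hmac.compare_digest(cached, _verifier(pw)):
            return True, "cache"  # stale verifier still accepted here
        if online:
            return self._online_check(directory, user, pw)  # cache miss, ask the directory
        return False, "cache"


def stale_password_window(policy: str) -> dict:
    """Scenario from the question: reset the password in the directory, then
    keep trying the OLD password on an online device until the user finally
    signs in with the new one. Returns what each policy let through."""
    directory = Directory({"alice": _verifier("OldPass-2023!")})
    device = Device(policy)
    device.logon(directory, "alice", "OldPass-2023!", online=True)  # populates cache
    directory.reset_password("alice", "NewPass-2024!")

    stale = sum(
        device.logon(directory, "alice", "OldPass-2023!", online=True)[0]
        for _ in range(3)
    )
    new_ok, _ = device.logon(directory, "alice", "NewPass-2024!", online=True)
    old_after, _ = device.logon(directory, "alice", "OldPass-2023!", online=True)
    offline_old, _ = device.logon(directory, "alice", "OldPass-2023!", online=False)
    return {
        "stale_online_logons": stale,   # old password accepted while online
        "new_password_ok": new_ok,
        "old_after_new": old_after,     # old password once the cache is refreshed
        "offline_old_after_new": offline_old,
    }


if __name__ == "__main__":
    for policy in ("cache_until_new_signin", "validate_when_online"):
        print(policy, stale_password_window(policy))
```

The gap the question describes shows up as `stale_online_logons`: under the cache-until-new-sign-in policy the old password keeps working on an online device right up until the new one is used, while the validate-when-online policy rejects it immediately. Both policies still accept whatever the cache holds when the device is offline, which is the part no policy setting removes and why the answers point at disk encryption and Conditional Access rather than at the cache alone.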

2 Answers

Answered By TechWizard99 On

Wow, that's a wild situation! I thought the machine would automatically catch the new password once it synced up with AD. So, you're saying it can just let users in with their old password until they try to access something that requires a fresh sign-in? That's definitely a confusing workflow. It might lead to users not realizing their password has changed until they run into issues with other apps.

Answered By SilverPenguin42 On

You've tapped into a pretty significant change from the traditional AD way of doing things. The risk has shifted, and while Microsoft has made some strides in securing access with tokens, it seems they've overlooked the local access aspect. Utilizing tools like BitLocker and Conditional Access can help mitigate this, but that reliance on cached passwords does open up some potential security gaps.

GadgetGuy_3000 -

Absolutely, the cached password situation can be risky, especially if a device were stolen. It's a tough call between security and usability. Some users might forget their new password if they log in with the old one first!
