The scope of this article is to describe the technical steps required to force password changed when being restricted by the minimum password age policy.
- Password writeback setting active on Azure AD Connect server
- AD users are synchronized in AAD using Azure AD Connect server
Check the option Users must change password at next logon
Execute the following PowerShell command to force the password reset for all the users
Set-MsolUserPassword -UserPrincipalName username -ForceChangePasswordOnly $true -ForceChangePassword $true
Users have two options to change the password, on-premises or cloud. They can choose between the two options depending on their constraints.
- If a user changes the password first on-premises – the change is reflected in the cloud, if a user changes the password first in the cloud – the change is reflected on-premises
- After the change, wait 2-5 minutes for these to be correctly replicated
If the user decides to change the password on-premises, the following steps should be followed
- During the first login on the workstation, the user will be asked to change the password
- Once the password is changed, it is replicated to cloud
If the user decides to change the password in the cloud, the procedure is outlined below
- Connects to Office login or Microsoft login
- Adds the username
- Adds the old password
- Specifies the MFA code
- Adds the new password
- Once password is changed, it is replicated to on premises
If you change the password directly in the cloud using the following option – the password will not be replicated even if the operation is successful.