The scope of this article is to describe the technical steps required to force password changed when being restricted by the minimum password age policy.

Requirements

  • Password writeback setting active on Azure AD Connect server
  • AD users are synchronized in AAD using Azure AD Connect server

Technical steps

  • On-premises
    Check the option Users must change password at next logon
  • Cloud
    Execute the following PowerShell command to force the password reset for all the users

    [code language=”shell”]
    Set-MsolUserPassword -UserPrincipalName username -ForceChangePasswordOnly $true -ForceChangePassword $true
    [/code]

User impact

Users have two options to change the password, on-premises or cloud. They can choose between the two options depending on their constraints.

Remarks

  • If a user changes the password first on-premises – the change is reflected in the cloud, if a user changes the password first in the cloud – the change is reflected on-premises
  • After the change, wait 2-5 minutes for these to be correctly replicated

If the user decides to change the password on-premises, the following steps should be followed

  1. During the first login on the workstation, the user will be asked to change the password
  2. Once the password is changed, it is replicated to cloud

If the user decides to change the password in the cloud, the procedure is outlined below

  1. Connects to Office login or Microsoft login
  2. Adds the username
  3. Adds the old password
  4. Specifies the MFA code
  5. Adds the new password
  6. Once password is changed, it is replicated to on premises

Remark

If you change the password directly in the cloud using the following option – the password will not be replicated even if the operation is successful.