Force Password Change at Next Sign-in for Entra Connect Synchronized Identities

Last updated on March 1st, 2024 at 01:51 am

Here’s a quick tip if you’re using Microsoft Entra Connect (Azure AD Connect) to sync your user identities and need to force a password change for users at their next logon. This is useful when all of your identities are synced from AD but you have a mixed bag of devices: some PCs are domain-joined, some Hybrid Joined, some Entra Joined, and some are BYOD. Users on the first two authenticate to a domain controller, while users on the last two only ever authenticate to Entra ID. We’re assuming you’re using password hash sync and that you’ve already enabled password writeback (Enable Microsoft Entra password writeback – Microsoft Entra | Microsoft Learn). Writeback is what lets an identity that authenticates to Entra change its password in the cloud and have the new password written back to Active Directory; without it, the cloud-side prompt has nowhere to land.

We’re probably all familiar with the account setting in AD to force a password change at next logon (“User must change password at next logon”, which under the hood sets the pwdLastSet attribute to 0). It does exactly what it says. Note that accounts with “Password never expires” or “User cannot change password” set will not be prompted, and Set-ADUser will refuse to set ChangePasswordAtLogon on an account whose password never expires, so those settings effectively override this one. If you need to do this for multiple users, or even an entire OU, you can multi-select the users in Active Directory Users and Computers and set it once for all of them.

However, by default Entra Connect doesn’t sync the change-password-at-next-logon flag. So that checkbox only ends up applying to users on domain-joined or hybrid-joined devices with line of sight to a DC. You can see that Entra Connect won’t sync this setting by opening PowerShell on the Entra Connect server and running Get-ADSyncAADCompanyFeature: ForcePasswordChangeOnLogOn is reported as False.

Change that value to True with Set-ADSyncAADCompanyFeature -ForcePasswordChangeOnLogOn $true and then run a delta sync (Start-ADSyncSyncCycle -PolicyType Delta).

After the sync is complete, the next time users try signing in to M365 they’ll be prompted to change their password, just like the users who authenticate to AD directly.

And after they change the password, you’ll notice the “change password at next logon” box is cleared in AD for that user, because the writeback sets a new pwdLastSet value.
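The steps above as one PowerShell sequence, run on the Entra Connect server. This is an added example, not code from the original post or from Microsoft; it assumes the ADSync module that ships with Entra Connect, that the account running it is a member of ADSyncAdmins, and a 10-minute timeout for the delta sync (the timeout is an arbitrary choice).

```powershell
# Added example: enable ForcePasswordChangeOnLogOn in Entra Connect and run a delta sync.
# Assumes the ADSync module (installed with Entra Connect) and membership in ADSyncAdmins.
Import-Module ADSync

# 1. Inspect the current state; ForcePasswordChangeOnLogOn is $false on a default install.
$before = Get-ADSyncAADCompanyFeature
"ForcePasswordChangeOnLogOn before: $($before.ForcePasswordChangeOnLogOn)"

# 2. Turn the feature on if it is not already on. The post assumes password hash sync
#    and password writeback are already enabled; this cmdlet does not configure those.
if (-not $before.ForcePasswordChangeOnLogOn) {
    Set-ADSyncAADCompanyFeature -ForcePasswordChangeOnLogOn $true
}

# 3. Start-ADSyncSyncCycle fails if a cycle is already running, so check first.
if ((Get-ADSyncScheduler).SyncCycleInProgress) {
    throw 'A sync cycle is already in progress; wait for it to finish before starting a delta sync.'
}

# 4. Run a delta sync and wait for the scheduler to report it finished (10 minute cap is an assumption).
Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
$deadline = (Get-Date).AddMinutes(10)
do {
    Start-Sleep -Seconds 10
    $running = (Get-ADSyncScheduler).SyncCycleInProgress
} while ($running -and (Get-Date) -lt $deadline)
if ($running) { throw 'Delta sync did not finish within 10 minutes.' }

# 5. Confirm the feature stuck.
$after = Get-ADSyncAADCompanyFeature
if (-not $after.ForcePasswordChangeOnLogOn) { throw 'ForcePasswordChangeOnLogOn is still false.' }
"ForcePasswordChangeOnLogOn after: $($after.ForcePasswordChangeOnLogOn)"
```

Only users whose box is checked after the feature is enabled are exported with the flag on that delta sync; users who were already flagged beforehand need the clear-and-re-check handling covered in the troubleshooting section.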

Script to require users to change password at next logon

If you’re doing this for all users, it’s easily accomplished in the GUI as mentioned above. If you only want to do it for a subset of users across the domain, the script below will help. The only prerequisite is a CSV with a samaccountname column listing the target users. For example, you might want to do this for everyone who has not changed their password since a certain date. Whatever the criteria, identify the users, export their samaccountname to a CSV, point the script at that CSV, and it will set each of those users to change their password at next logon.

Import-Module ActiveDirectory
Start-Transcript -Path C:\temp\ChangePasswordAtNextLogon.log -Force
$users = Import-Csv -Path 'C:\path to your.csv'   # must contain a samaccountname column
foreach ($user in $users) {
    $sam = $user.samaccountname
    try {
        Write-Host -ForegroundColor Yellow "Trying to require password change at next logon for $sam"
        # -ErrorAction Stop turns Set-ADUser's non-terminating error into one the catch block actually sees
        Set-ADUser -Identity $sam -ChangePasswordAtLogon $true -ErrorAction Stop
        Write-Host -ForegroundColor Green "Successfully set $sam to change password at next logon"
    }
    catch {
        # Typical causes: the account doesn't exist, or PasswordNeverExpires is set (Set-ADUser rejects the flag then)
        Write-Host -ForegroundColor Red "Unable to require password change at next logon for $sam"
        Write-Host -ForegroundColor Red $_
    }
}
Stop-Transcript
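One way to build the CSV that the script above reads, picking users by password age and excluding the accounts the flag cannot apply to. This is an added example, not code from the original post; the OU, cutoff and output path are placeholders, and it assumes the RSAT ActiveDirectory module.

```powershell
# Added example: select users whose password is older than a cutoff and export the CSV
# consumed by the script above. $Cutoff, $SearchBase and $CsvPath are placeholders.
Import-Module ActiveDirectory

$Cutoff     = (Get-Date).AddDays(-365)        # last password change before this date
$SearchBase = 'OU=Users,DC=corp,DC=example'  # hypothetical OU
$CsvPath    = 'C:\temp\ForceChange.csv'

# One query for everything we need. CannotChangePassword is computed from each object's ACL,
# so this is slow on a large domain; drop it if you only care about PasswordNeverExpires.
$all = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
           -Properties PasswordLastSet, pwdLastSet, PasswordNeverExpires, CannotChangePassword

# Accounts the flag would be rejected on or would never prompt; report them rather than silently drop them.
$all | Where-Object { $_.PasswordNeverExpires -or $_.CannotChangePassword } | ForEach-Object {
    Write-Warning ("Skipping {0}: PasswordNeverExpires={1} CannotChangePassword={2}" -f
        $_.SamAccountName, $_.PasswordNeverExpires, $_.CannotChangePassword)
}

# PasswordLastSet is $null when pwdLastSet is 0, i.e. the box is already checked; leave those alone
# (they need the clear-and-re-check treatment from the troubleshooting section, not another set).
$candidates = $all | Where-Object {
    -not $_.PasswordNeverExpires -and
    -not $_.CannotChangePassword -and
    $null -ne $_.PasswordLastSet -and
    $_.PasswordLastSet -lt $Cutoff
}

$candidates |
    Select-Object SamAccountName, UserPrincipalName, PasswordLastSet |
    Export-Csv -Path $CsvPath -NoTypeInformation
"Exported $(@($candidates).Count) users to $CsvPath"
```

The extra columns are harmless to the script above, which only reads samaccountname, and make the CSV useful as a record of who was targeted and why.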

Troubleshooting if this isn’t working

I’m updating this post because a client recently tried this and had some trouble getting it working. There are a few things to be aware of, one of which is that the change may not take effect immediately. In almost every case where I’ve done this it took effect within a few minutes, but in this instance it took almost two hours. I’m not sure whether there was a Microsoft service issue at the time, but checking the items below will confirm that everything is configured properly.

Is there anything to check on the Entra Side of the configuration?

After you run Set-ADSyncAADCompanyFeature -ForcePasswordChangeOnLogOn $true on the Entra Connect server, a matching tenant-side value is updated shortly afterwards, and the two should agree. You can check the Entra side with the MSOnline PowerShell module:

Connect-MsolService
Get-MsolDirSyncFeatures

In the results, EnableUserForcePasswordChangeOnLogon should be True. Note that the MSOnline module is deprecated; the same flag is exposed through Microsoft Graph as userForcePasswordChangeOnLogonEnabled under features on the directory/onPremisesSynchronization resource, so newer tooling should read it from there instead.

Do I check the box to require password change before or after modifying Entra Connect?

Entra Connect only exports the flag when it sees the box get checked (pwdLastSet change to 0) after the feature is enabled. If any users already had the box checked before you ran Set-ADSyncAADCompanyFeature -ForcePasswordChangeOnLogOn $true, you need to clear it, run a delta sync, re-check the box, then run another delta sync. Be aware that clearing the box stamps pwdLastSet with the current time, so those users’ password age restarts from that moment. See the Microsoft documentation here – Implement password hash synchronization with Microsoft Entra Connect Sync – Microsoft Entra ID | Microsoft Learn
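The clear, sync, re-check, sync sequence above as added PowerShell; it is not code from the original post or from Microsoft. It assumes the feature has already been enabled, that the ActiveDirectory and ADSync modules are both available on the Entra Connect server, and a 10-minute sync timeout. Invoke-DeltaSyncAndWait is a helper defined here, not an Entra Connect cmdlet.

```powershell
# Added example: re-arm the flag for users who already had pwdLastSet = 0 before the feature was enabled.
# Assumes ActiveDirectory + ADSync modules on the Entra Connect server and ADSyncAdmins membership.
Import-Module ActiveDirectory
Import-Module ADSync

function Invoke-DeltaSyncAndWait {
    # Hypothetical helper: start a delta cycle and block until the scheduler reports it done (10 min cap is an assumption).
    if ((Get-ADSyncScheduler).SyncCycleInProgress) { throw 'A sync cycle is already running.' }
    Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
    $deadline = (Get-Date).AddMinutes(10)
    do { Start-Sleep -Seconds 10 } while ((Get-ADSyncScheduler).SyncCycleInProgress -and (Get-Date) -lt $deadline)
    if ((Get-ADSyncScheduler).SyncCycleInProgress) { throw 'Delta sync did not finish within 10 minutes.' }
}

# "User must change password at next logon" is stored as pwdLastSet = 0, so query for exactly that.
# Accounts with PasswordNeverExpires are excluded because Set-ADUser will reject the flag on them.
$preFlagged = Get-ADUser -Filter 'pwdLastSet -eq 0 -and Enabled -eq $true' -Properties pwdLastSet, PasswordNeverExpires |
              Where-Object { -not $_.PasswordNeverExpires }

if (-not $preFlagged) { 'No users currently have the box checked; nothing to re-arm.'; return }
"Re-arming $(@($preFlagged).Count) users"

# Step 1: clear the flag and let Entra Connect export the resulting pwdLastSet (now set to the current time).
foreach ($u in $preFlagged) { Set-ADUser -Identity $u -ChangePasswordAtLogon $false -ErrorAction Stop }
Invoke-DeltaSyncAndWait

# Step 2: set it again. This time the connector sees the transition to 0 and exports PwdChangeOnLogon=True.
foreach ($u in $preFlagged) { Set-ADUser -Identity $u -ChangePasswordAtLogon $true -ErrorAction Stop }
Invoke-DeltaSyncAndWait
'Done; check the Application log for event 657 entries with PwdChangeOnLogon=True.'
```

Run this once, after enabling the feature and before telling users to expect a prompt; running it against users who were flagged after the feature was enabled is harmless but resets their password age for no benefit.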

What can I check on the AD Connect server to make sure Entra Connect is looking for the change password flag?

The event log, specifically the Application log on the Entra Connect server. If all is working properly, then when a user is flagged to change their password at next logon the next delta sync logs Event ID 657 from source Directory Synchronization, and the message includes “PwdChangeOnLogon=True”. If no such event appears for the user after the delta sync, the flag never left Entra Connect, so the problem is on the AD or connector side rather than in the tenant.

What is changed on the Entra side for users after the sync?

The user’s passwordProfile property is modified in Entra. You can see this in Graph Explorer with GET https://graph.microsoft.com/beta/users/{USERID} (on the v1.0 endpoint add ?$select=passwordProfile, since it is not returned by default). If everything is working properly, the user will have forceChangePasswordNextSignIn set to true under passwordProfile. Otherwise passwordProfile will be null.
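The checks from this troubleshooting section (connector feature, tenant-side feature, event 657, and the per-user passwordProfile) as one added diagnostic script. It is not code from the original post; it assumes it runs on the Entra Connect server with the Microsoft.Graph PowerShell SDK installed, that the signed-in Graph account holds OnPremDirectorySynchronization.Read.All plus a User permission sufficient to read passwordProfile (the exact permission is an assumption to confirm against the Graph docs), and $Upn is a placeholder.

```powershell
# Added example: verify each layer for one synced user.
# Assumptions: Entra Connect server, Microsoft.Graph SDK installed, Graph scopes below are sufficient.
Import-Module ADSync
Import-Module Microsoft.Graph.Authentication

$Upn = 'alice@contoso.example'   # hypothetical synced user

# Check 1: the Entra Connect company feature.
$feature = Get-ADSyncAADCompanyFeature
"Entra Connect ForcePasswordChangeOnLogOn         : $($feature.ForcePasswordChangeOnLogOn)"

# Check 2: the tenant-side flag, read through Graph instead of the deprecated MSOnline module.
Connect-MgGraph -Scopes 'OnPremDirectorySynchronization.Read.All', 'User.ReadWrite.All' -NoWelcome
$sync = Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/directory/onPremisesSynchronization'
$tenantFlag = $sync.value[0].features.userForcePasswordChangeOnLogonEnabled
"Tenant userForcePasswordChangeOnLogonEnabled     : $tenantFlag"
if ($feature.ForcePasswordChangeOnLogOn -ne $tenantFlag) {
    Write-Warning 'Connector and tenant disagree; the tenant value can lag by minutes, so re-check before re-running Set-ADSyncAADCompanyFeature.'
}

# Check 3: did a delta sync actually export the flag? Event 657, source Directory Synchronization, PwdChangeOnLogon=True.
# -ErrorAction SilentlyContinue because Get-WinEvent throws when nothing matches the filter.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Directory Synchronization'; Id = 657 } `
              -MaxEvents 500 -ErrorAction SilentlyContinue |
          Where-Object { $_.Message -match 'PwdChangeOnLogon=True' }
"Event 657 entries carrying PwdChangeOnLogon=True : $(@($events).Count)"
$events | Select-Object -First 3 -Property TimeCreated,
    @{ n = 'Snippet'; e = { $_.Message.Substring(0, [Math]::Min(160, $_.Message.Length)) } }

# Check 4: the per-user passwordProfile. It is not in the default property set on v1.0, so $select it explicitly.
$uri  = 'https://graph.microsoft.com/v1.0/users/' + [uri]::EscapeDataString($Upn) + '?$select=id,userPrincipalName,passwordProfile'
$user = Invoke-MgGraphRequest -Method GET -Uri $uri
$force = if ($user.passwordProfile) { $user.passwordProfile.forceChangePasswordNextSignIn } else { 'null (no passwordProfile on the object)' }
"forceChangePasswordNextSignIn for $Upn           : $force"
```

Read the four lines top to bottom: a False at check 1 or 2 is a configuration problem, a zero at check 3 means the connector never exported the flag (the ordering issue above), and a null at check 4 with the other three healthy usually just means the tenant has not caught up yet.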