    Synchronizing Forced Password Changes from AD to Entra ID for AVD and Cloud PC Access

By Eswar Koneti, April 15, 1:22 pm, in Azure Active Directory (3 min read)

    Introduction:

    Organizations enabling remote work with BYOD devices often rely on Azure Virtual Desktop (AVD) or Windows 365 Cloud PC. A common onboarding security practice is to create users in on‑premises Active Directory (AD) with the option “User must change password at next logon.”

    However, in hybrid identity setups, this setting can prevent new users from signing in remotely—causing confusion, helpdesk calls, and poor first‑day experience.

    This article explains why the issue occurs, the temporary workaround, and the correct Microsoft‑supported solution, including step‑by‑step configuration guidance.

    The Problem:

    Users created in on‑premises AD with “User must change password at next logon” enabled experience authentication failures when signing in to:

    • Azure Virtual Desktop
    • Windows 365 Cloud PC
    • Windows App
    • Browser‑based AVD sessions

    Error Symptom:

    Instead of being prompted to change passwords, users receive the message: “Your account or password is incorrect”. This happens even when the correct temporary password is entered.

    Why This Happens (Root Cause):

In hybrid environments:

• The "User must change password at next logon" state (pwdLastSet = 0 on the AD user object) lives only in Active Directory
• By default Microsoft Entra Connect does not carry that state to Microsoft Entra ID, so Entra ID has no notion that the synchronized password is temporary
• Entra ID therefore fails the cloud sign‑in outright instead of prompting the user to set a new password

This mismatch causes authentication failures whenever users connect through an Entra ID‑fronted service such as AVD or Windows 365.

    The Old Workaround (Poor User Experience)

    A common workaround included:

1. Clearing "User must change password at next logon" on the AD user object
2. Allowing the user to sign in once with the temporary password
3. Sending the user to https://aka.ms/sspr
4. Asking them to reset the password themselves (the new password only reaches AD if password writeback is enabled)

    This approach is slow, confusing, and not scalable—especially for remote onboarding.

    The Proper Fix (Microsoft‑Recommended)

    Microsoft introduced support to synchronize temporary password state and forced password change from AD to Entra ID.

    Once enabled:

    • Entra ID understands the password is temporary
    • Users are prompted to change the password during sign‑in
    • Works for AVD, Windows 365, browser, and Windows App

    Official documentation: https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-password-hash-synchronization#synchronizing-temporary-passwords-and-force-password-change-on-next-logon

    Prerequisites:

Before enabling the feature, make sure all of the following are already in place. Microsoft explicitly cautions that the feature should only be used when SSPR and password writeback are enabled: the password the user sets during the cloud sign‑in must be written back to AD, otherwise the two directories end up holding different passwords for the same account.

    • Self‑Service Password Reset (SSPR)
    • Password Writeback enabled
    • Password Hash Synchronization in hybrid identity

    Step‑by‑Step Solution:

Step 1: Connect to Microsoft Graph (use an account holding the Global Administrator or Hybrid Identity Administrator role)

Connect-MgGraph -Scopes "OnPremDirectorySynchronization.Read.All"

Reading the synchronization configuration needs at least the OnPremDirectorySynchronization.Read.All scope; a bare Connect-MgGraph only carries whatever scopes were consented earlier, so the next step can fail with an authorization error if you omit it.

    Step 2: Check Current Configuration

    Get-MgDirectoryOnPremiseSynchronization | Select-Object -ExpandProperty Features |Format-List UserForcePasswordChangeOnLogonEnabled

    If False, the feature is not enabled.

    Step 3: Reconnect with Write Permissions

    Connect-MgGraph -Scopes "OnPremDirectorySynchronization.ReadWrite.All"

When the consent prompt appears, approving it for your own account is sufficient for this one‑off change. Ticking "Consent on behalf of your organization" is optional: it grants the OnPremDirectorySynchronization.ReadWrite.All delegated permission to the Microsoft Graph Command Line Tools enterprise app tenant‑wide, so any user who later signs in to that app can request it without a further prompt (they still need the directory role to actually use it). Prefer per‑user consent unless you intend that.

    Step 4: Enable Password Change Synchronization

    $OnPremSync = Get-MgDirectoryOnPremiseSynchronization

    $OnPremSync.Features.UserForcePasswordChangeOnLogonEnabled = $true

    Update-MgDirectoryOnPremiseSynchronization -OnPremisesDirectorySynchronizationId $OnPremSync.Id -Features $OnPremSync.Features

    Step 5: Confirm the Change

    Get-MgDirectoryOnPremiseSynchronization |Select-Object -ExpandProperty Features |Format-List UserForcePasswordChangeOnLogonEnabled

    Expected output:

    UserForcePasswordChangeOnLogonEnabled : True

Step 6: Run a Delta Sync on the Microsoft Entra Connect Server

Start-ADSyncSyncCycle -PolicyType Delta

Note: Entra Connect only picks up the force‑change flag together with a password change; the flag is supplemental to the password hash change that PHS detects, it is not synchronized on its own. Users who already had "User must change password at next logon" set before you enabled the feature therefore need their temporary password reset again (with the flag re‑applied) so that the next password hash sync carries the state to Entra ID.
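The following script is an added example and is not code from the original post; it folds the prerequisite checks and Steps 1 to 6 above into one idempotent run. It checks PHS and password writeback on the same Graph object the steps use, enables UserForcePasswordChangeOnLogonEnabled only if it is still off, re‑reads the setting to confirm it persisted, and then, on the Entra Connect server, re‑issues the temporary password for a user who was created with the flag before the feature existed, so the next PHS cycle carries the state. It assumes the Microsoft.Graph.Identity.DirectoryManagement module is installed, that the signed‑in account holds Global Administrator or Hybrid Identity Administrator, and uses 'jdoe' as a placeholder sAMAccountName.

```powershell
# Added example (not from the original post). Assumptions: Graph SDK installed,
# Global Administrator or Hybrid Identity Administrator role, 'jdoe' is a
# placeholder sAMAccountName for a user created with the flag before enablement.

# ---------- Part 1: tenant side (any workstation with the Graph SDK) ----------
Connect-MgGraph -Scopes "OnPremDirectorySynchronization.ReadWrite.All" -NoWelcome

$sync = Get-MgDirectoryOnPremiseSynchronization
if (-not $sync) {
    throw "No on-premises directory synchronization object returned; is Entra Connect configured for this tenant?"
}
$features = $sync.Features

# Prerequisites. SSPR enablement is not exposed on this object, so confirm it in
# the Entra admin center (Protection > Password reset) before running this.
if (-not $features.PasswordSyncEnabled) {
    throw "Password hash synchronization is off; the feature depends on PHS."
}
if (-not $features.PasswordWritebackEnabled) {
    throw "Password writeback is off; a password changed in the cloud would never reach AD. Enable SSPR writeback first."
}

if ($features.UserForcePasswordChangeOnLogonEnabled) {
    Write-Host "UserForcePasswordChangeOnLogonEnabled is already True; nothing to change."
}
else {
    $features.UserForcePasswordChangeOnLogonEnabled = $true
    Update-MgDirectoryOnPremiseSynchronization -OnPremisesDirectorySynchronizationId $sync.Id -Features $features

    # Re-read from Graph instead of trusting the local copy of the object.
    $after = (Get-MgDirectoryOnPremiseSynchronization).Features
    if (-not $after.UserForcePasswordChangeOnLogonEnabled) {
        throw "The update did not persist; check the consented scope and role, then retry."
    }
    Write-Host "UserForcePasswordChangeOnLogonEnabled is now True."
}
Disconnect-MgGraph | Out-Null

# ---------- Part 2: on the Microsoft Entra Connect server ----------
Import-Module ActiveDirectory
Import-Module ADSync

# The Connect server's view of the same tenant feature set;
# ForcePasswordChangeOnLogOn should now report True here as well.
Get-ADSyncAADCompanyFeature | Format-List

# Entra Connect only carries the flag alongside a password change. A user created
# with "User must change password at next logon" (pwdLastSet = 0) BEFORE the
# feature was enabled therefore needs the temporary password set again, with the
# flag re-applied, so the next PHS cycle delivers both together.
$user = Get-ADUser -Identity 'jdoe' -Properties pwdLastSet
if ($user.pwdLastSet -eq 0) {
    $temp = Read-Host -AsSecureString -Prompt "New temporary password for $($user.SamAccountName)"
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $temp
    Set-ADUser -Identity $user -ChangePasswordAtLogon $true   # sets pwdLastSet back to 0
}

# Push the object change now rather than waiting for the 30-minute scheduler;
# the password hash itself is picked up by the separate ~2-minute PHS cycle.
Start-ADSyncSyncCycle -PolicyType Delta
```

Part 1 can run from any machine with the Graph SDK; Part 2 must run on the Entra Connect server, where the ADSync module lives. Re‑reading the feature after the update, rather than trusting the local object, is what tells you the change actually persisted when the consent or role was insufficient.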

    Resulting End‑User Experience

• User signs in with the temporary password
• Entra ID immediately prompts the user to set a new password
• The new password is written back to AD through password writeback
• Conditional Access and MFA policies still apply to the sign‑in
• Works across Windows App and browser

    Key Benefits:

    1. Fixes AVD / Windows 365 incorrect password errors
    2. Seamless first‑time login for remote workers
    3. Eliminates manual SSPR workaround
    4. Fully supported Microsoft solution

    Conclusion:

    If your organization uses hybrid identity with AVD or Cloud PC, enabling UserForcePasswordChangeOnLogonEnabled is essential for secure and frustration‑free onboarding.

    This single configuration change can eliminate one of the most common remote access issues.

    For more information, please read Microsoft Documentation https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-password-hash-synchronization#synchronizing-temporary-passwords-and-force-password-change-on-next-logon
