Saturday, November 9, 2024

Password sync issues between AD and Entra ID - ‘User must change password at next logon’

Background

You want to reset a user's password in an Entra ID-connected Active Directory environment.


Issue

In Active Directory Users and Computers, you reset a user's password while leaving 'User must change password at next logon' selected.

The password was reset successfully. However, after allowing enough time for the Entra Connect sync, the user cannot authenticate with the new password on M365 and/or the company portal. The error message indicates an incorrect password.


Troubleshooting steps

In the Entra ID admin portal, the same user's password was reset. The user could then authenticate to web-based services, and the updated password was also reflected in Active Directory.

It appeared that, in this case, the password only synced from Entra ID to AD, not the other way around.

If the ‘User must change password at next logon’ flag was deselected when the password was reset, it would work across both Entra and AD.


Conclusion

The ‘User must change password at next logon’ flag will not sync with Entra unless the ForcePasswordChangeOnLogOn feature is enabled on the Entra ID tenant (see below).

Implement password hash synchronization with Microsoft Entra Connect Sync - Microsoft Entra ID


If the option ‘User must change password at next logon’ is selected in Active Directory, but that feature is not enabled in Entra ID, password changes will not be synced (see below).

azure-content/articles/active-directory/active-directory-aadconnectsync-implement-password-synchronization.md at master · toddkitta/azure-content
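A quick way to confirm both halves of the diagnosis before touching the tenant: check whether the user is actually flagged in AD and whether the tenant-level feature is on. This is an added example, not from the original post or from Microsoft's documentation. It assumes the ADSync module (installed with Entra Connect) and the ActiveDirectory RSAT module are available on the Connect server, and 'jdoe' is a constructed sample account.

```powershell
# Added example (not from the original post). Assumes the ADSync module on the
# Entra Connect server and the ActiveDirectory RSAT module; 'jdoe' is a
# constructed sample user.
Import-Module ADSync
Import-Module ActiveDirectory

# 1. Is the tenant feature that carries the 'must change at next logon' flag on?
$feature = Get-ADSyncAADCompanyFeature
"ForcePasswordChangeOnLogOn: $($feature.ForcePasswordChangeOnLogOn)"

# 2. Is the user flagged? AD stores 'User must change password at next logon'
#    as pwdLastSet = 0.
$user = Get-ADUser -Identity 'jdoe' -Properties pwdLastSet
if ($user.pwdLastSet -eq 0) {
    "'$($user.SamAccountName)' is flagged 'User must change password at next logon'."
    if (-not $feature.ForcePasswordChangeOnLogOn) {
        "Tenant feature is off: the new password will not reach Entra ID until the flag is cleared or the feature is enabled."
    }
}

# 3. Enable the feature (check the prerequisites in the linked Microsoft doc first),
#    then trigger a delta sync so the change takes effect without waiting.
# Set-ADSyncAADCompanyFeature -ForcePasswordChangeOnLogOn $true
# Start-ADSyncSyncCycle -PolicyType Delta
```

Step 3 is left commented out because it changes tenant-wide sync behaviour; run it only after confirming the two checks above reproduce what the post describes.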

As a workaround, 'User must change password at next logon’ was deselected during password reset until changes were made to the Entra ID tenant.
