Azure AD password change and all that

Here’s what I want to do:

I am creating new accounts on-prem and setting a password. I want the new account user to change their password at first login. Due to the nature of our environment I would prefer they go to Azure AD to set their new password and also register for MFA (rather than RDP to a server for instance and be prompted to change password).

Attempt 1: Graph API passwordProfile

This Graph API property seems to be just what I want! I set a JSON object with the following properties and I can change passwords:

{
  "forceChangePasswordNextSignIn": true,
  "forceChangePasswordNextSignInWithMfa": false,
  "password": "string"
}

{

"forceChangePasswordNextSignIn": true,

"forceChangePasswordNextSignInWithMfa": false,

"password": "string"

}

In terms of permissions when using an Application Registration, the docs say one needs the following:

I wanted to use application permissions as this was going to run via a script, and found that granting the 3 permissions mentioned there did nothing. Then I found a StackOverflow post where someone mentioned that adding the App Registration to the “Password Administrator” role does the trick. I tried that and it worked.

Of course, when I say “it worked” I don’t mean it really worked. :) I did the following:

$passwordProfile = @{
    forceChangePasswordNextSignIn = $true
    forceChangePasswordNextSignInWithMfa = $true
    password = $Password
}

Update-MgUser -UserId ${UserName}${UserDomain} -PasswordProfile $passwordProfile

$passwordProfile = @{

forceChangePasswordNextSignIn = $true

forceChangePasswordNextSignInWithMfa = $true

password = $Password

}

Update-MgUser -UserId ${UserName}${UserDomain} -PasswordProfile $passwordProfile

And Graph politely told me:

Huh!

I tried again, but this time without the two forceChangePassword properties. That worked and I was able to login to Office.com with the password… but it’s a bummer as I was really interested in setting the forceChangePassword properties.

Also, very frustratingly this does not writeback the password to on-prem AD. I waited for about 30 mins but the on-prem password never changed. However, if I were to change the password in the cloud (for example at https://account.activedirectory.windowsazure.com/ChangePassword.aspx) then it does sync back to on-prem.

Attempt 4: Same as above, but slightly different

I actually stumbled upon this later, hence the attempt 4. I realized that the following works:

$passwordProfile = @{
    forceChangePasswordNextSignIn = $true
    password = $Password
}

Update-MgUser -UserId ${UserName}${UserDomain} -PasswordProfile $passwordProfile

$passwordProfile = @{

forceChangePasswordNextSignIn = $true

password = $Password

}

Update-MgUser -UserId ${UserName}${UserDomain} -PasswordProfile $passwordProfile

Notice there’s no forceChangePasswordNextSignInWithMfa. This too does not sync to on-prem AD, but it does force the user to change password upon first login to the cloud… and that of course syncs back to on-prem AD.

In theory all I thus need to do is create a new account in on-prem AD, set a password, wait for it to sync to Azure AD and then run the cmdlet above and set the same password as on-prem AD… this way the user can login on-prem if needed, but the first time they hit the cloud (which they inevitably have to do sooner than later) they will have to change their password and it syncs back to on-prem. Just what I want!

Attempt 2: Graph API resetPassword method

Graph API has a resetPassword method. This isn’t very helpful though as it does not support application permissions, and even in the case of delegated permissions it only accepts certain roles (doesn’t support “Helpdesk Administrators” or “Password Administrators” for instance).

I have no idea whether this will sync back to on-prem AD too. From the docs it sounds like it will:

This flow writes the new password to Azure Active Directory and pushes it to on-premises Active Directory if configured using password writeback. The admin can either provide a new password or have the system generate one. The user is prompted to change their password on their next sign in.

Attempt 3: Azure AD

Azure AD PowerShell cmdlets can work with app registrations so I tried the following:

Connect-AzureAD -TenantId $tenantId -ApplicationId $appId -CertificateThumbprint $cert
 
Set-AzureADUserPassword -ForceChangePasswordNextLogin:$true -Password (ConvertTo-SecureString "$Password” -AsPlainText -Force) -ObjectId $userId

Connect-AzureAD -TenantId $tenantId -ApplicationId $appId -CertificateThumbprint $cert

Set-AzureADUserPassword -ForceChangePasswordNextLogin:$true -Password (ConvertTo-SecureString "$Password” -AsPlainText -Force) -ObjectId $userId

This too worked… exactly as the Graph API request in attempt 4. It set the password in the cloud and forced a password change upon login to the cloud… but as with the Graph API it didn’t writeback the password I set to on-prem AD. Of course, once the user set a password that synced back.

I don’t understand why the password doesn’t sync back when it’s set via Graph or Azure AD powershell.

I found the following in the docs:

I guess the Azure AD PowerShell could be said to come under the unsupported administration operators (but I am not sure) and thus not supported? Graph API will work via the resetPassword method (which I didn’t try) as that’s the API meant for resetting, while the passwordProfile property updating is something else?

Users changing their password in the cloud comes under the supported scenario so that’s why that works.