Azure AD Synchronized Users with Password Sync are unable to change password

Hi,

Our AD connect syncs on-premises AD account passwords to Office 365.  

I go to my AD and reset password for a user and check "user must change password at next logon".  

The user logs in, enters the password I gave him and enters his own password.  He is getting this error:

Your organization doesn't allow you to update your password on this site. Please update it according to the method recommended by your organization, or ask your admin if you need help.

I am reading this link but don't quite get it: http://www.edutech.me.uk/microsoft/identity-and-access-management/authentication/azure-ad-synchronized-users-with-password-sync-are-unable-to-change-password/

Please advise what I need to do to allow the user to check his password.

Thanks.
nav2567 Asked:

Adam Brown (Senior Systems Admin) Commented:
Unless you have Azure AD Premium and Password Write-back enabled, you can't reset passwords for synchronized accounts in any part of Azure or O365, even if the user is set to change the password after login. They have to log in to a Domain-joined computer, reset their password, wait for the password sync to occur following their reset, then log in.

If, however, your accounts had been created in O365 (and not synced), the password reset option would function normally. Ditto for if you have Azure AD Premium licenses assigned to the users and have configured Azure AD to allow password resets in the cloud (it's actually a really confusing and complex process).

As a side note, I think it's pretty stupid that MS charges $4 per user (or whatever) for Azure AD Premium just to allow people to change their own passwords in the cloud, but that's where they're going with it, and there isn't anything we can do about it. Unless you want to fork over more money for the feature, you'll have to manage passwords in AD only.

nav2567 (Author) Commented:
Adam, thank you, thank you!!!