Update how-to-connect-password-hash-synchronization.md

NuAlex · web-flow · commit 7b9de7a05080 · 2023-02-24T11:04:51.000-08:00
Adding one more note in "Force Password Change on Next Logon" to clarify new user creation scenario (customer escalation - Incident 369792222)
diff --git a/articles/active-directory/hybrid/how-to-connect-password-hash-synchronization.md b/articles/active-directory/hybrid/how-to-connect-password-hash-synchronization.md
@@ -147,6 +147,8 @@ To support temporary passwords in Azure AD for synchronized users, you can enabl
 > Forcing a user to change their password on next logon requires a password change at the same time.  Azure AD Connect will not pick up the force password change flag by itself; it is supplemental to the detected password change that occurs during password hash sync.
 > 
 > If the user has the option "Password never expires" set in Active Directory (AD), the force password change flag will not be set in Active Directory (AD), so the user will not be prompted to change the password during the next sign-in.
+>
+> A new user created in Active Directory with "User must change password at next logon" flag will always be provisioned in Azure AD with a password policy to "Force change password on next sign-in", irrespective of the *ForcePasswordChangeOnLogOn* feature being true or false. This is an Azure AD internal logic since the new user is provisioned without a password, whereas *ForcePasswordChangeOnLogOn* feature only affects admin password reset scenarios.
 
 > [!CAUTION]
 > You should only use this feature when SSPR and Password Writeback are enabled on the tenant.  This is so that if a user changes their password via SSPR, it will be synchronized to Active Directory.

Original file line number	Diff line number	Diff line change
`@@ -147,6 +147,8 @@ To support temporary passwords in Azure AD for synchronized users, you can enabl`
`147`	`147`	`> Forcing a user to change their password on next logon requires a password change at the same time. Azure AD Connect will not pick up the force password change flag by itself; it is supplemental to the detected password change that occurs during password hash sync.`
`148`	`148`	`>`
`149`	`149`	`> If the user has the option "Password never expires" set in Active Directory (AD), the force password change flag will not be set in Active Directory (AD), so the user will not be prompted to change the password during the next sign-in.`
	`150`	`+>`
	`151`	`+> A new user created in Active Directory with "User must change password at next logon" flag will always be provisioned in Azure AD with a password policy to "Force change password on next sign-in", irrespective of the ForcePasswordChangeOnLogOn feature being true or false. This is an Azure AD internal logic since the new user is provisioned without a password, whereas ForcePasswordChangeOnLogOn feature only affects admin password reset scenarios.`
`150`	`152`
`151`	`153`	`> [!CAUTION]`
`152`	`154`	`> You should only use this feature when SSPR and Password Writeback are enabled on the tenant. This is so that if a user changes their password via SSPR, it will be synchronized to Active Directory.`