
Commit fbdd3e0

Merge pull request #87129 from juntakata/patch-12
Update behavior when user password changed
2 parents c38e345 + 7fe83a6 commit fbdd3e0

File tree

1 file changed

+1
-1
lines changed
  • articles/active-directory/devices


articles/active-directory/devices/faq.yml

Lines changed: 1 addition & 1 deletion
@@ -260,7 +260,7 @@ sections:
260260
261261
- question: What happens if a user changes their password and tries to sign in to their Windows 10/11 hybrid Azure AD joined device outside the corporate network?
262262
answer: |
263-
If a password is changed outside the corporate network (for example, by using Azure AD SSPR), then the user sign in with the new password will fail. For hybrid Azure AD joined devices, on-premises Active Directory is the primary authority. When a device does not have line of sight to the domain controller, it is unable to validate the new password. So, user needs to establish connection with the domain controller (either via VPN or being in the corporate network) before they're able to sign in to the device with their new password. Otherwise, they can only sign in with their old password because of cached sign in capability in Windows. However, the old password is invalidated by Azure AD during token requests and hence, prevents single sign-on and fails any device-based Conditional Access policies. This issue doesn't occur if you use Windows Hello for Business.
263+
If a password is changed outside the corporate network (for example, by using Azure AD SSPR), then the user sign in with the new password will fail. For hybrid Azure AD joined devices, on-premises Active Directory is the primary authority. When a device does not have line of sight to the domain controller, it is unable to validate the new password. So, user needs to establish connection with the domain controller (either via VPN or being in the corporate network) before they're able to sign in to the device with their new password. Otherwise, they can only sign in with their old password because of cached sign in capability in Windows. However, the old password is invalidated by Azure AD during token requests and hence, prevents single sign-on and fails any device-based Conditional Access policies until the user authenticates with their new password in an app or browser. This issue doesn't occur if you use Windows Hello for Business.
264264
265265
266266
- name: Azure AD register FAQ
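Review bot: the qualifier added to line 263 ("until the user authenticates with their new password in an app or browser") leaves it unclear that this sign-in happens on the device after the user has signed in to Windows with the old, cached password, and that it is what restores single sign-on and device-based Conditional Access, while signing in to Windows with the new password still requires line of sight to a domain controller, as the earlier sentences state. Suggest making the two paths explicit, for example: "Until then, the old password is invalidated by Azure AD during token requests, which prevents single sign-on and fails device-based Conditional Access policies; signing in to an app or browser with the new password restores them, but signing in to Windows with the new password still requires a connection to a domain controller." Since the line is being rewritten anyway, "the user sign in with the new password will fail" should read "the user's sign-in with the new password will fail", "user needs to establish connection" should read "the user needs to establish a connection", and "cached sign in capability" should be hyphenated as "cached sign-in capability".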
