Playbook Reset-AADUserPassword - Password does not sync to On-prem AD #10920
Comments
Hi @curiousbwoy, Thanks for flagging this issue, we will investigate this issue and get back to you with some updates by 16-08-2024. Thanks!

Hi @curiousbwoy, Could you check for the required roles and permissions for your account which are mentioned in the below readme file: Thanks!

Hi @v-sudkharat, yes, all the roles are assigned to the managed identity of the logic app. We performed it for 2 users.

User 1 - Azure AD user not synced to on-prem AD: the logic app runs successfully, a temporary password is assigned, and once this temporary password is used by the user it asks the user to create a new password due to "forceChangePasswordNextSignIn: true".

User 2 - Azure AD user synced to on-prem AD: the logic app runs successfully as shown in the above image, but the password is not accepted when the user tries to sign in; it says incorrect password.

@curiousbwoy, Thanks for your response. Will check on this issue and will get back to you. Thanks!

Authorize Office 365 Outlook connection - is authorization done via the API connection, or should there be a dedicated area to authorize?

@curiousbwoy how did it go? Similar use case, but it's delayed I suspect, while MDI remediation is immediate.

@piExpr please can you highlight which connection needs to be authorized

@v-sudkharat please let us know if we were able to simulate the logic app for both scenarios
Hi @curiousbwoy, Currently the API is looking for the users in Entra ID for the Azure cloud, and whichever users are available there are able to have their password updated. But when the call is made to the API for the users in on-prem, those users are not found in the directory, which results in 204 (not found) for the user. https://learn.microsoft.com/en-us/graph/api/resources/onpremisesextensionattributes?view=graph-rest-1.0 Please check the above document and see if on-premises Active Directory is synchronized to Microsoft Entra ID. Thanks...!!

Hi @curiousbwoy, waiting for your response on the above comment. Thanks...!!

Hi @curiousbwoy,

Hi @v-shukore, I have tried to execute the API shared and used my account to search for the attributes, but the result returned is null

@curiousbwoy, Thanks for your response. Will check on this issue and will get back to you. Thanks!

Hi @curiousbwoy, As I can see, we are receiving a 200 OK status, but it is not able to find attributes in the directory. Please check if you have them at the source. Thanks!

Hi @v-shukore, Thank you for the update. I have tried it on the logic app for my email address as well as other users and I was able to fetch the details. Please can you guide me on how I will be able to reset the password, as the issue still persists.

Further summarizing: the temporary password generated by the logic app is accepted at initial login and MFA is also accepted. However, due to the flag "forceChangePasswordNextSignIn": true, here ideally the current password should be the one generated by the logic app; however, it is not updated to on-premise and it gives the error stating this is not your current password.

Hi @curiousbwoy, we are still investigating this issue with the team, will get back to you once done. Thanks...!!

@curiousbwoy did you configure password writeback for those synced users from on-prem?
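The writeback question above is the point the thread turns on. Added example (Python; not the playbook's or the repository's own code): it models the two Graph calls the Reset-AADUserPassword playbook relies on behind an injected transport, so it runs offline, and refuses to reset a synced user unless the operator asserts that Entra Connect password writeback is on. The `fake_graph` responses and the `writeback_enabled` flag are constructed assumptions.

```python
# Added example (not the playbook's or the repository's own code): the playbook's
# two Graph calls behind an injected transport, run offline on constructed responses.
import json
import secrets
import string

GRAPH = "https://graph.microsoft.com/v1.0"
USER_FIELDS = "userPrincipalName,onPremisesSyncEnabled,onPremisesLastSyncDateTime"

def temp_password(length=16):
    """Random temporary password that contains every character class."""
    classes = [string.ascii_uppercase, string.ascii_lowercase, string.digits, "!@#$%"]
    chars = [secrets.choice(c) for c in classes]
    chars += [secrets.choice("".join(classes)) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)

def assess(user, writeback_enabled):
    """Where will a Graph-side reset land? `writeback_enabled` is an operator-supplied
    assumption: Graph does not expose the Entra Connect writeback setting on the user."""
    if not user.get("onPremisesSyncEnabled"):
        return "cloud-only"           # Graph is authoritative; the reset takes effect
    if writeback_enabled:
        return "synced-writeback"     # reset is written back to on-prem AD
    return "synced-no-writeback"      # on-prem password stays unchanged

def reset_password(transport, user_id, writeback_enabled):
    """Look the user up first; refuse to reset when the new password cannot reach AD."""
    status, body = transport("GET", f"{GRAPH}/users/{user_id}?$select={USER_FIELDS}", None)
    if status != 200:
        raise RuntimeError(f"user lookup failed: HTTP {status}")
    verdict = assess(json.loads(body), writeback_enabled)
    if verdict == "synced-no-writeback":
        return {"verdict": verdict, "reset": False}
    payload = {"passwordProfile": {"password": temp_password(),
                                   "forceChangePasswordNextSignIn": True}}
    status, _ = transport("PATCH", f"{GRAPH}/users/{user_id}", json.dumps(payload))
    # Graph answers a successful PATCH /users/{id} with 204 No Content and an empty body
    return {"verdict": verdict, "reset": status == 204}

def fake_graph(synced):
    """Constructed offline stand-in for the Graph transport; no network is used."""
    def transport(method, url, body):
        if method == "GET":
            return 200, json.dumps({"userPrincipalName": "user@example.com",
                                    "onPremisesSyncEnabled": synced})
        return 204, ""
    return transport
```

The 204 from the PATCH only says the cloud object was updated; whether the password also reaches on-prem AD is decided by the writeback setting, which is why the check runs before the reset rather than after it.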
Hi @curiousbwoy, we just want to make sure that you followed the proper documentation; please confirm if you have followed the below documentation. Thanks!!

Hi @curiousbwoy, please confirm you have followed the above documentation. Thanks!!

Hi @v-shukore, Please find the settings below; unable to find the option (Enable password writeback for SSPR).

Hi @curiousbwoy, have you attempted to reset the password manually without using the playbook and confirmed if it syncs to the on-premises AD? Checked with the concerned team. It appears that this issue is not occurring for other users. Thanks!!

Hi @v-shukore, Yes. Both methods successfully synchronized the password with the on-premise Active Directory (AD).

Hi @curiousbwoy, Thanks for your response; will share the update with the concerned teams and will get back to you. Thanks.!!
Path: Solutions/Microsoft Entra ID/Playbooks/Reset-AADUserPassword

I have deployed this solution Reset-AADUserPassword through a Sentinel alert trigger.

The playbook runs successfully. However, it resets the password for my test account in the Azure cloud and the same password is not getting synced to my on-prem AD. Please can you let us know what the issue is here? The password policy does match the organization's requirements.

Output status code: 204