EnforceChangePasswordPolicy in New-AzureADUser and Set-AzureADUserPassword

This post explains what EnforceChangePasswordPolicy does when it is set as a property of the PasswordProfile parameter of New-AzureADUser, or as a parameter of Set-AzureADUserPassword:

Set-AzureADUserPassword -EnforceChangePasswordPolicy

Documentation

The New-AzureADUser documentation says EnforceChangePasswordPolicy is "a boolean indicating that the change password policy is enabled or disabled for this user".

The Set-AzureADUserPassword documentation says "If set to true, force the user to change their password".
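
As an added example (not from the original post), this PowerShell shows where the flag is set in each cmdlet: as a property of the PasswordProfile object for New-AzureADUser, and as a direct Boolean parameter for Set-AzureADUserPassword. It assumes the AzureAD module and an existing Connect-AzureAD session; the user details and the New-RandomPassword helper are hypothetical.

```powershell
# Added example. Assumes: Import-Module AzureAD; Connect-AzureAD already done.
# UPN, display name and mail nickname are constructed placeholders.

function New-RandomPassword {
    # Hypothetical helper: random password from a CSPRNG.
    param([int]$Length = 20)
    # 64 characters, so (byte % 64) picks each character with equal probability.
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] $Length
    do {
        $rng.GetBytes($bytes)
        $pw = -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
        # Retry until upper case, lower case and a digit are all present.
    } until ($pw -cmatch '[A-Z]' -and $pw -cmatch '[a-z]' -and $pw -match '\d')
    $rng.Dispose()
    return $pw
}

# 1. New user: the flag is a property of the PasswordProfile object,
#    and the password in that object is a plain string.
$initialPassword = New-RandomPassword   # hand to the user out of band (not shown)
$passwordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
$passwordProfile.Password                    = $initialPassword
$passwordProfile.EnforceChangePasswordPolicy = $true

$user = New-AzureADUser -DisplayName 'Example User' `
    -UserPrincipalName 'example.user@contoso.onmicrosoft.com' `
    -MailNickName 'example.user' `
    -AccountEnabled $true `
    -PasswordProfile $passwordProfile

# 2. Existing user: the flag is a direct parameter,
#    and the password must be passed as a SecureString.
$resetPassword = ConvertTo-SecureString -String (New-RandomPassword) -AsPlainText -Force
Set-AzureADUserPassword -ObjectId $user.ObjectId `
    -Password $resetPassword `
    -EnforceChangePasswordPolicy $true

# To turn the flag off again for the same user, pass $false.
$resetPassword = ConvertTo-SecureString -String (New-RandomPassword) -AsPlainText -Force
Set-AzureADUserPassword -ObjectId $user.ObjectId `
    -Password $resetPassword `
    -EnforceChangePasswordPolicy $false
```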


Explanation

When I set EnforceChangePasswordPolicy to False for a particular Azure AD User, I can log on as that User with just a username and password.

If I set EnforceChangePasswordPolicy to True, that User is prompted for more information, even if they are already logged on:

[Screenshot: "More information required" popup]

After pressing Next, that User is then forced to perform an additional security verification, either using a phone or app:

[Screenshot: "Additional security verification" page]
