When using Microsoft Azure, federated users are managed by the federated account in CloudGen Access, and the user may have difficulty changing the password in Azure. Running either Set-AzureADUserPassword or Set-MsolUserPassword may fail with one of the following errors:
    Set-MsolUserPassword : You cannot reset a password for a federated user.

    Set-AzureADUserPassword : Error occurred while executing SetUser
    Code: Request_BadRequest
As a workaround, you can temporarily change the user's UserPrincipalName to that of a managed domain, update the password, and then change the UserPrincipalName back to the federated domain.
    # Change UPN to managed domain
    Set-AzureADUser -ObjectId xxxxx -UserPrincipalName user@domain.onmicrosoft.com

    # Update the password
    Set-AzureADUserPassword -ObjectId xxxxx

    # Change UPN back to the federated domain
    Set-AzureADUser -ObjectId xxxxx -UserPrincipalName user@domain.com
The user will eventually be signed out of the apps they are using, and will have to sign in again. The new password will remain until the user changes their password on-prem in Active Directory, which will then sync across to Azure Active Directory.
For hybrid environments, users can still make changes in AD that will be synced to Azure.
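
The three-step workaround above leaves the account on the managed domain if the password update fails partway through. The following added example (not part of the original article or of any Barracuda or Microsoft tooling) wraps the same cmdlets so the federated UPN is always restored. The function name `Reset-FederatedUserPassword` and its parameter names are hypothetical, and it assumes the AzureAD module is loaded and `Connect-AzureAD` has already been run.

```powershell
# Added example: same workaround, with a guaranteed revert of the UPN.
# Reset-FederatedUserPassword and its parameters are hypothetical names.
function Reset-FederatedUserPassword {
    [CmdletBinding()]
    param(
        # Object ID or current UPN of the federated user
        [Parameter(Mandatory)] [string] $ObjectId,
        # Temporary UPN on a managed domain, e.g. user@domain.onmicrosoft.com
        [Parameter(Mandatory)] [string] $ManagedUpn,
        [Parameter(Mandatory)] [securestring] $NewPassword
    )
    # Turn cmdlet errors into terminating errors so try/finally sees them
    $ErrorActionPreference = 'Stop'

    # Resolve once and keep the GUID: a lookup by UPN stops working
    # as soon as the UPN is changed in the next step.
    $user         = Get-AzureADUser -ObjectId $ObjectId
    $id           = $user.ObjectId
    $federatedUpn = $user.UserPrincipalName
    if ($federatedUpn -eq $ManagedUpn) {
        throw "User is already on '$ManagedUpn'; original federated UPN is unknown."
    }

    # Change UPN to managed domain
    Set-AzureADUser -ObjectId $id -UserPrincipalName $ManagedUpn
    try {
        # Update the password
        Set-AzureADUserPassword -ObjectId $id -Password $NewPassword
    }
    finally {
        # Change UPN back to the federated domain, even if the reset failed
        Set-AzureADUser -ObjectId $id -UserPrincipalName $federatedUpn
        $current = (Get-AzureADUser -ObjectId $id).UserPrincipalName
        if ($current -ne $federatedUpn) {
            Write-Warning "UPN is '$current', expected '$federatedUpn'. Fix manually."
        }
    }
}

# Usage (values are the placeholders used in the article):
# $pw = Read-Host -AsSecureString -Prompt 'New password'
# Reset-FederatedUserPassword -ObjectId xxxxx `
#     -ManagedUpn user@domain.onmicrosoft.com -NewPassword $pw
```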