Target
This article is for customers who synchronize users from HENNGE Access Control to Microsoft 365 with HENNGE Access Control Directory Sync.
Purpose
When HENNGE Access Control Directory Sync is used to synchronize users from HENNGE Access Control to Microsoft 365, users created after the domain was federated are prompted to sign in to Microsoft 365 applications much more often than expected.
The cause is that, in a federated environment, HENNGE Access Control Directory Sync cannot write the user attributes LastPasswordChangeTimestamp and StsRefreshTokensValidFrom. When these two attributes are empty, Microsoft 365 treats the user's refresh tokens as valid for only 12 hours, so the user is asked to sign in again every time a refresh token expires. Setting both attributes (to the current date and time) restores the normal refresh-token lifetime.
The steps to resolve this issue are described below.
Notes
1. The content of this article is based on product specifications as of July 2022 and Microsoft 365 specifications and may be subject to change without notice.
2. This procedure uses a Microsoft 365 global administrator account.
3. This article describes a solution using Microsoft's MSOnline PowerShell module. For a solution using the Microsoft Graph PowerShell module, refer to the following article:
Handling frequent sign-in requests in Microsoft 365 applications (Microsoft Graph version)
Detailed Procedure Explanation
1. Pre-check items
1.1. Refer to the following article and connect to Microsoft 365 from the PowerShell application.
How to use PowerShell on a Windows machine
2. Individual user configuration method
2.1. Execute the following command to confirm that the two attributes are empty. Enter the UserPrincipalName of the target user in place of "UserPrincipalName".
Get-MsolUser -UserPrincipalName "UserPrincipalName" | Select-Object UserPrincipalName,LastPasswordChangeTimestamp,StsRefreshTokensValidFrom
Example:
For a target user with "user@example.com", the command is as follows:
Get-MsolUser -UserPrincipalName user@example.com | Select-Object UserPrincipalName,LastPasswordChangeTimestamp,StsRefreshTokensValidFrom
Example Result: for an affected user, the LastPasswordChangeTimestamp and StsRefreshTokensValidFrom columns are blank.
2.2. Execute the following command to set both attributes to the current date and time. Enter the UserPrincipalName of the target user in place of "UserPrincipalName".
Set-MsolUser -UserPrincipalName "UserPrincipalName" -LastPasswordChangeTimestamp ( Get-Date ) -StsRefreshTokensValidFrom ( Get-Date )
Example:
For a target user with "user@example.com", the command is as follows:
Set-MsolUser -UserPrincipalName user@example.com -LastPasswordChangeTimestamp ( Get-Date ) -StsRefreshTokensValidFrom ( Get-Date )
2.3. Execute the following command to confirm that values are now set for the two attributes. Enter the UserPrincipalName of the target user in place of "UserPrincipalName".
Get-MsolUser -UserPrincipalName "UserPrincipalName" | Select-Object UserPrincipalName,LastPasswordChangeTimestamp,StsRefreshTokensValidFrom
Example:
For a target user with "user@example.com", the command is as follows:
Get-MsolUser -UserPrincipalName user@example.com | Select-Object UserPrincipalName,LastPasswordChangeTimestamp,StsRefreshTokensValidFrom
Example Result: both columns now show the date and time at which the command in step 2.2 was run.
3. Bulk configuration method
3.1. Download the script SetLastPasswordChangeTimestampTool.ps1 from the bottom of this page and save it to any folder.
3.2. Open the script with a text editor.
3.3. Enter the Microsoft 365 global administrator account information on the first and second lines of the script and save it. Because the script then contains the administrator password in clear text, store it in a folder that only the account running it can read, and delete or blank the password line when the script is no longer needed.
Example:
$Office365UPN = "admin@example.onmicrosoft.com";
$Office365Password = "Example1234";
3.4. Launch Windows PowerShell with administrator privileges.
3.5. Execute the following command and navigate to the folder where the script file was saved in step 3.1.
cd <Path to the folder where the file was saved in 3.1.>
3.6. Execute the following command to run the script.
powershell -ExecutionPolicy Bypass -File .\SetLastPasswordChangeTimestampTool.ps1
3.7. The execution log will be output to the log folder under the folder where the script file was saved in step 3.1. Output file name: yyyymmddhhmmss.txt (The execution time will be the filename.)
Example of execution result:
[Successful user]
DisplayName UserPrincipalName LastPasswordChangeTimestamp StsRefreshTokensValidFrom
----------- ----------------- --------------------------- -------------------------
user user@example.com 2022/07/11 13:29:07 2022/07/11 13:29:08
[Failed user]
※ If [Failed user] is not empty, writing the attributes failed for the listed users; correct the cause and run the script again for them.
[Successful user] lists users for whom values were set in LastPasswordChangeTimestamp and StsRefreshTokensValidFrom.
[Failed user] lists users for whom the process failed when writing values to LastPasswordChangeTimestamp and StsRefreshTokensValidFrom.
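The following is an added example written for this article; it is not the SetLastPasswordChangeTimestampTool.ps1 distributed at the bottom of the page and it does not reproduce that tool's code. It performs the check-and-set of section 2 for one or more users, or the bulk run of section 3 for every user in a federated domain, writing only when an attribute is empty and producing a [Successful user] / [Failed user] log in the same shape as the tool's. It assumes the MSOnline module is installed and that Connect-MsolService has already been run (step 1.1); the function name and the log folder default are assumptions of this example.

```powershell
# Added example for this article (not the distributed tool). Requires an existing
# Connect-MsolService session. Only users whose UPN suffix is a federated domain are
# affected by the empty attributes, so the bulk path restricts itself to those.
Import-Module MSOnline -ErrorAction Stop

function Set-MissingRefreshTokenTimestamps {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Optional UPN list; when omitted, every user in a federated domain is processed.
        [string[]]$UserPrincipalName,
        # Log folder (assumed default: a "log" folder under the current directory).
        [string]$LogFolder = (Join-Path (Get-Location) 'log')
    )

    $federatedDomains = (Get-MsolDomain -Authentication Federated).Name
    if (-not $federatedDomains) { throw 'No federated domain found in this tenant.' }

    if ($UserPrincipalName) {
        $users = $UserPrincipalName | ForEach-Object { Get-MsolUser -UserPrincipalName $_ }
    } else {
        $users = Get-MsolUser -All | Where-Object {
            $federatedDomains -contains $_.UserPrincipalName.Split('@')[1]
        }
    }

    $succeeded = New-Object System.Collections.Generic.List[object]
    $failed    = New-Object System.Collections.Generic.List[object]

    foreach ($u in $users) {
        # Users that already have both values are left alone; this keeps the daily
        # run (section 4) from rewriting every user's timestamps each night.
        if ($u.LastPasswordChangeTimestamp -and $u.StsRefreshTokensValidFrom) { continue }
        try {
            $now = Get-Date
            if ($PSCmdlet.ShouldProcess($u.UserPrincipalName, 'Set timestamps')) {
                Set-MsolUser -UserPrincipalName $u.UserPrincipalName `
                    -LastPasswordChangeTimestamp $now -StsRefreshTokensValidFrom $now `
                    -ErrorAction Stop
                # Re-read the user so the log records what the directory actually stored.
                $after = Get-MsolUser -UserPrincipalName $u.UserPrincipalName
                $succeeded.Add(($after | Select-Object DisplayName, UserPrincipalName,
                    LastPasswordChangeTimestamp, StsRefreshTokensValidFrom))
            }
        } catch {
            $failed.Add([pscustomobject]@{
                UserPrincipalName = $u.UserPrincipalName
                Error             = $_.Exception.Message
            })
        }
    }

    # Same log layout as the tool: yyyymmddhhmmss.txt with two sections.
    New-Item -ItemType Directory -Path $LogFolder -Force | Out-Null
    $logFile = Join-Path $LogFolder ((Get-Date -Format 'yyyyMMddHHmmss') + '.txt')
    @(
        '[Successful user]'
        ($succeeded | Format-Table -AutoSize | Out-String)
        '[Failed user]'
        ($failed | Format-Table -AutoSize | Out-String)
    ) | Set-Content -Path $logFile

    # Return both lists so a caller or scheduled task can act on failures.
    [pscustomobject]@{ Succeeded = $succeeded; Failed = $failed; LogFile = $logFile }
}

# Usage: one user (section 2), or the whole tenant (section 3).
# Set-MissingRefreshTokenTimestamps -UserPrincipalName user@example.com
# Set-MissingRefreshTokenTimestamps -WhatIf   # preview which users would be written
```

Because the function declares SupportsShouldProcess, running it with -WhatIf lists the users that would be changed without calling Set-MsolUser, which is a useful first pass before a tenant-wide run.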
4. Scheduled Execution Method
You can register the script in the Task Scheduler of the Windows OS to run it periodically. In the example below, the script is set to run once a day at 3:00 AM.
On the terminal where the script will run, the settings in the following article should be completed, and PowerShell should be able to connect to Microsoft 365.
How to Use PowerShell on a Windows Machine
4.1. Launch the Task Scheduler of Windows OS, click [Task Scheduler Library] on the left side of the screen, and click [Create Task] on the right side of the screen.
4.2. On the General tab, set as follows:
Name: SetLastPasswordChangeTimestamp
Description: Set LastPasswordChangeTimestamp attribute for each user on Microsoft 365
[Run with highest privileges]: Check
[Run whether user is logged on or not]: Check
4.3. Click [New...] in the Triggers tab, enter the following settings, and click [OK].
Begin the task: On a schedule
Settings: Daily
Start: 3:00 AM on the start date
Repeat task every: 1 day
4.4. Click [New...] in the Actions tab, enter the following settings, and click [OK].
Action: Start a program
Program/script: %Systemroot%\System32\WindowsPowerShell\v1.0\powershell.exe
Add arguments: -ExecutionPolicy Bypass -File ".\SetLastPasswordChangeTimestampTool.ps1"
Start in: <Path to the folder where the file was saved in 3.1.>
4.5. In the Task Scheduler, right-click the task created in step 4.2, click [Run] to execute it manually, and confirm that an execution result log file is written to the log folder under the folder where the script file was saved in step 3.1. Output file name: yyyymmddhhmmss.txt (The execution time will be the filename.)
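As an added example that is not part of the original article, the same daily 3:00 AM task can be registered from an elevated PowerShell session with the ScheduledTasks module instead of the Task Scheduler window; the task name, description, trigger, action and "Start in" folder match steps 4.2 to 4.4. The folder path in $scriptFolder is an assumption and must be replaced with the folder chosen in step 3.1; the account is prompted for so that its password is not written into this file.

```powershell
# Added example (not from the original article): register the section 4 task with PowerShell.
# Run in an elevated PowerShell on the machine that will execute the script.
$scriptFolder = 'C:\HENNGE\DirSyncFix'                 # assumption: folder from step 3.1
$scriptName   = 'SetLastPasswordChangeTimestampTool.ps1'

if (-not (Test-Path (Join-Path $scriptFolder $scriptName))) {
    throw "Script not found in $scriptFolder"
}

# Step 4.4: Program/script, Add arguments, Start in.
$action = New-ScheduledTaskAction `
    -Execute "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe" `
    -Argument "-NoProfile -ExecutionPolicy Bypass -File `".\$scriptName`"" `
    -WorkingDirectory $scriptFolder

# Step 4.3: daily at 3:00 AM (DaysInterval defaults to 1).
$trigger = New-ScheduledTaskTrigger -Daily -At 3am

# Step 4.2: "Run whether user is logged on or not" needs a stored password, so the
# account is prompted for here rather than typed into the script. It must hold the
# "Log on as a batch job" right on this machine.
$cred = Get-Credential -Message 'Account that will run the task'

# Stop a hung run after two hours and do not start a second copy while one is running.
$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 2) `
    -MultipleInstances IgnoreNew

Register-ScheduledTask -TaskName 'SetLastPasswordChangeTimestamp' `
    -Description 'Set LastPasswordChangeTimestamp attribute for each user on Microsoft 365' `
    -Action $action -Trigger $trigger -Settings $settings `
    -User $cred.UserName -Password $cred.GetNetworkCredential().Password `
    -RunLevel Highest -Force

# Step 4.5: run the task once and show the newest log file under the script folder.
Start-ScheduledTask -TaskName 'SetLastPasswordChangeTimestamp'
Start-Sleep -Seconds 30
Get-ChildItem (Join-Path $scriptFolder 'log') -Filter '*.txt' |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
```

If the final Get-ChildItem shows no file newer than the Register-ScheduledTask call, open the task's History tab in Task Scheduler; the usual causes are a wrong "Start in" folder or an account without the batch-logon right.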
Reference
・Federated users need to sign in frequently to Azure AD.
・Configurable token lifetimes in the Microsoft Identity Platform (Preview)