O365 - AD Synchronised Users & User must change password at next log on

When creating new users which will not be logging onto domain joined machine and only to the Office 365 portal, there is an important limitation with respect to the “User must change password at next log on” flag. 

When a user is created and they change their password for the first time at the initial logon (to an Active Directory Domain joined machine) the pwdLastSet attribute is updated with the date the password is set. This attribute is replicated to Office 365 via Azure AD Connect.

When you select the “User must change password at next log on” option within the account properties, this clears the pwdLastSet attribute, this cleared attribute is then synchronised to Office 365. 

Once cleared, this invalidates any already issued Office 365 tokens and the user will not be able to logon. Therefore when creating the accounts I would recommend using an random password for each user and asking them to change this and allow password writeback to update AD. Or if enabled they can register for SSPR where they can then change the password on the account.

Note Password writeback and SSPR will only work for accounts with Azure AD Premium licenses assigned. Password writeback must also be enabled with Azure AD Connect.

For a full list of attributes synchronised see - https://docs.microsoft.com/en-gb/azure/active-directory/hybrid/reference-connect-sync-attributes-synchronized