<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Hi everyone,</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Okay, I think I was able to solve this issue by myself.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
There seems to be a problem in Evolveum MS Graph API connector. When updating user, the connector executes attributes one by one, because Microsoft Graph does not support SharePoint and Azure AD attributes in one JSONObject.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
However this causes problems when changing password and provisioning the forceChangePasswordNextSignIn attribute, which I guess Azure AD wants to be in one JSON object.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
So I was able to overcome this issue by modifying the connector and provisioning attributes as a single JSON object when password is changed.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Best regards,</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Jussi Jokela<br>
</div>
<div>
<div id="Signature">
<div>
<p></p>
<p></p>
</div>
</div>
</div>
<div id="appendonsend"></div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> midPoint <midpoint-bounces@lists.evolveum.com> on behalf of Marc Fueller via midPoint <midpoint@lists.evolveum.com><br>
<b>Sent:</b> Monday, January 3, 2022 14:01<br>
<b>To:</b> Jussi Jokela via midPoint <midpoint@lists.evolveum.com><br>
<b>Cc:</b> Marc Fueller <marc.fueller@daasi.de><br>
<b>Subject:</b> Re: [midPoint] Changing user password in Azure AD with Microsoft Graph API connector</font>
<div> </div>
</div>
<div>
<p>Hi Jussi,</p>
<p><br>
</p>
<p>this behavior could be caused by a policy on Azure AD that is setting the flag for "must change password at next logon" in UserAccountControl whenever the password is changed.</p>
<p><br>
</p>
<p>Best regards,</p>
<p>Marc</p>
<p><br>
</p>
<p><br>
</p>
<div class="x_moz-cite-prefix">Am 03.01.22 um 12:37 schrieb Jussi Jokela via midPoint:<br>
</div>
<blockquote type="cite"><style type="text/css" style="display:none">
<!--
p
{margin-top:0;
margin-bottom:0}
-->
</style>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
Hi everyone,</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
Anyone having some ideas for this? Currently a blocker for me.<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
Best regards,</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
Jussi Jokela<br>
</div>
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="x_divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> midPoint
<a class="x_moz-txt-link-rfc2396E" href="mailto:midpoint-bounces@lists.evolveum.com">
<midpoint-bounces@lists.evolveum.com></a> on behalf of Jussi Jokela via midPoint <a class="x_moz-txt-link-rfc2396E" href="mailto:midpoint@lists.evolveum.com">
<midpoint@lists.evolveum.com></a><br>
<b>Sent:</b> Friday, December 31, 2021 11:32<br>
<b>To:</b> <a class="x_moz-txt-link-abbreviated" href="mailto:midpoint@lists.evolveum.com">
midpoint@lists.evolveum.com</a> <a class="x_moz-txt-link-rfc2396E" href="mailto:midpoint@lists.evolveum.com">
<midpoint@lists.evolveum.com></a><br>
<b>Cc:</b> Jussi Jokela <a class="x_moz-txt-link-rfc2396E" href="mailto:jussi.jokela@fiarone.com">
<jussi.jokela@fiarone.com></a><br>
<b>Subject:</b> [midPoint] Changing user password in Azure AD with Microsoft Graph API connector</font>
<div> </div>
</div>
<style type="text/css" style="display:none">
<!--
p
{margin-top:0;
margin-bottom:0}
-->
</style>
<div dir="ltr">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
Hi everyone,</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
I'm having some difficulties with Azure AD and MS Graph API connector (1.0.0.1-SNAPSHOT).</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
When I'm changing users password in midpoint, Azure still wants that user to change password in next login to Azure (password expired or first login error). I'm also mapping the passwordProfile.forceChangePasswordNextSignIn = false, but looks like this has
no effect? Anyone else having same problems?</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
Weird thing is, when I'm creating a new user in midpoint and this user is also provisioned to Azure AD, this user can sign in without forced password change.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
Best regards,</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
Jussi Jokela<br>
</div>
</div>
<br>
<fieldset class="x_mimeAttachmentHeader"></fieldset>
<pre class="x_moz-quote-pre">_______________________________________________
midPoint mailing list
<a class="x_moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="x_moz-txt-link-freetext" href="https://lists.evolveum.com/mailman/listinfo/midpoint">https://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<pre class="x_moz-signature" cols="72">--
Marc Füller
Consultant
DAASI International GmbH
Europaplatz 3
D-72072 Tübingen
Germany
phone: +49 7071 407109-0
fax: +49 7071 407109-9
email: <a class="x_moz-txt-link-abbreviated" href="mailto:marc.fueller@daasi.de">marc.fueller@daasi.de</a>
web: <a class="x_moz-txt-link-abbreviated" href="http://www.daasi.de">www.daasi.de</a>
Sitz der Gesellschaft: Tübingen
Registergericht: Amtsgericht Stuttgart, HRB 382175
Geschäftsleitung: Peter Gietz</pre>
</div>
</body>
</html>