Question about password changes with platform SSO

howie_isaacks
Valued Contributor III

I am working on deploying platform single sign-on using Microsoft Entra ID. It's working really well. Setup is easy. Password changes are done using the Microsoft password reset site. When we log off the Mac and log in again, we can immediately use the new password set in Entra ID. What if a user does not log off their Mac after changing the password? Are there any negative consequences if the user does not log off and log in again? I know that after logging off and logging in after the change, users will be prompted to re-enable the password sync between the Mac local account and the IdP, and to update Keychain. I have run through this process myself. Some of our users also have a Windows PC. If they changed their Entra ID password on the Windows PC, their Mac should pick up the password change the same as if they had used the password reset site. They may not log off the Mac and log in again after the change. I will do my best to inform them, but there's always someone who doesn't get the message or who will just avoid doing it.


Shyamsundar
Valued Contributor

I don't think there is any impact. The password will change to the new one once the user logs out and logs in again; until then it will be the old one.

howie_isaacks
Valued Contributor III

I actually tested this earlier this morning. I set up a test Mac with PSSO using a test account in Microsoft Entra ID. I confirmed password sync was set up. After PSSO was fully set up, I went to Microsoft's password change site and changed the password to my Entra ID test account. I did not log off the Mac after doing this. To test if the password had taken effect, I opened Terminal and ran "sudo jamf recon", got the prompt for my password, and then used the new Entra ID password. It worked. I also checked Keychain. It remained unlocked. After I did log off and log back in, I did not see the prompt for my previous password in order to sync the password for offline login. This is different from when I first set up my production Mac with PSSO just in time for me to need to change my Entra ID password. I took the time to screenshot and document the steps and all alerts. I'm going to do more testing. I may change my regular (non-test) account password again just to see if the behavior changes. So far, PSSO seems to work very smoothly. I'm just trying to understand all its quirks.
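One way to repeat the check described in the post above from a terminal, without logging out, is to ask the local directory node which password the account currently accepts and then try the same passwords against the login keychain. This is an added example, not code from the original thread or from Apple or Microsoft; it assumes macOS with Platform SSO password sync enabled, the login keychain at its default path (~/Library/Keychains/login.keychain-db), and that `security unlock-keychain` verifies the password even when the keychain is already open. The two macOS commands it relies on, `dscl . -authonly` and `security unlock-keychain -p`, are the real ones; `psso_verdict` is a hypothetical helper written here to interpret their exit codes.

```shell
#!/bin/sh
# Added example (not from the original thread): check whether a Platform SSO
# password change has already reached the local account and the login keychain.
# Assumes macOS with PSSO password sync; run as the affected user in a terminal.

# Interpret the exit codes of "dscl . -authonly" run with the new password
# (new_rc) and then with the previous one (old_rc): 0 = accepted.
# Pure shell, so it can be read and tested without macOS tools.
psso_verdict() {
    new_rc=$1
    old_rc=$2
    if [ "$new_rc" -eq 0 ] && [ "$old_rc" -ne 0 ]; then
        echo "synced"          # local account already takes the IdP password
    elif [ "$new_rc" -ne 0 ] && [ "$old_rc" -eq 0 ]; then
        echo "stale"           # local account still has the pre-change password
    elif [ "$new_rc" -eq 0 ] && [ "$old_rc" -eq 0 ]; then
        echo "both-accepted"   # only possible if old and new are the same string
    else
        echo "neither"         # wrong account name, typo, or locked account
    fi
}

# Try a password against the local directory node; returns dscl's exit code.
# dscl takes the password as an argument, so it is visible in "ps" for a moment:
# run this only on a machine you trust.
local_auth() {
    dscl . -authonly "$1" "$2" >/dev/null 2>&1
}

# Ask whether the login keychain opens with the given password; 0 if it does.
# Assumption: unlock-keychain rejects a wrong password even if already unlocked.
keychain_unlocks() {
    security unlock-keychain -p "$1" "$HOME/Library/Keychains/login.keychain-db" >/dev/null 2>&1
}

main() {
    command -v dscl >/dev/null 2>&1 || { echo "dscl not found: run this on macOS" >&2; return 2; }
    [ -t 0 ] || { echo "needs an interactive terminal to read the passwords" >&2; return 2; }
    user=$(id -un)

    printf 'New Entra ID password: '; stty -echo; read -r new_pw; stty echo; echo
    printf 'Previous password: ';     stty -echo; read -r old_pw; stty echo; echo

    local_auth "$user" "$new_pw"; new_rc=$?
    local_auth "$user" "$old_pw"; old_rc=$?
    echo "local account ($user): $(psso_verdict "$new_rc" "$old_rc")"

    if keychain_unlocks "$new_pw"; then
        echo "login keychain: unlocks with the new password"
    elif keychain_unlocks "$old_pw"; then
        echo "login keychain: still on the previous password (expect the Keychain update prompt at next login)"
    else
        echo "login keychain: neither password unlocks it"
    fi

    # Registration and sync state as macOS reports it (macOS 13 and later).
    app-sso platform -s 2>/dev/null
}

# Define-only when sourced; pass "run" to execute the interactive check.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Run it as `sh psso-check.sh run` after changing the password in Entra ID or on a Windows PC, before logging out. A "synced" local account together with a keychain that still opens only with the previous password is the state in which the Keychain update prompt at the next login is expected; "stale" means the local password has not been updated yet, so the user would still log in with the old one.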