Troubleshoot delays after the first sign-in following a forced password change

  • Article

This article describes how to troubleshoot a password writeback issue when a user is forced to change their password on first sign-in.

Symptoms

After a user makes a required password change on first sign-in, they receive this warning message:

Your password was successfully updated, but our servers take a little time to catch up. Please try signing in again in a few minutes.

Cause

When a user is forced to change their password on first sign-in in Microsoft Entra ID, the password writeback process accepts the temporary password for sign-in, and the user is prompted to provide a new password. Password writeback tries to change the password on-premises, and then waits. If the on-premises update succeeds, password writeback tries to change the password in Microsoft Entra ID. During a password change operation, password writeback verifies the current password, and then provides the new password to be updated in the respective directory.

However, a timing issue might cause this warning if an attempt to sign in occurs immediately after the on-premises Active Directory password was reset. This issue occurs if the user has the User must change password at next logon option selected, and the domain authentication is configured for Pass-through Authentication (PTA).

In this scenario, the user tries to sign in before password hash synchronization finishes syncing the temporary password to Microsoft Entra ID. But because PTA is configured, the authentication is redirected to on-premises Active Directory. The user can now sign in to Microsoft Entra ID successfully and is then forced to change the password on the first sign-in. If the password change is successful, password writeback updates the new password in on-premises Active Directory and in Microsoft Entra ID. However, the sign-in message says "our servers take a little time to catch up." This is because the temporary password didn't match the current password in Microsoft Entra ID.

Solution

After an Active Directory administrator resets the password on-premises, Microsoft Entra Connect takes at least two minutes to sync that temporary password to Microsoft Entra ID. To avoid receiving this warning message, the user has to wait at least two minutes to sign in and update the password. This provides time for password hash synchronization to sync the temporary password.

Contact us for help

If you have questions or need help, create a support request, or ask Azure community support. You can also submit product feedback to Azure feedback community.