QER_Person_Publish_CentralPassword failed to sync with Azure AD

Hello,

In our  Azure Ad synchronisation project , the process QER_Person_Publish_CentralPassword failed for tens of users because of the Azure AD password policy in OIM

I have changed the policy now but i would like to republish centralPassword (for those still having not null one) to Azure Ad for these users 

any way to do this  , i dont want to re invite them to change their password again 

Thank you 

  • What version are you using?

    Do you have the configuration parameter "PermanentStore" enabled for the centralPassword?

  • Hello ,

    Thank you for your answer

    We are using version 8.1.1

    Yes , the parameter  PermanentStore is  enabled 

    Best regards

  • The persons, where the password is still stored, do they only have the Azure AD Account assigned or do they have more than these?

    Are you syncing the password to Person.DialogUserPassword as well?

  • Thank you for your answer

    No they also have Ad accounts and another account to which the password is published

    I did not  know  about the column DialogUserPassword. 

    After checking, yes this column is filled for all those users but with a different value than

    CentralPassword  (encrypted values are différent)

    Best regards

  • Yes, the values in DialogUserPassword are different because it is hashed not encrypted. The configuration parameter QER\Person\UseCentralPassword\SyncToSystemPassword controls if the DialogUserPassword should be updated by changes of the central password.

    Back to your question.

    To change only the Azure AD passwords from the stored central password, you would need to create a copy of the process QER_Person_Publish_CentralPassword.

    Then modify

    • the events of the process and configure it to use a custom event, for example ResetPassword.
    • the generation condition of the process and remove the part of the condition that checks for a changed CentralPassword

    Then create a copy of the script QER_Publish_CentralPassword and modify it, so that only the Azure AD accounts are affected if you trigger your process and use this in the process step "Publish password to all accounts" of your process copy.

    When all this has been done and compiled you can trigger the custom event for all of your affected persons.

    And please keep in mind that the configuration parameter QER | Person | UseCentralPassword | PermanentStore will not be supported the future and will be deleted according to the release notes of 8.1.1.

    HtH

  • Thank you so much Markus for your replay

    I'll give this a try.

    Best regards,