Azure AD Connect does not synchronize the “User must change password at next logon” attribute from your on-premises Active Directory by default, so the flag does not force users to change their password when they next sign in through Azure Active Directory.
To enable this for your directory, you first need to enable Password Writeback in your Azure AD Connect settings, which allows a new password set in Azure AD to be written back to your on-premises Active Directory. As you know, enabling Self-Service Password Reset (SSPR) allows users to reset their password on their own.
On the Azure AD Connect server, open PowerShell and run Get-ADSyncAADCompanyFeature to check whether ForcePasswordChangeOnLogOn has been set.
Get-ADSyncAADCompanyFeature | fl
To enable it, use the command below.
Set-ADSyncAADCompanyFeature -ForcePasswordChangeOnLogOn $true
There was a flaw in this configuration which was fixed in Azure AD Connect 2.0.3:
“Passwords will now be reevaluated when an expired password is “unexpired”, regardless of whether the password itself is changed. If for a user the password is set to “Must change password at next logon”, and this flag is cleared (thus “unexpiring” the password) then the “unexpired” status and the password hash are synced to Azure AD, and when the user attempts to sign in in Azure AD they can use the unexpired password.”
As you can see, if you set this flag (change password at next logon) and then clear it, the unexpired password was previously not synced to Azure Active Directory. That is no longer the case from Azure AD Connect 2.0.3: when you uncheck the flag, the same password is synced to and retained in Azure Active Directory. Note that Azure AD Connect 2.0.3 requires Windows Server 2016 or later.
You can follow Upgrading Azure AD Connect to the latest version if you are running an older version.
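The following script ties the steps above together: it reads the installed Azure AD Connect version, warns when it is older than 2.0.3 (so the "unexpired password" behaviour quoted above does not apply), checks the current state of ForcePasswordChangeOnLogOn, and enables it with -WhatIf support. This is an added example, not code from the original post or from Microsoft. It assumes the ADSync PowerShell module is installed on the server and that the product appears in the standard Uninstall registry keys with a DisplayName beginning "Microsoft Azure AD Connect"; Get-ADSyncAADCompanyFeature and Set-ADSyncAADCompanyFeature are the cmdlets named on the page.

```powershell
# Added example, not part of the original post: audit the prerequisites for
# ForcePasswordChangeOnLogOn on an Azure AD Connect server, then enable the flag.
# Assumptions (not stated on the page): the ADSync PowerShell module is installed
# locally, and the product appears in the Uninstall registry keys with a
# DisplayName beginning "Microsoft Azure AD Connect". Run in an elevated
# PowerShell session on the Azure AD Connect server.

Import-Module ADSync -ErrorAction Stop

function Get-AadConnectVersion {
    # Reads the installed version from the standard Uninstall registry keys
    # (assumed DisplayName pattern; adjust if your install differs).
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $product = Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Microsoft Azure AD Connect*' } |
        Select-Object -First 1
    if ($product) { [version]$product.DisplayVersion } else { $null }
}

function Enable-ForcePasswordChangeOnLogOn {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # The "unexpired password" behaviour quoted above only applies from 2.0.3,
    # so warn when the server is older (2.0.3 itself needs Windows Server 2016+).
    $minVersion = [version]'2.0.3.0'
    $version = Get-AadConnectVersion
    if (-not $version) {
        Write-Warning 'Azure AD Connect version not found in the registry; version check skipped.'
    } elseif ($version -lt $minVersion) {
        Write-Warning "Azure AD Connect $version is older than $minVersion; upgrade before relying on the fix."
    }

    # Password writeback must already be enabled in the Azure AD Connect wizard
    # (this script does not verify it); without it, a password the user sets in
    # Azure AD after the forced change cannot reach on-premises AD.

    $before = Get-ADSyncAADCompanyFeature
    if ($before.ForcePasswordChangeOnLogOn) {
        Write-Host 'ForcePasswordChangeOnLogOn is already enabled; nothing to do.'
        return $before
    }

    if ($PSCmdlet.ShouldProcess('Azure AD Connect company features', 'Enable ForcePasswordChangeOnLogOn')) {
        Set-ADSyncAADCompanyFeature -ForcePasswordChangeOnLogOn $true
    }

    # Re-read the feature set so the caller sees the post-change state.
    $after = Get-ADSyncAADCompanyFeature
    if (-not $after.ForcePasswordChangeOnLogOn -and -not $WhatIfPreference) {
        throw 'ForcePasswordChangeOnLogOn is still disabled after Set-ADSyncAADCompanyFeature.'
    }
    return $after
}

# Dry run first, then apply and show the resulting feature flags.
Enable-ForcePasswordChangeOnLogOn -WhatIf
Enable-ForcePasswordChangeOnLogOn | Format-List
```

The version warning matters because of the behaviour change described above: on a server older than 2.0.3, clearing the "must change password" flag did not re-sync the unexpired password, so the on-premises and Azure AD states could diverge; on 2.0.3 and later the same password is synced and retained, which you should account for when you decide whether simply clearing the flag is acceptable or whether the password should also be changed.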
Thank you for this info, it helps me!