When a user gets AADSTS50144: InvalidPasswordExpiredOnPremPassword in a hybrid identity setup, their on-premises Active Directory password has expired (the same code typically appears when the account is flagged User must change password at next logon and sign-in goes through Pass-through Authentication). Microsoft Entra ID (formerly Azure AD) cannot complete the sign-in because it relies on on-premises AD for that user's password, and on-premises AD rejects the expired one.

Fix

Method 1: Reset the on-premises password and sync

On a Domain Controller or a machine with RSAT, check the password status:

Get-ADUser -Identity "username" -Properties PasswordLastSet, PasswordExpired | Select Name, PasswordLastSet, PasswordExpired

If PasswordExpired is True, reset the password. The literal password below is for illustration only; on a real console, prompt for it so it does not land in the shell history:

Set-ADAccountPassword -Identity "username" -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "NewSecurePassword123!" -Force)
Set-ADUser -Identity "username" -ChangePasswordAtLogon $true

With Pass-through Authentication, the must-change flag set by the second command itself keeps producing AADSTS50144 until the user changes the password against on-premises AD (for example from the Ctrl+Alt+Del screen of a domain-joined machine). Skip that command if the user has no way to do that.

Force an immediate delta sync with Entra Connect (Azure AD Connect):

Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Delta

This matters when password hash sync is in use: the hash itself is pushed by a separate cycle that runs about every two minutes, and the delta sync carries the changed attributes and confirms the connector is healthy. With Pass-through Authentication or AD FS the password is validated live against on-premises AD, so the reset takes effect as soon as AD replication reaches the domain controller the agent or federation server uses. Wait 5-10 minutes, then have the user sign in with the new password.
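The steps of Method 1 consolidated into one script that also decides whether a sync is needed at all. This is an added example, not code from the original article: it assumes it runs on the Entra Connect server with the RSAT ActiveDirectory module and the ADSync module installed, and the function names Get-OnPremPasswordState, Reset-OnPremPassword and Sync-PasswordToEntra are hypothetical.

```powershell
# Added example (not from the original article). Assumes the RSAT
# ActiveDirectory module and the ADSync module are installed and the shell
# runs as an account that can reset passwords and start a sync cycle.
Import-Module ActiveDirectory
Import-Module ADSync

function Get-OnPremPasswordState {
    # Report the attributes that matter for AADSTS50144: expiry, the
    # must-change flag (pwdLastSet = 0) and lockout.
    param([Parameter(Mandatory)][string]$Identity)
    $u = Get-ADUser -Identity $Identity -Properties PasswordLastSet, PasswordExpired,
        PasswordNeverExpires, pwdLastSet, LockedOut, 'msDS-UserPasswordExpiryTimeComputed'
    $expiry = $null
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    # 0x7FFFFFFFFFFFFFFF means "never expires"; 0 means no computed expiry.
    if ($raw -and $raw -ne [long]::MaxValue) { $expiry = [DateTime]::FromFileTime($raw) }
    [pscustomobject]@{
        SamAccountName    = $u.SamAccountName
        Enabled           = $u.Enabled
        LockedOut         = $u.LockedOut
        PasswordLastSet   = $u.PasswordLastSet
        PasswordExpires   = $expiry
        PasswordExpired   = [bool]$u.PasswordExpired
        MustChangeAtLogon = ($u.pwdLastSet -eq 0)
    }
}

function Reset-OnPremPassword {
    # Prompt for the password instead of passing it on the command line, so it
    # does not end up in the console history. -MustChangeAtLogon is opt-in:
    # with Pass-through Authentication that flag alone reproduces AADSTS50144
    # until the user changes the password against on-premises AD.
    param(
        [Parameter(Mandatory)][string]$Identity,
        [switch]$MustChangeAtLogon
    )
    $newPassword = Read-Host -Prompt "New password for $Identity" -AsSecureString
    Set-ADAccountPassword -Identity $Identity -Reset -NewPassword $newPassword
    Unlock-ADAccount -Identity $Identity
    Set-ADUser -Identity $Identity -ChangePasswordAtLogon ([bool]$MustChangeAtLogon)
}

function Sync-PasswordToEntra {
    # Only password hash sync needs Entra Connect to push anything; PTA and
    # federation validate the password live against AD.
    $features = Get-ADSyncAADCompanyFeature
    if (-not $features.PasswordHashSync) {
        Write-Host 'Password hash sync is disabled (PTA or federation): no sync needed, AD replication is enough.'
        return
    }
    # Start-ADSyncSyncCycle fails if a run is already in progress, so wait it out.
    while (Get-ADSyncConnectorRunStatus) { Start-Sleep -Seconds 15 }
    Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
    Get-ADSyncScheduler | Select-Object SyncCycleEnabled, AllowedSyncCycleInterval,
        NextSyncCyclePolicyType, NextSyncCycleStartTimeInUTC, SyncCycleInProgress
}

# Usage: inspect, reset, then sync. The first line lists every enabled account
# whose password has already expired, useful when several users report the error.
# Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordExpired | Where-Object PasswordExpired | Select-Object SamAccountName
# Get-OnPremPasswordState -Identity 'jdoe'
# Reset-OnPremPassword -Identity 'jdoe'
# Sync-PasswordToEntra
```

The PasswordHashSync check is what keeps this from triggering a pointless sync in PTA or AD FS tenants; the scheduler output it returns is the same one the Verification section reads.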

If the error persists:

Revoke the user's existing Entra sessions. This runs from any machine with the Microsoft Graph PowerShell SDK installed; it does not have to be the Entra Connect server, and the scope shown needs admin consent:

Connect-MgGraph -Scopes "User.ReadWrite.All"
Revoke-MgUserSignInSession -UserId "user@domain.com"

Then purge the cached Kerberos tickets on the user's machine. Run this in a normal, non-elevated prompt as the affected user: tickets are cached per logon session, and under UAC an elevated prompt runs in a separate logon session, so purging there leaves the user's own tickets untouched:

klist purge

These tickets matter for on-premises resources; the Entra sign-in itself uses the device's primary refresh token, which is renewed when the user locks and unlocks or signs in with the new password.

If the error still persists:

Verify the Pass-through Authentication agent is running. On each server hosting an agent (the Entra Connect server and any additional agent servers), open services.msc and restart the Microsoft Azure AD Connect Authentication Agent service (newer builds show the Microsoft Entra branding). The agent also needs outbound HTTPS to Microsoft; if every PTA sign-in fails rather than only this user's, check that path first.

If using AD FS, check Event Viewer under Applications and Services Logs > AD FS > Admin for failures, typically Event ID 364 (error during a federation passive request) or 111 (error processing a WS-Trust request); the event text names the user and the underlying Active Directory error.
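A server-side check of both authentication paths, added here as an example rather than taken from the original article. It assumes the PTA agent can be found by a service display name containing "Connect Authentication Agent", that the AD FS admin log channel is named "AD FS/Admin" (run that part on an AD FS server), and the function names are hypothetical.

```powershell
# Added example (not from the original article). Run Test-PtaAgent on the
# Entra Connect / PTA agent server and Get-AdfsWsTrustFailures on an AD FS
# server. Service and log names are assumptions, noted inline.

function Test-PtaAgent {
    # Finds the agent by display name (assumed to contain 'Connect Authentication
    # Agent', covering both the Azure AD and Entra branding) and starts or
    # restarts it when asked. Also checks the outbound HTTPS path the agent needs.
    param([switch]$Restart)
    $svc = Get-Service -DisplayName '*Connect Authentication Agent*' -ErrorAction SilentlyContinue
    if (-not $svc) {
        return [pscustomobject]@{ Installed = $false; Status = $null; Restarted = $false; OutboundHttps = $null }
    }
    $restarted = $false
    if ($svc.Status -ne 'Running' -or $Restart) {
        Restart-Service -Name $svc.Name -Force   # also starts a stopped service
        $svc.Refresh()
        $restarted = $true
    }
    # The agent talks outbound to Microsoft over 443; a broken proxy or firewall
    # rule here fails every PTA sign-in, not just the expired-password ones.
    $net = Test-NetConnection -ComputerName 'login.microsoftonline.com' -Port 443 -WarningAction SilentlyContinue
    [pscustomobject]@{
        Installed     = $true
        Status        = $svc.Status
        Restarted     = $restarted
        OutboundHttps = $net.TcpTestSucceeded
    }
}

function Get-AdfsWsTrustFailures {
    # Pulls the two event IDs the article names (364: federation passive request
    # error, 111: WS-Trust request error) from the AD FS admin log and, optionally,
    # keeps only the events that mention a given user.
    param([int]$Hours = 24, [string]$User)
    $filter = @{ LogName = 'AD FS/Admin'; Id = 364, 111; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    if ($User) { $events = $events | Where-Object { $_.Message -match [regex]::Escape($User) } }
    $events | Select-Object TimeCreated, Id,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

# Usage:
# Test-PtaAgent                      # status and connectivity; add -Restart to bounce it regardless
# Get-AdfsWsTrustFailures -Hours 6 -User 'user@domain.com'
```

Filtering AD FS events by user matters on a busy farm: 364 and 111 fire for every failed request, and the ones for an expired password carry the AD error in the message body, which is what distinguishes this case from a bad password or a locked account.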

For end-users without admin access:

Direct the user to the self-service password reset portal: https://aka.ms/sspr. For a synced (hybrid) user this requires SSPR with password writeback enabled in Entra Connect; without writeback, a cloud reset cannot update on-premises AD.

If SSPR is not enabled, an administrator must reset the password using Active Directory Users and Computers: right-click the user, select Reset Password, set a new password, and check User must change password at next logon, bearing in mind that with Pass-through Authentication that flag keeps producing AADSTS50144 until the user changes the password on a domain-joined machine.

After the password is reset, the user should refresh the cached credentials on their device. On a hybrid-joined PC, signing out and back in (or locking and unlocking) with the new password is enough. Only if the user added the work account separately (Settings > Accounts > Access work or school, listed as a work or school account rather than as the domain connection) should they remove and re-add it: select the account, click Disconnect, then Connect and sign in again. Do not click Disconnect on the "Connected to ... AD domain" entry of a hybrid-joined device; that leaves the domain.

Verification

The user should now be able to sign in. To check sync status:

Get-ADSyncScheduler

Confirm SyncCycleEnabled is True and that AllowedSyncCycleInterval and NextSyncCyclePolicyType indicate normal operation (by default a 30-minute interval and a Delta policy). On the user's machine, run the following as the user, in a non-elevated prompt, so the user and SSO sections describe that user's logon session:

dsregcmd /status

Under Device State, verify AzureAdJoined: YES and DomainJoined: YES for hybrid-joined devices. Under SSO State, AzureAdPrt should be YES with a recent AzureAdPrtUpdateTime; NO means the device has not yet obtained a primary refresh token with the new password, and single sign-on to Entra resources keeps failing until it does.
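The client-side verification as a script, added here as an example and not part of the original article. It parses the dsregcmd /status output into a hashtable and checks the three fields named above; the function names are hypothetical, and the sample output embedded at the bottom is constructed so the parser can be exercised without a hybrid-joined machine.

```powershell
# Added example (not from the original article). Run as the affected user in a
# non-elevated prompt: the user-state and SSO sections of dsregcmd /status
# describe the logon session the command runs in.

function Get-DsRegStatus {
    # dsregcmd prints section headers as boxed "| Device State |" lines and
    # fields as "    Key : Value" lines; this flattens the fields into a
    # hashtable. The fields checked below have unique names across sections.
    param([string[]]$Lines = (& dsregcmd /status))
    $result = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\|\s*(.+?)\s*\|$') { continue }          # section header, skip
        if ($line -match '^\s*([^:]+?)\s*:\s*(.*)$') {               # first colon splits key and value
            $result[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    $result
}

function Test-HybridJoinState {
    # Healthy only when the device is hybrid joined and the user holds a primary
    # refresh token (PRT); without a PRT, SSO to Entra resources fails even
    # after the password itself is fixed.
    param([Parameter(Mandatory)][hashtable]$Status)
    $expected = [ordered]@{ AzureAdJoined = 'YES'; DomainJoined = 'YES'; AzureAdPrt = 'YES' }
    $failed = foreach ($k in $expected.Keys) {
        if ($Status[$k] -ne $expected[$k]) { "$k is '$($Status[$k])', expected $($expected[$k])" }
    }
    $hint = if ($Status['AzureAdPrt'] -ne 'YES') {
        'No PRT: lock/unlock or sign out and back in with the new password, or run "dsregcmd /refreshprt" as the user.'
    }
    [pscustomobject]@{
        Healthy    = (-not $failed)
        Failed     = @($failed)
        PrtUpdated = $Status['AzureAdPrtUpdateTime']
        Hint       = $hint
    }
}

# Live check on the user's machine:
# Test-HybridJoinState -Status (Get-DsRegStatus)

# Constructed sample (not real output) showing a hybrid-joined device whose
# user has not obtained a PRT since the password change:
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : NO
      AzureAdPrtUpdateTime : 2024-05-01 08:12:45.000 UTC
'@ -split "`r?`n"
Test-HybridJoinState -Status (Get-DsRegStatus -Lines $sample)
# Healthy = False, Failed = AzureAdPrt is 'NO', expected YES, plus the refresh hint.
```

The PRT check is the one most often skipped: the join state rarely changes during a password incident, but a stale or missing PRT is exactly what produces "works on the web, fails in Office and Teams" reports after the password has been fixed.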

Common mistakes include: resetting the password only in Entra ID (for a synced user this is blocked unless password writeback is enabled, and for a federated user the cloud password is never what gets checked), not forcing a sync cycle when password hash sync is in use, and clearing the browser cache instead of refreshing the session and the cached credentials on the device. Always reset the on-premises password first, sync if password hash sync is in use, and then clear the client-side authentication cache.