
If you want to install Azure AD Sync on an existing DirSync server, first uninstall DirSync and then install Azure AD Sync.

 

Uninstallation Procedure

Uninstall DirSync in Control Panel. 

Click Start > Control Panel > Uninstall a program.

Find DirSync and then right click on it > click Uninstall to uninstall the program.

Close DirSync and its associated program.

Delete files and folders created by DirSync

Reboot the server

Download the latest AADSync from http://www.microsoft.com/en-us/download/details.aspx?id=44225

Installation Requirements


The objective of this section is to list the requirements that need to be fulfilled to install Azure AD Sync in your environment.
Azure AD Sync enables you to integrate your on-premises Active Directory Domain Service with your Azure AD directory.
As a consequence of this, you need access to your on-premises Active Directory Domain Service as well as access to a valid Azure subscription that has an Azure AD directory installed.

To install Azure AD Sync, you need a computer running the Windows Server operating system.
The following versions are supported:

  • Windows Server 2008
  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2

Your computer can be stand-alone, a member server or a domain controller.
The following components need to be installed:

  • .Net 4.5.1
  • PowerShell (PS3 or better is required)

You need an account with local administrator privileges on your computer to install Azure AD Sync.

Azure AD Sync requires a SQL Server database to store identity data. By default a SQL Express LocalDB (a light version of SQL Server Express) is installed and the service account for the service is created on the local machine.
SQL Server Express has a 10GB size limit that enables you to manage approximately 100,000 objects.

If you need to manage a higher volume of directory objects, you need to point the installation process to a different version of SQL Server.
AAD Sync supports all flavors of Microsoft SQL Server from SQL Server 2008 to SQL Server 2014.

You must have the following steps completed before you can install Azure AD Sync:

  1. Create an AD account to connect to AD DS
  2. Create an account to connect to Azure AD

The following sections provide the related steps.

 

When you configure Azure AD Sync, you need to provide the credentials of an account that is used by Azure AD Sync to connect to your AD DS.
You can use a regular user account because the account only needs the default read permissions.

The following sections provide more details about the permissions required by the AD DS account and the attributes it needs access to.

If you want to enable password synchronization between your on-premises AD DS and your Azure Active Directory for your users, you need to grant the following permissions to the account that is used by Azure AD Sync to connect to your AD DS:

  • Replicating Directory Changes
  • Replicating Directory Changes All

Both permissions are required to enable the account to read password hashes from your on-premises AD DS.

If you want to enable rich co-existence between your on-premises Exchange infrastructure and Office 365 (Exchange Hybrid), you can do this by selecting the Exchange hybrid deployment optional feature. When selecting this feature, you enable AAD Sync to write-back attributes to your on-premises environment.

The following table lists the attributes per object type that require write-back:

Object Type          Data source attribute
Contact              proxyAddresses
Group                proxyAddresses
User/InetOrgPerson   msExchArchiveStatus
                     msExchBlockedSendersHash
                     msExchSafeRecipientsHash
                     msExchSafeSendersHash
                     msExchUCVoiceMailSettings
                     msExchUserHoldPolicies
                     proxyAddresses

The account you configure in the Connect to Active Directory Domain Services dialog page needs to have specific permissions to the attributes above.

The following table lists the minimum set of permissions that are required for this account using DSACLS nomenclature.

Object Type          Data source attribute       Permission / Access Right   Inheritance
Contact              proxyAddresses              Write                       The child objects only
Group                proxyAddresses              Write                       The child objects only
User/InetOrgPerson   msExchArchiveStatus         Write                       The child objects only
                     msExchBlockedSendersHash    Write                       The child objects only
                     msExchSafeRecipientsHash    Write                       The child objects only
                     msExchSafeSendersHash       Write                       The child objects only
                     msExchUCVoiceMailSettings   Write                       The child objects only
                     msExchUserHoldPolicies      Write                       The child objects only
                     proxyAddresses              Write                       The child objects only

The password write-back feature provides your users with a convenient method to reset their on-premises passwords in the cloud. During the configuration of Azure AD Sync, you can activate password write-back as optional feature.

For each forest you have configured in Azure AD Sync, the account you have specified for a forest in the wizard must be given the “Reset Password” and “Change Password” extended rights on the root object of each domain in the forest. The right should be marked as inherited by all user objects.

Use the following procedure to set up permissions for each of the accounts you have configured.

  1. Open Active Directory Users and Computers.
  2. At the top, under View, make sure that Advanced Features is turned on.
  3. On the left, right-click the root domain and select Properties.
  4. Select the Security tab and click Advanced.
  5. On the Permissions tab, click Add.
  6. Click Select a Principal and select the account that was specified during setup.
  7. In the drop-down, select Descendant User objects.
  8. In the Permissions section select Reset Password and Change Password.
  9. Click Ok. Click Apply. Click Ok.
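The rights from the two tables above, the password write-back procedure and the two replication rights for password synchronization can be applied from a script instead of the GUI. The following PowerShell is an added example, not code from the post or from Microsoft: it assumes placeholder values for the domain DN and the sync account, relies on standard dsacls syntax (WP = write property, CA = control-access/extended right, /I:S = inherit to sub-objects only) rather than anything the post shows, and reads the resulting ACEs back so they can be checked against the tables.

```powershell
# Added example, not from the original post: apply the minimum rights listed
# above to the AAD Sync AD DS account with dsacls, then read the ACL back.
# Assumptions: $DomainDN and $Account are placeholders; the dsacls syntax used
# here (WP, CA, /I:S) is standard dsacls and is not taken from the post.
$DomainDN = 'DC=contoso,DC=com'   # placeholder: root of each domain in the forest
$Account  = 'CONTOSO\aadsyncsvc'  # placeholder: the account given to the wizard

# Exchange hybrid write-back attributes and the object classes they apply to,
# taken from the post's permission table ("Write", "The child objects only").
$UserClasses = @('user', 'inetOrgPerson')
$WriteBack = @(
    @{ Attr = 'proxyAddresses';            Classes = @('contact', 'group') + $UserClasses }
    @{ Attr = 'msExchArchiveStatus';       Classes = $UserClasses }
    @{ Attr = 'msExchBlockedSendersHash';  Classes = $UserClasses }
    @{ Attr = 'msExchSafeRecipientsHash';  Classes = $UserClasses }
    @{ Attr = 'msExchSafeSendersHash';     Classes = $UserClasses }
    @{ Attr = 'msExchUCVoiceMailSettings'; Classes = $UserClasses }
    @{ Attr = 'msExchUserHoldPolicies';    Classes = $UserClasses }
)

# Build one argument array per dsacls call so the full set can be reviewed
# with -WhatIf before anything in the directory is changed.
function Get-AadSyncDsaclsCalls {
    $calls = @()
    foreach ($entry in $WriteBack) {
        foreach ($class in $entry.Classes) {
            # /I:S = sub-objects only, i.e. "The child objects only" in the table
            $calls += ,@($DomainDN, '/I:S', '/G', "${Account}:WP;$($entry.Attr);$class")
        }
    }
    # Password write-back: Reset Password and Change Password on descendant users
    foreach ($right in 'Reset Password', 'Change Password') {
        $calls += ,@($DomainDN, '/I:S', '/G', "${Account}:CA;$right;user")
    }
    # Password synchronization: both replication rights on the domain root itself
    foreach ($right in 'Replicating Directory Changes', 'Replicating Directory Changes All') {
        $calls += ,@($DomainDN, '/G', "${Account}:CA;$right")
    }
    return ,$calls
}

function Grant-AadSyncRights {
    param([switch]$WhatIf)
    foreach ($a in (Get-AadSyncDsaclsCalls)) {
        if ($WhatIf) { Write-Output ("dsacls " + ($a -join ' ')) }
        else         { & dsacls @a | Out-Null }
    }
}

# Read back every ACE on the domain root that names the sync account. Anything
# beyond the rights in the tables above is more than the account needs.
function Test-AadSyncRights {
    & dsacls $DomainDN | Select-String -SimpleMatch $Account
}

Grant-AadSyncRights -WhatIf   # review the calls first; drop -WhatIf to apply
Test-AadSyncRights
```

Run it once per domain in the forest, changing $DomainDN each time, since the post requires the rights on the root object of each domain.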

 

When you configure Azure AD Sync, you need to provide the credentials of an account that is used by Azure AD Sync to connect to your Azure AD.

You should apply the following best practices to this account:

  • You should create a separate account that is only used by Azure AD Sync.
  • You should configure the account with a strong password that is 16 characters long.
  • You should set the “Password never expires” flag on the account.
    To accomplish this task, you can use the following PowerShell command:

    Set-MsolUser -UserPrincipalName syncaccount@contoso.com -PasswordNeverExpires $True

  • Your account must have Global Administrator as Organizational Role selected.

You can download the most recent version of Azure AD Sync using the following link: http://go.microsoft.com/fwlink/?LinkId=511690

To start the installation process, launch the executable called MicrosoftAzureADConnectionTool.exe.
This self-extracting executable puts all required files on the local drive and starts the installation process.
If you cancel the installation procedure, a shortcut is created in the start menu and on the desktop.

If you need to use SQL Server or a domain account for the service account you need to cancel the wizard now. Up to this point, the installation process has already created a local folder that includes Azure AD Sync related files. You need the content of this folder to rerun the installation process with parameters.

  1. Open a command prompt, and then go to C:\Program Files\Microsoft Azure AD Connection Tool.
  2. Start the wizard again with the following parameters:

    DirectorySyncTool.exe /sqlserver localhost
                          /sqlserverinstance InstanceName
                          /serviceAccountDomain Azure AD Sync
                          /serviceAccountName Azure AD SyncSvc
                          /serviceAccountPassword VerySecretP@ssw0rd

    Note
    If you want to use the default SQL partition, then don’t specify this parameter.

At this point, you are ready to complete the dialog pages that are associated with the installation process.

To install the Azure AD Sync tool, you need to complete the following dialog pages:

  1. Install
  2. Connect to Azure Active Directory
  3. Connect to Active Directory Domain Services
  4. Configure User Matching
  5. Optional features
  6. Azure AD Apps
  7. Azure AD attributes
  8. Ready to configure
  9. Finished

 

As a first step of the installation process, you need to agree to the license terms and conditions and you need to specify the installation location of Azure AD Sync.

 

To connect to your Azure AD directory, the Azure AD Sync tool needs the credentials of an account with sufficient permissions.

For more details, see Create an account to connect to Azure AD.

 

To connect to your Active Directory Domain Service, the Azure AD Sync tool needs the credentials of an account with sufficient permissions. For more details, see Create an AD account to connect to AD DS.

 

On the Uniquely identifying your users page, you need to configure the following:

  1. Matching across forests
  2. Matching with Azure AD

 

The Matching across forests feature allows you to define how users from your ADDS forests are represented in Azure AD.
A user might either be represented only once across all forests or have a combination of enabled and disabled accounts.

  • My users are only represented once across all forests – All users are created as individual objects in Azure AD. The objects are not joined in the metaverse.
  • Mail attribute – This option joins users and contacts if the mail attribute has the same value in different forests. It is recommended to use this option when your contacts have been created using GALSync.
  • ObjectSID and msExchangeMasterAccountSID – This option joins an enabled user in an account forest with a disabled user in an Exchange resource forest. This is also known as a linked mailbox in Exchange.
  • sAMAccountName and MailNickName – This option joins on attributes where it is expected the login ID for the user can be found.
  • My own attribute – This option allows you to select your own attribute. Limitation in CTP: make sure to pick an attribute which will already exist in the metaverse. If you pick a custom attribute the wizard will not be able to complete.

 

You can use this option to specify the attribute you want to use for identity federation. The sourceAnchor attribute is an attribute that does not change during the lifetime of a user object. In single-forest environments where accounts are never moved between forests, objectGUID is a good candidate. If users are moved between forests or domains, then an alternative attribute must be selected.

The userPrincipalName attribute is the user’s login ID in Azure AD. By default the userPrincipalName attribute in ADDS is used. If this attribute is not routable or not suitable as the login ID a different attribute, such as mail, can be selected in the installation guide.

 

If you have an Exchange hybrid deployment, then select this checkbox. This will write-back some attributes from Exchange Online to the on-premises Active Directory. Password write-back is an Azure Active Directory Premium feature. For more information on how to configure this, please see http://blogs.technet.com/b/ad/archive/2014/04/29/deep-dive-password-reset-with-on-premise-sync-in-azure-ad-premium.aspx.

If you want to review or limit the attributes which are synchronized with Azure AD, then select Azure AD app and attribute filtering. You will then get two additional pages in the wizard.

For more information about password synchronization, see Implement password synchronization with Azure Active Directory Sync.

 

If you want to limit which attributes to synchronize to Azure AD, then start by selecting which services you are using. If you configure this page, any new service has to be selected explicitly by re-running the installation guide.

 

Based on the services selected in the previous step, this page shows all attributes which will be synchronized. This list is a combination of all object types being synchronized. If there are particular attributes you need to not synchronize, you can unselect those. In the example, the extensionAttributes and homePhone attributes have been unselected and will not synchronize to Azure AD.

 

This page provides you with a summary of your configuration. You should carefully review this summary before you proceed with the next page. If this step fails with an “Unable to communicate with the Windows Azure Active Directory service” error and you have a proxy server configured, you should add proxy settings to the “machine.config” file of your Azure AD Sync computer.
For more details, see <proxy> Element (Network Settings).

 

A default configuration has now been created and if you are ready to start synchronizing, then click Finish.
If you need to make some additional configuration before you start synchronization, then unselect the Synchronize now checkbox before you click Finish. This will create a disabled task in task scheduler. When you are done with your configuration, start the periodic synchronization by enabling this task.

 

 

After completing the wizard, uncheck the Synchronize now option.

Run a full sync using C:\Program Files\Microsoft Azure AD Sync\Bin\DirectorySyncClientCmd.exe initial


Azure AD Full Synchronization

There is a utility called DirectorySyncClientCmd.exe which executes the sequence of actions to synchronize on-premises identities with Office 365.

To run a full synchronization, run “C:\Program Files\Microsoft Azure AD Sync\Bin\DirectorySyncClientCmd.exe initial”.

It’s recommended that you perform a full synchronization after making a major change in your Azure AD Sync configuration, such as enabling password synchronization for users.

Azure AD Delta Synchronization

To perform a delta synchronization with Office 365, the same executable is used to synchronize only the changed users from on-premises to Office 365. By default the Azure AD Sync tool performs a delta sync every 3 hours. Later in this article we’ll learn how to change the default sync interval of the tool.

C:\Program Files\Microsoft Azure AD Sync\Bin\DirectorySyncClientCmd.exe delta

Important Event Viewer IDs to monitor on the Azure AD Sync server (ADSync)

Event ID 31005 (onboarding completed) means the onboarding succeeded.

Event ID 656 is logged for a user password change request.

Event ID 31007 is logged when a change password succeeds.

Event ID 31002 is logged when a password reset succeeds.
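To watch these events without clicking through Event Viewer, the following PowerShell is an added example, not part of the post: it assumes the events are written to the Application log by a provider named ADSync (the post writes it as ADSYnc), and it summarizes password change requests against the success events over a time window so that requests that never succeeded stand out.

```powershell
# Added example, not from the original post: pull the write-back events listed
# above from the Application log and summarize them for a quick health check.
# Assumption: the events come from the provider 'ADSync'; change -ProviderName
# if your server logs them under a different source.
$EventMeaning = @{
    31005 = 'Onboarding completed'
    656   = 'User password change request'
    31007 = 'Change password success'
    31002 = 'Password reset success'
}

function Get-AadSyncWritebackEvents {
    param([int]$Hours = 24, [string]$ProviderName = 'ADSync')
    $filter = @{
        LogName      = 'Application'
        ProviderName = $ProviderName
        Id           = [int[]]$EventMeaning.Keys
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent throws when nothing matches; treat that as "no events".
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated -Descending |
        Select-Object TimeCreated, Id,
            @{ Name = 'Meaning'; Expression = { $EventMeaning[$_.Id] } },
            Message
}

function Get-AadSyncWritebackSummary {
    param([int]$Hours = 24, [string]$ProviderName = 'ADSync')
    $events = @(Get-AadSyncWritebackEvents -Hours $Hours -ProviderName $ProviderName)
    $counts = @{}
    foreach ($id in $EventMeaning.Keys) { $counts[$id] = 0 }
    foreach ($e in $events) { $counts[$e.Id]++ }
    # Requests (656) that never produced a success (31007 or 31002) are the
    # signal worth a look: write-back may be failing, or the reset flow is
    # being driven much harder than usual.
    $requests  = $counts[656]
    $successes = $counts[31007] + $counts[31002]
    [pscustomobject]@{
        Hours                  = $Hours
        OnboardingCompleted    = $counts[31005]
        ChangeRequests         = $requests
        ChangePasswordSuccess  = $counts[31007]
        PasswordResetSuccess   = $counts[31002]
        RequestsWithoutSuccess = [math]::Max(0, $requests - $successes)
    }
}

Get-AadSyncWritebackSummary -Hours 24 | Format-List
Get-AadSyncWritebackEvents  -Hours 24 | Format-Table -AutoSize -Wrap
```

The count comparison is by totals only; to tie an individual request to its outcome, match on the user named in the event Message.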

After the configuration succeeds, the remaining configuration is done in the Azure AD portal.

Log in to the Azure AD portal. You need an Enterprise Mobility Suite subscription to enable the password reset option.

Azure Active Directory editions

Source: Microsoft TechNet blog



Published: November 21, 2013

Updated: May 5, 2015

Applies To: Azure, Azure Active Directory, Office 365

Azure Active Directory is a service that provides comprehensive identity and access management capabilities in the cloud. It combines directory services, advanced identity governance, application access management and a rich standards-based platform for developers. For more information, see this video.

Built on top of a large set of free capabilities in Microsoft Azure Active Directory, Azure Active Directory Premium and Basic editions provide a set of more advanced features to empower enterprises with more demanding identity and access management needs. For the pricing options for these editions, see Azure Active Directory Pricing. When you subscribe to Azure, you get your choice of the following free and paid editions of Azure Active Directory:

  • Free – With the Free edition of Azure Active Directory, you can manage user accounts, synchronize with on-premises directories, get single sign on across Azure, Office 365, and thousands of popular SaaS applications like Salesforce, Workday, Concur, DocuSign, Google Apps, Box, ServiceNow, Dropbox, and more.
  • Basic – Azure Active Directory Basic edition provides application access and self-service identity management requirements for task workers with cloud-first needs. With the Basic edition of Azure Active Directory, you get all the capabilities that Azure Active Directory Free has to offer, plus group-based access management, self-service password reset for cloud applications, Azure Active Directory application proxy (to publish on-premises web applications using Azure Active Directory), customizable environment for launching enterprise and consumer cloud applications, and an enterprise-level SLA of 99.9 percent uptime. An administrator with Azure Active Directory Basic edition can also activate an Azure Active Directory Premium trial.
  • Premium – With the Premium edition of Azure Active Directory, you get all of the capabilities that the Azure Active Directory Free and Basic editions have to offer, plus additional feature-rich enterprise-level identity management capabilities explained below.

To sign up and start using Active Directory Premium today, see Getting started with Azure Active Directory Premium.

noteNote
Azure Active Directory Premium and Azure Active Directory Basic are not currently supported in China. Please contact us at the Azure Active Directory Forum for more information.

Active Directory Basic edition is a paid offering of Azure Active Directory and includes all of the features of the Free edition plus the following features:

  • Company branding – To make the end user experience even better, you can add your company logo and color schemes to your organization’s Sign In and Access Panel pages. Once you’ve added your logo, you also have the option to add localized versions of the logo for different languages and locales. For more information, see Add company branding to your Sign In and Access Panel pages.
  • Group-based application access – Use groups to provision users and assign user access in bulk to thousands of SaaS applications. These groups can either be created solely in the cloud or you can leverage existing groups that have been synced in from your on-premises Active Directory. For more information, see Assign access for a group to a SaaS application in Azure AD.
  • Self-service password reset – Azure has always allowed directory administrators to reset passwords. With Azure Active Directory Basic, you can now reduce helpdesk calls when your users forget a password by giving all users in your directory the capability to reset their password, using the same sign in experience they have for Office 365. For more information, see Password Management in Azure AD.
  • Enterprise SLA of 99.9% – We guarantee at least 99.9% availability of the Azure Active Directory Basic service.
  • Azure Active Directory Application Proxy – Give your employees secure access to on-premises applications like SharePoint and Exchange/OWA from the cloud using Azure Active Directory.

Active Directory Premium edition is a paid offering of Azure Active Directory and includes all of the features of the Free and Basic editions plus the following features:

  • Self-service group management – Azure Active Directory Premium simplifies day-to-day administration of groups by enabling users to create groups, request access to other groups, delegate group ownership so others can approve requests and maintain their group’s memberships. For more information, see Self-service group management for users in Azure AD.
  • Advanced security reports and alerts – Monitor and protect access to your cloud applications by viewing detailed logs showing more advanced anomalies and inconsistent access pattern reports. Advanced reports are machine learning-based and can help you gain new insights to improve access security and respond to potential threats. For more information, see View your access and usage reports.
  • Multi-Factor Authentication – Multi-Factor Authentication is now included with Premium and can help you to secure access to on-premises applications (VPN, RADIUS, etc.), Azure, Microsoft Online Services like Office 365 and Dynamics CRM Online, and thousands of Non-MS Cloud services preintegrated with Azure Active Directory. Simply enable Multi-Factor Authentication for Azure Active Directory identities, and users will be prompted to set up additional verification the next time they sign in. For more information, see Adding Multi-Factor Authentication to Azure Active Directory.
  • Microsoft Identity Manager (MIM) – Premium comes with the option to grant rights to use a MIM server (and CALs) in your on-premises network to support any combination of Hybrid Identity solutions. This is a great option if you have a variation of on-premises directories and databases that you want to sync directly to Azure Active Directory. There is no limit on the number of FIM servers you can use, however, MIM CALs are granted based on the allocation of an Azure Active Directory premium user license. For more information, see Deploy MIM 2010 R2.
  • Enterprise SLA of 99.9% – We guarantee at least 99.9% availability of the Azure Active Directory Premium service. For more information, see Active Directory Premium SLA.
  • Password reset with write-back – Self-service password reset can be written back to on-premises directories.

Azure Active Directory Basic and Azure Active Directory Premium have more advanced capabilities to help streamline enterprise-level administrative tasks and make an administrator’s life easier. The following table describes common admin benefits and how signing up for Azure Active Directory Basic or Azure Active Directory Premium help simplify them.

Features by edition (Free / Basic / Premium):

Common features (available in Free, Basic and Premium):
  • Directory as a service – Free: up to 500K objects (1); Basic and Premium: no object limit
  • User and group management using UI or Windows PowerShell cmdlets
  • Device registration
  • Access Panel portal for SSO-based user access to SaaS and custom applications – Free and Basic: up to 10 apps per user (2); Premium: no app limit
  • User-based application access management and provisioning
  • Self-service password change for cloud users
  • Directory synchronization tool – For syncing between on-premises Active Directory and Azure Active Directory
  • Standard security reports

Premium and Basic features (not in Free):
  • High availability SLA uptime (99.9%)
  • Group-based application access management and provisioning
  • Customization of company logo and colors to the Sign In and Access Panel pages
  • Self-service password reset for cloud users
  • Application Proxy: Secure Remote Access and SSO to on-premises web applications

Premium-only features:
  • Self-service group management for cloud users
  • Self-service password reset with on-premises write-back
  • Microsoft Identity Manager (MIM) server licenses – For syncing between on-premises databases and/or directories and Azure Active Directory
  • Advanced anomaly security reports (machine learning-based)
  • Cloud app discovery
  • Advanced application usage reporting
  • Multi-Factor Authentication service for cloud users
  • Multi-Factor Authentication server for on-premises users

(1) The 500K object limit does not apply for Office 365, Windows Intune or any other Microsoft online service that relies on Azure Active Directory for directory services.

(2) With Azure Active Directory Free and Azure Active Directory Basic, end users who have been assigned access to each SaaS app can see up to 10 apps in their Access Panel and get SSO access to them (assuming they have first been configured with SSO by the admin). Admins can configure SSO and assign user access to as many SaaS apps as they want with Free; however, end users will only see 10 apps in their Access Panel at a time.

The following features are currently in public preview and will be added soon:

  • Administrative units: a new Azure Active Directory container of resources that can be used for delegating administrative permissions over subsets of users and applying policies to a subset of users.
  • Add your own SaaS applications to Azure Active Directory.
  • Azure Active Directory Connect Health: monitor the health of your on premises Active Directory infrastructure and get usage analytics.
  • Password rollover for Facebook, Twitter, and LinkedIn. For more information, read this article.
  • Dynamic group membership. For more information, see this article.
  • Conditional Access: Multifactor Authentication per application.
  • HR application integration: Workday.
  • Privileged Identity Management: Privileged identity management provides improved oversight to help meet service level agreements and regulatory compliance requirements.
  • Self-service application requests: Administrators can provide users with a list of SaaS apps from which users choose the ones they want to use, and the apps will be available either immediately or after approval.
  • Azure reporting API: data for every security report of Azure Active Directory will be available to other monitoring or SIEM tools.

To configure user password reset policy, complete the following steps:

  1. Open a browser of your choice and go to the Azure Management Portal.
  2. In the Azure Management Portal, find the Active Directory extension on the navigation bar on the left hand side.
  3. Under the Directory tab, click the directory in which you want to configure the user password reset policy, for example, Wingtip Toys.
  4. Click the Configure tab.
  5. Under the Configure tab, scroll down to the user password reset policy section. This is where you configure every aspect of user password reset policy for a given directory. This policy applies only to end users in your organization, not administrators. For security reasons, Microsoft controls the password reset policy for administrators. If you do not see this section, make sure that you have signed up for the Azure Active Directory Premium and Basic and assigned a license to the administrator account that is configuring this feature.
  6. To configure the user password reset policy, slide the users enabled for password reset toggle to the yes setting. This reveals several more controls which enable you to configure how this feature works in your directory. Feel free to customize password reset as you see fit. If you’d like to learn more about what each of the password reset policy controls does, please see Self-service password reset in Azure AD: how to customize password reset to meet your needs.
  7. After configuring user password reset policy as desired for your tenant, click the Save button at the bottom of the screen.
    Note
    A two challenge user password reset policy is recommended so that you can see how the functionality works in the most complex case.


You have several options on how to specify data for users in your organization to be used for password reset.

  • Edit users in the Azure Management Portal or the Office 365 Management Portal
  • Use AADSync to synchronize user properties into Azure AD from an on-premises Active Directory domain
  • Use Windows PowerShell to edit user properties
  • Allow users to register their own data by guiding them to the registration portal at http://aka.ms/ssprsetup
  • Require users to register for password reset when they sign in to the Access Panel at http://myapps.microsoft.com by setting the Require users to register SSPR configuration option to Yes.

The following table outlines where and how this data is used during password reset and is designed to help you decide which of the above methods you want to use. This table also shows any formatting requirements for cases where you are providing data on behalf of users from input paths that do not validate this data.

  1. In order to use the password reset registration portal, you must provide the users in your organization with a link to this page (http://aka.ms/ssprsetup) or turn on the option to require users to register automatically. Once they click this link, they are asked to sign in with their organizational account. After doing so, they see the registration page.
  2. Here, users can provide and verify their mobile phone or alternate email address. This is what verifying a mobile phone looks like.
  3. After a user specifies this information, the page will update to indicate that the information is valid (it has been obfuscated below). By clicking the finish or cancel buttons, the user will be brought to the Access Panel.
  4. Once a user verifies both of these pieces of information, his or her profile will be updated with the data he or she provided. In this example, the Office Phone number has been specified manually, so the user can also use that as a contact method for resetting his or her password.

Now that you’ve configured a user reset policy and specified contact details for your user, this user can perform a self-service password reset.

  1. If you go to a site like portal.microsoftonline.com, you’ll see the login screen. Click the “can’t access your account” link to test the password reset UI.
  2. After clicking “can’t access your account”, you are brought to a new page which will ask for a user ID for which you wish to reset a password. Enter your test user ID here, pass the captcha, and click “next”.
  3. Since the user has specified an office phone, mobile phone, and alternate email in this case, you see that he has been given all of those as options to pass the first challenge.
  4. In this case, choose to call the office phone first. Note that when selecting a phone-based method, users will be asked to verify their phone number before they can reset their passwords. This is to prevent malicious individuals from spamming phone numbers of users in your organization.
  5. Once the user confirms their phone number, clicking Call will cause a spinner to appear and his or her phone to ring. A message will play once he or she picks up the phone indicating that the user should press “#” to verify his or her account. Pressing this key will automatically verify that the user possesses the first challenge and advance the UI to the second verification step.
  6. Once you’ve passed the first challenge, the UI is automatically updated to remove it from the list of choices the user has. In this case, because you used your Office Phone first, only Mobile Phone and Alternate Email remain as valid options to use as the challenge for the second verification step. Click on the Email my alternate email option. After you have done that, pressing email will email the alternate email on file.
  7. Here is a sample of an email that users will see – notice the tenant branding.
  8. Once the email arrives, the page will update, and you’ll be able to enter the verification code found in the email in the input box. After a proper code is entered, the next button lights up, and you are able to pass through the second verification step.
  9. Once you’ve met the requirements of the organizational policy, you are allowed to choose a new password. The password is validated against the AAD “strong” password requirements (Password policy in Azure AD), and a strength validator appears to indicate to the user whether the password entered meets that policy.
  10. Once you provide matching passwords that meet the organizational policy, your password is reset and you can log in with your new password immediately.

To reset a password directly, use the following link:

https://passwordreset.microsoftonline.com

Blogs followed

Self-service password reset in Azure AD: how to customize password reset to meet your needs

Directory Integration Tools

FAQ/Troubleshooting for Azure AD password management

Self-service password reset in Azure AD: how to enable, configure, and test self-service password reset

Password writeback: how to configure Azure AD to manage on-premises passwords


Self-service password reset in Azure AD: deployment and management best practices