AD Connector created users have no role and can't set their own password

We've been using TeamViewer Corporate with AD Connector for several years now. Recently we found that newly created users are unable to set their own password. This is being caused because the new users are being created without a default role which has password changes enabled. I did not see any notice about this major change of apparent behaviour.

I tried setting the role we'd like assigned to new users to be predefined, but it didn't have any effect. New users still get created with no role.

Am I missing something? Surely we don't have to manually set the role on each new user created now? Do I need to modify something in the AD Connector scripts to set the role during creation?

Also, is there a way to enforce two-factor for all/new users?