
Make your AD password expiration policy apply in Azure AD.

This blog post was updated on 24-09-2024.

Why should you care?

In February 2020, Microsoft introduced the EnforceCloudPasswordPolicyForPasswordSyncedUsers feature, which was initially available in a public preview. As of 2024, this feature has been renamed to CloudPasswordPolicyForPasswordSyncedUsersEnabled.

When organizations do not utilize this feature and have password hash synchronization enabled, there’s a significant risk: users with expired passwords can still access their Entra ID accounts. This means they can continue working even if their password has expired—an alarming situation.

Despite the potential risks, many organizations remain unaware of this feature or have not yet implemented it. By activating the CloudPasswordPolicyForPasswordSyncedUsersEnabled feature, you can ensure that your on-premises Active Directory (AD) password policies align with those in Entra ID, promoting a more secure and compliant environment.

In this blog post, I will explore the functionality of this important feature and provide step-by-step guidance on configuring it for your tenant. Don’t let your organization fall behind—let’s take the necessary steps to protect your data!

The issue

If you have a password expiration policy configured in your on-premises environment, it is not synced to Entra ID by default. This creates a scenario where a user can continue working and accessing company resources when authenticating against Entra ID, even though their password has expired in the on-premises AD. Consider implementing this feature if you want the password expiration to be synchronized.

Many organizations using password hash synchronization to sync identities from AD to Entra ID are unaware of the consequences of an expired password. The expiration policy in Entra ID should align with your on-premises AD. Therefore, you must configure the EnforceCloudPasswordPolicyForPasswordSyncedUsers feature to ensure that Entra ID properly marks passwords as expired.

Configure expiration policy

Below, you will find step-by-step guidance on how to enable and configure this feature.

1. Run the PowerShell command below on the Entra ID Connect server to check if the feature is enabled:
				
					Get-MsolDirSyncFeatures
				
			

1. Using the Microsoft Graph PowerShell? Run the following:

				
					(Get-MgDirectoryOnPremiseSynchronization).Features
				
			
If the feature is disabled, the value "false" is shown, as in the screenshot.
2. To enable the EnforceCloudPasswordPolicyForPasswordSyncedUsers feature, run the command below in your tenant:
				
					Set-MsolDirSyncFeature -feature EnforceCloudPasswordPolicyForPasswordSyncedUsers $true
				
			
2. Using the MSGraph command? Run the following:
				
					$OnPremSync = Get-MgDirectoryOnPremiseSynchronization
$OnPremSync.Features.CloudPasswordPolicyForPasswordSyncedUsersEnabled = $true

Update-MgDirectoryOnPremiseSynchronization `
-OnPremisesDirectorySynchronizationId $OnPremSync.Id `
-Features $OnPremSync.Features
				
			

By default, the value DisablePasswordExpiration is set for every synced user, meaning the password expiration does not comply with the on-premises AD policy. This results in a scenario where users won’t be prompted to change their password when accessing company resources.

3. Run the command below to check which users have a password expiration set:
				
					Get-AzureADUser | Select-Object UserPrincipalName,passwordpolicies
				
			
3. Using the MSGraph command? Run the following:
				
					(Get-MgUser -UserId <User Object ID> -Property PasswordPolicies).PasswordPolicies
				
			
The value “DisablePasswordExpiration” is assigned to synced users by default.

When you want to comply with the on-premises password expiration policy, the PasswordPolicies value should be set to None. You must change the user’s on-premises password and start an initial sync to apply this change. After the sync, the value should update to “None.”

4. Run the command below to manually change the value to “None” for a specific user:
				
					Set-AzureADUser -ObjectID YourUserName -PasswordPolicies None
				
			
4. Using the MSGraph command? Run the following:
				
					Update-MgUser -UserID <User Object ID> -PasswordPolicies "DisablePasswordExpiration" 
				
			
The password policy changes to “None” due to an on-premises password change.
5. Additionally, run the command below to update all users’ values.
Please read the important notice below before executing the command.
				
					Get-AzureADUser -All $true | Where-Object { $_.DirSyncEnabled -eq $true -and $_.PasswordPolicies -eq ‘DisablePasswordExpiration’ } | ForEach-Object { Set-AzureADUser -ObjectId $_.ObjectID -PasswordPolicies None }
				
			
5. Using the MSGraph command? Run the following:
				
					Get-MgUser -All -Filter "onPremisesSyncEnabled eq true and passwordPolicies eq 'DisablePasswordExpiration'" | 
ForEach-Object { 
    Update-MgUser -UserId $_.Id -PasswordPolicies "None" 
}
				
			

Important Note:
If you have specific synchronized AD accounts, such as service accounts (which I wouldn’t recommend syncing), that require non-expiring passwords in Azure AD, you must explicitly add the DisablePasswordExpiration value to the PasswordPolicies attribute.
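As an added example that is not part of the original post, the following Microsoft Graph PowerShell script combines the checks from steps 1 to 5 into one audit-then-remediate run: it reports the tenant feature state, lists synced users whose cloud password does not expire, skips an exemption list for the accounts described in the note above, and only writes changes once the dry-run flag is cleared. The Connect-MgGraph scopes, the $ExemptUpns values and the $DryRun flag are assumptions, not something the post prescribes.

```powershell
# Added audit/remediation helper (not from the original post).
# Assumes the Microsoft.Graph SDK; $ExemptUpns holds constructed placeholder
# UPNs for accounts that must keep non-expiring passwords (see Important Note).
Connect-MgGraph -Scopes "OnPremDirectorySynchronization.Read.All", "User.ReadWrite.All"

$ExemptUpns = @("svc-backup@contoso.example")   # constructed placeholder values
$DryRun     = $true                             # set to $false to apply changes

# 1. Report the tenant-wide feature state (step 1 of the post).
$sync      = Get-MgDirectoryOnPremiseSynchronization
$featureOn = [bool]$sync.Features.CloudPasswordPolicyForPasswordSyncedUsersEnabled
Write-Host "CloudPasswordPolicyForPasswordSyncedUsersEnabled: $featureOn"

# 2. Find synced users whose cloud password never expires (step 3).
#    PasswordPolicies is not in the default property set, so request it;
#    it is a comma-separated string, hence -match rather than -eq.
$synced = Get-MgUser -All -Filter "onPremisesSyncEnabled eq true" `
    -Property Id, UserPrincipalName, PasswordPolicies

$nonExpiring = @($synced | Where-Object {
    $_.PasswordPolicies -and $_.PasswordPolicies -match 'DisablePasswordExpiration'
})

# Keep the exempt service accounts exactly as they are.
$exempt = @($nonExpiring | Where-Object { $ExemptUpns -contains $_.UserPrincipalName })
$toFix  = @($nonExpiring | Where-Object { $ExemptUpns -notcontains $_.UserPrincipalName })

Write-Host ("Synced: {0}  Non-expiring: {1}  Exempt: {2}  To fix: {3}" -f `
    @($synced).Count, $nonExpiring.Count, $exempt.Count, $toFix.Count)

# 3. Remediate (step 5). Setting None replaces the whole attribute, so any
#    other policy value on the same user (e.g. DisableStrongPassword) is dropped.
foreach ($u in $toFix) {
    if ($DryRun) {
        Write-Host "Would set PasswordPolicies=None for $($u.UserPrincipalName)"
    } else {
        Update-MgUser -UserId $u.Id -PasswordPolicies "None"
        Write-Host "Set PasswordPolicies=None for $($u.UserPrincipalName)"
    }
}
```

Run it once with $DryRun left at $true and review the "Would set" lines before applying, since the change forces an expired-password prompt at next sign-in for every affected user.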
