Microsoft released the EnforceCloudPasswordPolicyForPasswordSyncedUsers feature in February this year, at that time in public preview. When organizations sync their identities with password hash synchronization enabled but do not use this feature, users whose password has expired can keep working with their Azure AD account. I would say that is something to worry about; however, not many organizations use the feature or are familiar with how it works. With this feature, the Azure AD password expiration policy is aligned with the on-premises AD policy. In this blog post, I describe how the feature works and help you configure it for your tenant.
If you have a password expiration policy configured in your on-premises environment, it is not synced to Azure AD. This results in a scenario where a user can keep working and accessing company resources when authenticating against Azure AD, even though the password has expired in the on-premises AD. If you want both passwords to expire at the same moment, you should consider implementing this feature.
Many organizations that use password hash synchronization to sync their identities from AD to Azure AD are not aware of the consequences of an expired password. The expiration policy in Azure AD should follow your on-premises AD policy. To make that happen, you need to enable the EnforceCloudPasswordPolicyForPasswordSyncedUsers feature; until you do, Azure AD will never mark a synced user's password as expired.
Below you will find step-by-step guidance on how to enable and configure this feature.
- Run the PowerShell command below (MSOnline module, after Connect-MsolService) to check whether the feature is enabled:
Get-MsolDirSyncFeatures
- To enable EnforceCloudPasswordPolicyForPasswordSyncedUsers, run the command below in your tenant:
Set-MsolDirSyncFeature -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers -Enable $true
By default, PasswordPolicies is set to DisablePasswordExpiration for every synced user, which means the password never expires in Azure AD regardless of the on-premises AD policy. The result is that a user is not prompted to change the password when accessing company resources, even after it has expired on-premises.
- Run the command below (AzureAD module, after Connect-AzureAD) to check which users have a password expiration set; -All $true is needed because the cmdlet otherwise returns only the first 100 users:
Get-AzureADUser -All $true | Select-Object UserPrincipalName, PasswordPolicies
To follow the on-premises password expiration policy, the PasswordPolicies value must be None. Enabling the feature does not change existing users by itself: change the user's on-premises password and let the next synchronization cycle run (or trigger one). After the password change has been synced, the value should read "None".
- Alternatively, run the command below to set the value to "None" for a specific user (-ObjectId accepts either the object ID or the user principal name):
Set-AzureADUser -ObjectId YourUserName -PasswordPolicies None
- To update the value for all synced users at once, run the command below. Read the important note below before running it.
Get-AzureADUser -All $true | Where-Object { $_.DirSyncEnabled -eq $true -and $_.PasswordPolicies -eq 'DisablePasswordExpiration' } | ForEach-Object {
Set-AzureADUser -ObjectId $_.ObjectId -PasswordPolicies None
}
Important note:
If you have specific synchronized AD accounts, e.g., service accounts, that need non-expiring passwords in Azure AD, the bulk command above will set them to None as well. Exclude those accounts from the command, or explicitly set the DisablePasswordExpiration value on their PasswordPolicies attribute again afterwards, and verify the result with the Get-AzureADUser command above.
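The steps above as one script, added here as an example and not code from the original post. It enables the tenant feature if needed, flips every synced user that still has DisablePasswordExpiration to None, skips a list of accounts that must keep non-expiring passwords, restores DisablePasswordExpiration on those if an earlier bulk run removed it, and prints the end state. It assumes the MSOnline and AzureAD modules are installed, a Global Administrator sign-in, and the example UPNs in $KeepNonExpiring, which are placeholders you must replace.

```powershell
<#
Added example (not from the original post). Requires the MSOnline and AzureAD
PowerShell modules and a Global Administrator account. The UPNs in
$KeepNonExpiring are placeholders (assumption); replace them with your own
synced service accounts. Run with -WhatIf first to see what would change.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    # Synced accounts (e.g. service accounts) that must keep DisablePasswordExpiration.
    [string[]]$KeepNonExpiring = @('svc-backup@contoso.com', 'svc-scan@contoso.com')
)

Connect-MsolService
Connect-AzureAD | Out-Null

# 1. Tenant-level feature: check, and enable only when it is still off.
$feature = Get-MsolDirSyncFeatures -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers
if (-not $feature.Enabled) {
    if ($PSCmdlet.ShouldProcess('tenant', 'Enable EnforceCloudPasswordPolicyForPasswordSyncedUsers')) {
        # -Force suppresses the interactive confirmation prompt.
        Set-MsolDirSyncFeature -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers -Enable $true -Force
    }
} else {
    Write-Host 'EnforceCloudPasswordPolicyForPasswordSyncedUsers is already enabled.'
}

# 2. Audit: all synced users, and the subset whose policy still disables expiration.
#    -All $true is required; without it the cmdlet returns only the first 100 users.
#    -match (not -eq) also catches combined values such as
#    "DisablePasswordExpiration, DisableStrongPassword".
$keep   = @($KeepNonExpiring | ForEach-Object { $_.ToLowerInvariant() })
$synced = @(Get-AzureADUser -All $true | Where-Object { $_.DirSyncEnabled -eq $true })
$stale  = @($synced | Where-Object { $_.PasswordPolicies -match 'DisablePasswordExpiration' })
Write-Host ("Synced users: {0}; still non-expiring: {1}" -f $synced.Count, $stale.Count)

# 3. Set PasswordPolicies to None, skipping the exclusion list.
#    Note: None clears every policy flag on the user, not just DisablePasswordExpiration.
foreach ($u in $stale) {
    if ($keep -contains $u.UserPrincipalName.ToLowerInvariant()) {
        Write-Host "Keeping non-expiring password: $($u.UserPrincipalName)"
        continue
    }
    if ($PSCmdlet.ShouldProcess($u.UserPrincipalName, 'Set PasswordPolicies = None')) {
        Set-AzureADUser -ObjectId $u.ObjectId -PasswordPolicies None
    }
}

# 4. Make sure the exclusion list really is non-expiring; a previous bulk run
#    (or a synced password change) may have flipped these accounts to None.
foreach ($upn in $KeepNonExpiring) {
    $u = $synced | Where-Object { $_.UserPrincipalName -eq $upn }   # -eq is case-insensitive
    if ($null -eq $u) { Write-Warning "Not found or not a synced user: $upn"; continue }
    if ($u.PasswordPolicies -notmatch 'DisablePasswordExpiration') {
        if ($PSCmdlet.ShouldProcess($upn, 'Set PasswordPolicies = DisablePasswordExpiration')) {
            Set-AzureADUser -ObjectId $u.ObjectId -PasswordPolicies DisablePasswordExpiration
        }
    }
}

# 5. Re-read the directory and report, so the change can be verified after the run.
Get-AzureADUser -All $true |
    Where-Object { $_.DirSyncEnabled -eq $true } |
    Select-Object UserPrincipalName, PasswordPolicies |
    Sort-Object PasswordPolicies, UserPrincipalName |
    Format-Table -AutoSize
```

Save it as, for example, Sync-PasswordExpiration.ps1 and run .\Sync-PasswordExpiration.ps1 -WhatIf first; every Set-* call is gated by ShouldProcess, so the dry run lists exactly which users would change and which are kept. Accounts in $KeepNonExpiring should be re-checked after on-premises password changes, since the synced value can be overwritten at that point.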
Thanks for the details. So once the AD and Entra expiration policies are in sync with each other (i.e. Entra is using the AD-based policy), what happens to users that are using Entra ID joined devices only to log in? Do they get notified of an expiring password? How do they change their password?
Sorry for the late response; I have been on holiday. Indeed, users would receive a notification that their password is about to expire. This could be a system notification in Windows, or you can tweak it so that users receive an email.
When the password expires, users must set a new password during login. This is done immediately upon attempting to log in with the expired password. If password writeback is enabled, the password should also be updated in AD.
When the password expires and users must set a new password during login: are the accounts being tagged with "Force Password Change on Next Login", or is it kicking off SSPR?
Thanks