Microsoft Entra

Align your on-premises AD password expiration policy with Azure AD.


Microsoft released the EnforceCloudPasswordPolicyForPasswordSyncedUsers feature in February this year, initially in public preview. When organizations do not use this feature and sync their identities with password hash synchronization enabled, users whose on-premises password has expired can continue working with their Azure AD account. I would say that is something to worry about; however, not many organizations use the feature or are familiar with how it works. With this feature, the AD and Azure AD password expiration behaviour is brought in line. In this blog post, I describe what the feature does and walk you through configuring it for your tenant.

If you have an expiration policy configured in your on-premises environment, it is not synced to Azure AD. This results in a scenario where a user can continue working and accessing company resources when authenticating against Azure AD, even though the password has expired in the on-premises AD. If you want both passwords to expire at the same moment, you should consider implementing this feature.

Many organizations that use password hash synchronization to sync their identities from AD to Azure AD are not aware of the consequences of an expired password. The expiration policy within Azure AD should match your on-premises AD policy, and you need to enable the EnforceCloudPasswordPolicyForPasswordSyncedUsers feature before Azure AD will mark a synced user's password as expired at all.

Below you will find step-by-step guidance on how to enable and configure this feature.

  1. Run the Get-MsolDirSyncFeatures cmdlet with the feature name EnforceCloudPasswordPolicyForPasswordSyncedUsers to check whether the feature is enabled (the original post shows the command and its output in a screenshot). If the feature is disabled, the Enabled column shows the value “False”.
  2. To enable the EnforceCloudPasswordPolicyForPasswordSyncedUsers feature, run the following command against your tenant:
Set-MsolDirSyncFeature -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers -Enable $true

By default, the value DisablePasswordExpiration is set for every synced user, which means that password expiration in Azure AD does not follow the on-premises AD policy. This results in a scenario where a user is not prompted to change the password when accessing company resources through Azure AD.

  3. Run the command below to check which users have password expiration disabled (the -All switch is needed, otherwise only the first page of users is returned):
Get-AzureADUser -All $true | Select-Object UserPrincipalName, PasswordPolicies
By default, synced users have the value “DisablePasswordExpiration” set.

To make synced users follow the on-premises password expiration policy, the PasswordPolicies value must be set to None. Enabling the feature does not change existing users immediately: change a user's on-premises password and let the next sync cycle run (or trigger one), and after the sync the value changes to “None”.

The password policy is changed to “None” because of an on-premises password change.
  4. Run the command below to change the value manually to “None” for a specific user (the -ObjectId parameter accepts the user's object ID or user principal name):
Set-AzureADUser -ObjectId YourUserName -PasswordPolicies None

  5. Additionally, run the command below to update the value for all synced users. Read the important note below before running it.

Get-AzureADUser -All $true | Where-Object { $_.DirSyncEnabled -eq $true -and $_.PasswordPolicies -eq 'DisablePasswordExpiration' } | ForEach-Object {
    Set-AzureADUser -ObjectId $_.ObjectId -PasswordPolicies None
}

Important note:
If you have specific synchronized AD accounts, such as service accounts, that must keep non-expiring passwords in Azure AD, you must explicitly set the DisablePasswordExpiration value in the PasswordPolicies attribute for those accounts. Otherwise they fall under the cloud expiration policy like every other synced user, and an on-premises password change will flip them to “None” as well.
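As an added example (this script is not from the original post), here are the five steps above combined into one PowerShell script, with an exclusion list for the service accounts the note refers to, a dry-run switch, and a check that the tenant's cloud password validity period matches the on-premises maximum password age, since once the feature is on it is the cloud validity period that Azure AD enforces for synced users. The UPNs, the domain name, the 90-day value, and the names Remove-ExpirationFlag and -DryRun are my own placeholders. Note that the MSOnline and AzureAD modules used here (and in the post) are being retired by Microsoft in favor of the Microsoft Graph PowerShell SDK, where the per-user change is Update-MgUser -PasswordPolicies None.

```powershell
# Added example, not code from the original post. Walks through the five steps
# end to end with a dry-run switch and an exclusion list for accounts that must
# keep non-expiring passwords. Requires the MSOnline and AzureAD modules.
param(
    # ASSUMED placeholders: replace with your own service-account UPNs and domain.
    [string[]] $KeepNonExpiring = @('svc-backup@contoso.com', 'svc-scanner@contoso.com'),
    [string]   $DomainName = 'contoso.com',
    [int]      $OnPremMaxPasswordAgeDays = 90,   # assumed on-premises maximum password age
    [switch]   $DryRun
)

# Removes DisablePasswordExpiration from a PasswordPolicies string but keeps any other
# flag (for example DisableStrongPassword); an empty result becomes the literal 'None'.
function Remove-ExpirationFlag([string] $Policies) {
    $rest = @($Policies -split ',' |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and $_ -ne 'DisablePasswordExpiration' -and $_ -ne 'None' })
    if ($rest.Count -eq 0) { 'None' } else { $rest -join ', ' }
}

Connect-MsolService
Connect-AzureAD | Out-Null

$feature = 'EnforceCloudPasswordPolicyForPasswordSyncedUsers'

# Steps 1 and 2: check the tenant-wide feature and enable it if needed.
$state = Get-MsolDirSyncFeatures -Feature $feature
if ($state.Enabled) {
    Write-Host "$feature is already enabled."
} elseif ($DryRun) {
    Write-Host "$feature is disabled; would enable it."
} else {
    Set-MsolDirSyncFeature -Feature $feature -Enable $true -Force
    Write-Host "$feature enabled."
}

# With the feature on, Azure AD applies the cloud validity period to synced users,
# so it should equal the on-premises maximum password age; warn if it does not.
$cloudPolicy = Get-MsolPasswordPolicy -DomainName $DomainName
if ($cloudPolicy.ValidityPeriod -ne $OnPremMaxPasswordAgeDays) {
    Write-Warning "Cloud validity period for $DomainName is $($cloudPolicy.ValidityPeriod) days but the on-premises maximum password age is $OnPremMaxPasswordAgeDays days; align them with Set-MsolPasswordPolicy."
}

# Step 3: audit synced users that still carry DisablePasswordExpiration.
$synced = @(Get-AzureADUser -All $true | Where-Object { $_.DirSyncEnabled -eq $true })
$stale  = @($synced | Where-Object { $_.PasswordPolicies -match 'DisablePasswordExpiration' })
Write-Host "$($synced.Count) synced users, $($stale.Count) with password expiration disabled."
$stale | Select-Object UserPrincipalName, PasswordPolicies, LastDirSyncTime | Format-Table -AutoSize

# Case-insensitive lookup for the exclusion list so a casing difference in a UPN
# does not silently put a service account under the expiration policy.
$keep = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
foreach ($upn in $KeepNonExpiring) { [void] $keep.Add($upn) }

# Steps 4 and 5: clear the flag for every synced user except the exclusions.
foreach ($user in $stale) {
    if ($keep.Contains($user.UserPrincipalName)) {
        Write-Host "Keeping non-expiring password for $($user.UserPrincipalName)"
        continue
    }
    $newPolicy = Remove-ExpirationFlag $user.PasswordPolicies
    if ($DryRun) {
        Write-Host "Would set PasswordPolicies '$newPolicy' for $($user.UserPrincipalName)"
    } else {
        Set-AzureADUser -ObjectId $user.ObjectId -PasswordPolicies $newPolicy
    }
}

# The important note above: a service account whose on-premises password changed after
# the feature went live has already been switched to None and needs the flag put back.
foreach ($upn in $KeepNonExpiring) {
    $svc = $synced | Where-Object { $_.UserPrincipalName -eq $upn } | Select-Object -First 1
    if (-not $svc) { Write-Warning "Exclusion $upn not found among synced users"; continue }
    if ($svc.PasswordPolicies -match 'DisablePasswordExpiration') { continue }
    if ($DryRun) {
        Write-Host "Would restore DisablePasswordExpiration for $upn"
    } else {
        Set-AzureADUser -ObjectId $svc.ObjectId -PasswordPolicies 'DisablePasswordExpiration'
    }
}
```

Run it once with -DryRun and review the audit table and the "Would ..." lines before running it for real; the exclusion pass runs after the bulk change so that a service account accidentally left off the list for one run can still be repaired by adding it and running the script again.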
