This blogpost has been updated on 24-09-2024
Why should you care?
In February 2020, Microsoft introduced the EnforceCloudPasswordPolicyForPasswordSyncedUsers feature, which was initially available in a public preview. As of 2024, this feature has been renamed to CloudPasswordPolicyForPasswordSyncedUsersEnabled.
When organizations do not utilize this feature and have password hash synchronization enabled, there’s a significant risk: users with expired passwords can still access their Entra ID accounts. This means they can continue working even if their password has expired—an alarming situation.
Despite the potential risks, many organizations remain unaware of this feature or have not yet implemented it. By activating the CloudPasswordPolicyForPasswordSyncedUsersEnabled feature, you can ensure that your on-premises Active Directory (AD) password policies align with those in Entra ID, promoting a more secure and compliant environment.
In this blog post, I will explore the functionality of this important feature and provide step-by-step guidance on configuring it for your tenant. Don’t let your organization fall behind—let’s take the necessary steps to protect your data!
The issue
If you have a password expiration policy configured in your on-premises environment, it is not synced to Entra ID by default. This creates a scenario where a user can continue working and accessing company resources when authenticating against Entra ID, even though their password has expired in the on-premises AD. Consider implementing this feature if you want the password expiration to be synchronized.
Many organizations using password hash synchronization to sync identities from AD to Entra ID are unaware of the consequences of an expired password. The expiration policy in Entra ID should align with your on-premises AD. Therefore, you must configure the EnforceCloudPasswordPolicyForPasswordSyncedUsers feature to ensure that Entra ID properly marks passwords as expired.
Configure expiration policy
Below, you will find step-by-step guidance on how to enable and configure this feature.
1. Run the PowerShell command below on the Entra ID Connect server to check if the feature is enabled:
Get-MsolDirSyncFeatures
Using the Microsoft Graph PowerShell module instead? Run the following:
(Get-MgDirectoryOnPremiseSynchronization).Features
2. To enable the EnforceCloudPasswordPolicyForPasswordSyncedUsers feature, run the command below in your tenant:
Set-MsolDirSyncFeature -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers -Enable $true
Using the Microsoft Graph PowerShell module instead? Run the following:
$OnPremSync = Get-MgDirectoryOnPremiseSynchronization
$OnPremSync.Features.CloudPasswordPolicyForPasswordSyncedUsersEnabled = $true
Update-MgDirectoryOnPremiseSynchronization `
    -OnPremisesDirectorySynchronizationId $OnPremSync.Id `
    -Features $OnPremSync.Features
By default, the value DisablePasswordExpiration is set for every synced user, meaning the password expiration does not comply with the on-premises AD policy. This results in a scenario where users won’t be prompted to change their password when accessing company resources.
3. Run the command below to check which users have a password expiration set:
Get-AzureADUser -All $true | Select-Object UserPrincipalName, PasswordPolicies
Using the Microsoft Graph PowerShell module instead? Run the following (YourUserName is the UPN or object ID of the user to inspect):
(Get-MgUser -UserId YourUserName -Property PasswordPolicies).PasswordPolicies
When you want to comply with the on-premises password expiration policy, the PasswordPolicies value should be set to None. You must change the user’s on-premises password and start an initial sync to apply this change. After the sync, the value should update to “None.”
4. Run the command below to manually change the value to “None” for a specific user:
Set-AzureADUser -ObjectId YourUserName -PasswordPolicies None
Using the Microsoft Graph PowerShell module instead? Run the following:
Update-MgUser -UserId YourUserName -PasswordPolicies "None"
5. Additionally, run the command below to update the value for all synced users.
Please read the important note below before executing the command.
Get-AzureADUser -All $true | Where-Object { $_.DirSyncEnabled -eq $true -and $_.PasswordPolicies -eq 'DisablePasswordExpiration' } | ForEach-Object { Set-AzureADUser -ObjectId $_.ObjectId -PasswordPolicies None }
Using the Microsoft Graph PowerShell module instead? Run the following:
Get-MgUser -All -Filter "onPremisesSyncEnabled eq true and passwordPolicies eq 'DisablePasswordExpiration'" |
    ForEach-Object {
        Update-MgUser -UserId $_.Id -PasswordPolicies "None"
    }
Important Note:
If you have specific synchronized AD accounts, such as service accounts (which I wouldn’t recommend syncing), that require non-expiring passwords in Azure AD, you must explicitly add the DisablePasswordExpiration value to the PasswordPolicies attribute. Otherwise, the bulk command in step 5 will clear it for those accounts as well.
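The following script ties steps 1 to 5 and the note above together in one run. It is an added example written for this post, not code from the original article or from Microsoft: it checks and (with -Apply) enables the tenant feature through the Microsoft Graph PowerShell SDK, inventories every synced user, removes only the DisablePasswordExpiration flag from users who should follow the on-premises policy, and explicitly adds the flag to an allow-list of accounts that must keep non-expiring passwords. The module name, the Graph scopes, the -Apply switch and the UPNs in $KeepNonExpiring are assumptions for this example; the UPNs are constructed placeholders. By default it only reports what it would change.

```powershell
<#
  Added example (not part of the original post). Walks the five steps above with the
  Microsoft Graph PowerShell SDK and honours the note on service accounts by keeping an
  allow-list of UPNs that must retain DisablePasswordExpiration.
  Assumptions: the Microsoft.Graph module is installed, the caller can consent to the
  scopes below, and the UPNs in $KeepNonExpiring are constructed placeholders.
#>
#Requires -Modules Microsoft.Graph.Users, Microsoft.Graph.Identity.DirectoryManagement
[CmdletBinding()]
param(
    # Synced accounts that must keep non-expiring passwords (constructed example values)
    [string[]] $KeepNonExpiring = @('svc-backup@contoso.example', 'svc-scan@contoso.example'),
    # Default is a dry run that only reports; pass -Apply to write changes
    [switch] $Apply
)

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'OnPremDirectorySynchronization.ReadWrite.All' -NoWelcome

# Steps 1 and 2: check the tenant-level feature and enable it if needed
$sync = Get-MgDirectoryOnPremiseSynchronization
if ($sync.Features.CloudPasswordPolicyForPasswordSyncedUsersEnabled) {
    Write-Host 'CloudPasswordPolicyForPasswordSyncedUsersEnabled: already on'
} elseif ($Apply) {
    $sync.Features.CloudPasswordPolicyForPasswordSyncedUsersEnabled = $true
    Update-MgDirectoryOnPremiseSynchronization -OnPremisesDirectorySynchronizationId $sync.Id -Features $sync.Features
    Write-Host 'CloudPasswordPolicyForPasswordSyncedUsersEnabled: enabled'
} else {
    Write-Warning 'CloudPasswordPolicyForPasswordSyncedUsersEnabled is OFF (re-run with -Apply to enable)'
}

# Step 3: inventory every synced user together with its current PasswordPolicies value
$synced = Get-MgUser -All -Filter 'onPremisesSyncEnabled eq true' `
    -Property Id, UserPrincipalName, PasswordPolicies

# PasswordPolicies is a comma-separated list; treat it as a set so that a value such as
# "DisablePasswordExpiration, DisableStrongPassword" keeps its other flags when edited.
function Get-PolicySet([string] $Value) {
    if ([string]::IsNullOrWhiteSpace($Value) -or $Value -eq 'None') { return @() }
    return @($Value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}
function Join-PolicySet([string[]] $Set) {
    if (@($Set).Count -eq 0) { return 'None' }
    return (@($Set) -join ', ')
}

$changes = foreach ($u in $synced) {
    $current     = Get-PolicySet $u.PasswordPolicies
    $hasNoExpiry = $current -contains 'DisablePasswordExpiration'
    $mustKeep    = $KeepNonExpiring -contains $u.UserPrincipalName

    if ($hasNoExpiry -and -not $mustKeep) {
        # Steps 4 and 5: drop only the expiration flag so the on-premises policy applies
        $desired = Join-PolicySet @($current | Where-Object { $_ -ne 'DisablePasswordExpiration' })
    } elseif ($mustKeep -and -not $hasNoExpiry) {
        # Note above: allow-listed accounts must carry the flag explicitly
        $desired = Join-PolicySet @($current + 'DisablePasswordExpiration')
    } else {
        continue   # already in the desired state
    }
    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        Id                = $u.Id
        From              = Join-PolicySet $current
        To                = $desired
    }
}

$changes | Format-Table UserPrincipalName, From, To -AutoSize

if ($Apply) {
    foreach ($c in $changes) {
        Update-MgUser -UserId $c.Id -PasswordPolicies $c.To
    }
    Write-Host "Updated $(@($changes).Count) user(s)."
} else {
    Write-Host "Dry run: $(@($changes).Count) user(s) would change. Re-run with -Apply to write."
}
```

Run it once without -Apply, review the table, then run it again with -Apply. Keeping the allow-list in the script rather than hand-editing users afterwards means a later re-run will not silently strip the flag from the service accounts again.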
Thanks for the details. So once the AD and Entra expiration policies are in sync with each other (i.e Entra is using the AD based policy), what happens to users that are using Entra ID joined devices only to login? Do they get notified of expiring password? How do they change their password?
Sorry for the late response; I have been on holiday. Indeed, users would receive a notification that their password is about to expire. This could be a system notification in Windows, or you can tweak it so that users receive an email.
When the password expires, users must set a new password during login. This is done immediately upon attempting to log in with the expired password. If password writeback is enabled, the password should also be updated in AD.
When the password expires and users must set a new password during login, are the accounts being tagged with “Force Password on Next Login”, or is it kicking off SSPR?
Thanks
Hi:
Thanks for sharing the info. I have users that require “password never expires”, and all my accounts are synced from on-prem AD. Is there any way to set up a “rule” so that, if an AD account on-prem is set to password never expire, the “DisablePasswordExpiration” policy is set when it syncs from on-prem to Entra ID?