Microsoft released the EnforceCloudPasswordPolicyForPasswordSyncedUsers feature in February this year, at which time it was in public preview. When organizations don't use this feature and sync their identities with password hash sync enabled, users with an expired on-premise password can continue working with their Azure AD account. I would say that's something to worry about; however, not many organizations are using the feature or are familiar with how it works. With this feature, we bring our AD and Azure AD password expiration policies in line with each other. In this blog post, I will describe the functionality of this feature and help you configure it for your tenant.
How does the EnforceCloudPasswordPolicyForPasswordSyncedUsers policy work?
If you have a password expiration policy configured in your on-premise environment, it is not synced to Azure AD. This results in a scenario where a user can continue working and accessing company resources when authenticating against Azure AD, although the password has expired in the on-premise AD. If you want the expiration of both passwords to be in sync, you should consider implementing this feature.
Why should I use the EnforceCloudPasswordPolicyForPasswordSyncedUsers feature?
Many organizations that use password hash synchronization and sync their identities from AD to Azure AD are not aware of the consequences of an expired password. The expiration policy within Azure AD should comply with your on-premise AD. Therefore, you need to configure the EnforceCloudPasswordPolicyForPasswordSyncedUsers feature before Azure AD will mark a synced user's password as expired.
How to enable the EnforceCloudPasswordPolicyForPasswordSyncedUsers feature?
Below you will find step-by-step guidance on how to enable and configure this feature.
1. Run the below PowerShell command to check whether the feature is enabled:
Get-MsolDirSyncFeatures

2. To enable EnforceCloudPasswordPolicyForPasswordSyncedUsers, run the below command in your tenant:
Set-MsolDirSyncFeature -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers -Enable $true
By default, the value DisablePasswordExpiration is set for every synced user, which means that password expiration does not comply with the on-premise AD policy. This results in a scenario where a user won't be prompted to change the password when trying to access company resources.

3. Run the below command to check which users have a password expiration set (the -All switch is needed, otherwise only the first page of users is returned):
Get-AzureADUser -All $true | Select-Object UserPrincipalName,PasswordPolicies

When you want to comply with the on-premise password expiration policy, the PasswordPolicies value should be set to None. To get this done, change the on-premise password for a user and start an initial sync. After the sync, the value should change to "None".

4. Run the below command to change the value manually to "None" for a specific user:
Set-AzureADUser -ObjectId YourUserName -PasswordPolicies None

5. Additionally, run the below command to update the value for all users. Read the important note below before running the command.
Get-AzureADUser -All $true | Where-Object { $_.DirSyncEnabled -eq $true -and $_.PasswordPolicies -eq 'DisablePasswordExpiration' } | ForEach-Object {
    Set-AzureADUser -ObjectId $_.ObjectId -PasswordPolicies None
}
Important note:
If you have specific synchronized AD accounts, e.g., Service Accounts, that need non-expiring passwords in Azure AD, you must explicitly add the DisablePasswordExpiration value to the PasswordPolicies attribute.
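As an added example (not part of the original post), the script below combines step 5 with the note above: it audits all synced users, clears DisablePasswordExpiration everywhere except on an explicit allow-list of accounts that must keep non-expiring passwords, and makes sure those allow-listed accounts actually have the value set. It assumes the AzureAD module is installed and Connect-AzureAD has already been run; the UPNs in $KeepNonExpiring are constructed placeholders.

```powershell
# Added example, not the post's own code. Assumes the AzureAD module and an
# existing Connect-AzureAD session. Run without -Apply first to get a dry run.
param(
    # Constructed placeholder UPNs of accounts (e.g. service accounts) that must keep
    # non-expiring passwords in Azure AD; replace with your own.
    [string[]]$KeepNonExpiring = @('svc-backup@contoso.example', 'svc-scan@contoso.example'),
    [switch]$Apply   # without -Apply the script only reports what it would change
)

# PasswordPolicies can hold several comma-separated values, so test for the
# DisablePasswordExpiration token instead of comparing the whole string with -eq.
function Test-NonExpiring([string]$Policies) {
    if ([string]::IsNullOrWhiteSpace($Policies)) { return $false }
    $tokens = ($Policies -split ',') | ForEach-Object { $_.Trim() }
    return $tokens -contains 'DisablePasswordExpiration'
}

# Only DirSync-enabled users are in scope; cloud-only accounts are left alone.
$synced = @(Get-AzureADUser -All $true | Where-Object { $_.DirSyncEnabled -eq $true })

$nonExpiring = @($synced | Where-Object { Test-NonExpiring $_.PasswordPolicies })
$toFix = @($nonExpiring | Where-Object { $KeepNonExpiring -notcontains $_.UserPrincipalName })

Write-Host ("Synced users: {0}; with DisablePasswordExpiration: {1}; to change: {2}" -f `
    $synced.Count, $nonExpiring.Count, $toFix.Count)

# Clear the value so the on-premise expiration is enforced for these users.
foreach ($u in $toFix) {
    if ($Apply) {
        Set-AzureADUser -ObjectId $u.ObjectId -PasswordPolicies None
        Write-Host "Changed $($u.UserPrincipalName): PasswordPolicies -> None"
    } else {
        Write-Host "Would change $($u.UserPrincipalName) (current: $($u.PasswordPolicies))"
    }
}

# Allow-listed accounts must explicitly carry DisablePasswordExpiration, as the note requires.
foreach ($upn in $KeepNonExpiring) {
    $u = $synced | Where-Object { $_.UserPrincipalName -eq $upn }
    if ($u -and -not (Test-NonExpiring $u.PasswordPolicies)) {
        Write-Host "$upn is allow-listed but does not have DisablePasswordExpiration set"
        if ($Apply) { Set-AzureADUser -ObjectId $u.ObjectId -PasswordPolicies DisablePasswordExpiration }
    }
}
```

Review the dry-run output against your list of service accounts before re-running with -Apply.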