Forum Discussion

ElieAT
Iron Contributor
Jul 29, 2022

Enable Password Never Expires

Hello,


Kindly, I need to know: if we enable "password never expires" from the Office 365 portal, how will it affect on-premises users if we are in a hybrid environment?


Regards,


  • With PTA your users always rely on your on-prem AD authentication. Even if you set the password to never expire in Azure AD, if the password is expired on-prem the user will be blocked. The best practice for your case is to switch to password hash sync. If you need to keep the PTA scenario, an alternative solution is to enable the password writeback feature, so the user will have the ability to change or reset their password and the password will be synced back to on-prem AD.

    Refer to the link below to see how you can enable the password writeback feature:

    https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr-writeback
  • PTA and password hash sync are totally different. With PTA authentication, if the user's password has expired on-prem, the cloud user will not be able to sign in, as the validation always happens through the PTA agent. For password hash sync, please see the scenarios below.

    When the hash of the users is synced to Azure, the user in the cloud is set to password never expires.

    Please see the scenarios below (Item / User action / Effect on password in Office 365):

    Item: 120-day password expiry in local AD was enforced
    User action: User changed password
    Effect on password in Office 365:
    • The new password hash will be synced to Office 365
    • User can log in to Office 365

    Item: 120-day password expiry in local AD was enforced
    User action: User did not change password
    Effect on password in Office 365:
    • The old password hash is still synced and cached in Azure AD
    • User can log in to Office 365
    • No prompt in Office 365 that the local AD password needs to be changed
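    As an added example (not from the thread), a defender's check for the second scenario above: a PowerShell audit, assuming the RSAT ActiveDirectory module on a domain-joined host, that lists on-prem accounts whose password is past the domain maximum age, i.e. the users who would be blocked under PTA but can still sign in to Office 365 with the cached hash under password hash sync.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory RSAT module
# and a domain-joined workstation with read access to user objects.
Import-Module ActiveDirectory

# Domain-wide maximum password age; 00:00:00 means passwords never expire.
$maxAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
if ($maxAge -eq [TimeSpan]::Zero) {
    Write-Warning "Domain policy has no maximum password age; nothing can expire."
    return
}
$cutoff = (Get-Date).Add(-$maxAge)

# Only enabled accounts that are still required to rotate their password matter here.
$expired = Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
        -Properties PasswordLastSet, PasswordNeverExpires, PasswordExpired |
    Where-Object {
        # PasswordExpired covers "must change at next logon"; the date check
        # catches accounts whose last change is older than the policy allows.
        $_.PasswordExpired -or ($_.PasswordLastSet -and $_.PasswordLastSet -lt $cutoff)
    } |
    Select-Object SamAccountName, UserPrincipalName, PasswordLastSet,
        @{ Name = 'DaysSinceChange'
           Expression = { if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } } }

# Oldest passwords first: these are the accounts whose on-prem expiry the cloud is not enforcing.
$expired | Sort-Object DaysSinceChange -Descending | Format-Table -AutoSize
```

    Fine-grained password policies (PSOs) override the default domain policy, so accounts covered by a PSO need the cutoff computed from that policy's MaxPasswordAge instead.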
    • ElieAT
      Iron Contributor
      Thanks for the reply. So if we have pass-through authentication, what should I do to enable password never expires for users as a best practice?
    • ElieAT
      Iron Contributor
      Pass-through authentication, but if it's a hash, what will be the difference?
