Forum Discussion
ElieAT
Jul 29, 2022 (Iron Contributor)
Enable Password Never Expires
Hello, kindly I need to know: if we enable password never expires from the Office 365 portal, how will it affect on-premises users if we are in a hybrid environment? Regards,
eliekarkafy
Jul 29, 2022 (MVP)
PTA and hash sync are totally different. With PTA authentication, if the user's password has expired on-prem, the cloud user will not be able to sign in, as the validation always happens through the PTA agent. For password hash sync, please see the scenarios below:
When the users' hashes are synced to Azure, the user in the cloud is set to password never expires.
Please see the scenarios below:
| ITEM | USER ACTION | Effect on password in Office 365 |
| --- | --- | --- |
| 120-day password expiry in Local AD was enforced | User changed password | |
| 120-day password expiry in Local AD was enforced | User did not change password | |
- ElieAT, Jul 29, 2022 (Iron Contributor)
Thanks for the reply. So if we have pass-through authentication, what should I do to enable password never expires for users as a best practice?
- eliekarkafy, Jul 29, 2022 (MVP)
With PTA your users always rely on your on-prem AD authentication. Even if you set the password to never expire in Azure AD, if the password is expired on-prem the user will be blocked. The best practice for your case is to switch to password hash sync. If you need to keep the PTA scenario, an alternative solution is to enable the password writeback feature, so the user will have the ability to change or reset their password and the password will be synced back to the on-prem AD.
Refer to the link below to see how you can enable the password writeback feature:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr-writeback
- ElieAT, Jul 29, 2022 (Iron Contributor)
Appreciate your help.
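An added example, not from this thread, of how an admin could audit for the mismatch eliekarkafy describes: under PTA an expired on-prem password blocks sign-in whatever the cloud flag says, while under PHS the cloud never-expires flag governs. It assumes the ActiveDirectory and Microsoft.Graph.Users PowerShell modules and an existing Connect-MgGraph session; the Get-ExpiryMismatch function and the sample users are constructed for illustration.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory (RSAT) and Microsoft.Graph.Users
# modules, a prior Connect-MgGraph -Scopes 'User.Read.All', and the constructed sample users below.
function Get-ExpiryMismatch {
    param(
        [ValidateSet('PTA','PHS')] [string] $AuthMethod,
        [object[]] $OnPremUsers,   # objects with Upn, Expired, NeverExpires
        [object[]] $CloudUsers     # objects with Upn, NeverExpires
    )
    $cloud = @{}; foreach ($c in $CloudUsers) { $cloud[$c.Upn.ToLower()] = $c }
    foreach ($u in $OnPremUsers) {
        $c = $cloud[$u.Upn.ToLower()]
        if (-not $c) { continue }          # cloud-only or unsynced account: nothing to compare
        $risk = $null
        if ($AuthMethod -eq 'PTA' -and $u.Expired) {
            # PTA validates against on-prem AD, so the cloud flag does not help this user
            $risk = 'Blocked at sign-in: on-prem password expired'
        } elseif ($AuthMethod -eq 'PHS' -and $c.NeverExpires -and -not $u.NeverExpires) {
            # PHS: cloud sign-in still works with a password AD would reject as expired
            $risk = 'Cloud never-expires flag set while on-prem AD enforces expiry'
        }
        if ($risk) { [pscustomobject]@{ Upn = $u.Upn; Risk = $risk } }
    }
}
function Get-OnPremPasswordState {
    Get-ADUser -Filter * -Properties PasswordNeverExpires,'msDS-UserPasswordExpiryTimeComputed' |
      Where-Object Enabled | ForEach-Object {
        $exp = [int64]$_.'msDS-UserPasswordExpiryTimeComputed'   # 0 = must change, MaxValue = never
        [pscustomobject]@{
            Upn          = $_.UserPrincipalName
            NeverExpires = [bool]$_.PasswordNeverExpires
            Expired      = ($exp -lt [int64]::MaxValue -and $exp -gt 0 -and
                            [datetime]::FromFileTime($exp) -lt (Get-Date))
        }
    }
}
function Get-CloudPasswordState {
    Get-MgUser -All -Filter 'onPremisesSyncEnabled eq true' -Property UserPrincipalName,PasswordPolicies |
      ForEach-Object {
        [pscustomobject]@{ Upn = $_.UserPrincipalName
                           NeverExpires = ($_.PasswordPolicies -match 'DisablePasswordExpiration') }
    }
}
# Constructed sample: alice's on-prem password has expired; both accounts are never-expires in the cloud.
$onPrem = @([pscustomobject]@{ Upn='alice@contoso.example'; Expired=$true;  NeverExpires=$false },
            [pscustomobject]@{ Upn='bob@contoso.example';   Expired=$false; NeverExpires=$false })
$cloud  = @([pscustomobject]@{ Upn='alice@contoso.example'; NeverExpires=$true },
            [pscustomobject]@{ Upn='bob@contoso.example';   NeverExpires=$true })
Get-ExpiryMismatch -AuthMethod PTA -OnPremUsers $onPrem -CloudUsers $cloud | Format-Table -AutoSize
Get-ExpiryMismatch -AuthMethod PHS -OnPremUsers $onPrem -CloudUsers $cloud | Format-Table -AutoSize
```

For a live audit, replace the two sample arrays with the output of Get-OnPremPasswordState and Get-CloudPasswordState.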