Forum Discussion
Are dirsync'ed accounts automatically set to not have their passwords expire in AAD?
To make a long story short, a colleague's password expired eight days ago in AD but he's still able to login to the O365 portal and check his email.
What I've discovered is that almost all my AAD accounts are set to not have password expiration. This is not true for the accounts' counterparts in AD.
I checked and made sure that my tenant was not set to do this automatically.
Is this the expected behavior?
No. Password synced users however are. From here: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-aadconnectsync-implement-password-synchronization
Password expiration policy If a user is in the scope of password synchronization, the cloud account password is set to "Never Expire". You can continue to sign in to your cloud services using a synchronized password that has been expired in your on-premises environment. Your cloud password is updated the next time you change the password in the on-premises environment.
No. Password synced users however are. From here: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-aadconnectsync-implement-password-synchronization
Password expiration policy If a user is in the scope of password synchronization, the cloud account password is set to "Never Expire". You can continue to sign in to your cloud services using a synchronized password that has been expired in your on-premises environment. Your cloud password is updated the next time you change the password in the on-premises environment.
- Chris ParkerIron Contributor
Thanks for the citation. But why would they do this? I don't see how this is not a huge security problem.
Not sure, guess to avoid situations in which the synced password will expire (as it's governed by the O365 policy).