Forum Discussion
Password Expiration with AAD connect Password hash sync
I was investigating into this situation a bit and upon finding this thread - I thought it might be good to update it. Microsoft has added a feature in public preview where you can turn on password expiration when using the password hash synchronization scenario. Bad news however. documentation recommends that this be turned on before password sync is turned on.
Also, I've seen comments in the user voice post Luca referenced saying that people have contacted MS support and have received other ways to work around this.
Hello TimLB,
well, we implemented the EnforceCloudPasswordPolicyForPasswordSyncedUsers feature time ago, and set the same password expiration policy like on-premise AD (90 days*) but unfortunately, it was enabled with password hash sync already in place; so every time a new user is synced to Azure AD (initial sync of password) the PasswordPolicies attribute is set to DisablePasswordExpiration value by default. The (manual) solution is to change it via PowerShell:
Single user:
Set-AzureADUser -ObjectId <user ID> -PasswordPolicies None
In bulk:
Get-AzureADUser -All $true | Set-AzureADUser -PasswordPolicies None
I hope Microsoft can find a more flexible way to manage it.
* - There is a limit when there are multiple on-premise AD domains with different password expiration policy, all syncing with same Azure AD tenant through AAD Connect and sharing the same registered domain.