Forum Discussion
Password Expiration with AAD connect Password hash sync
lucafabbri365, great explanation.
If a company uses Fine-grained Password Policy to apply different password expiration policies inside the same AD domain, would that still work out with Azure AD?
Hello KoflT,
yours is a good question.
Well, Fine-grained Password Policy is supported by Azure Active Directory Domain Services (Azure AD DS) for sure. Azure AD DS integrates with an existing Azure AD tenant, but it is a different service.
Definition
"Azure Active Directory Domain Services (AD DS) provides managed domain services such as domain join, group policy, lightweight directory access protocol (LDAP), and Kerberos / NTLM authentication. You use these domain services without the need to deploy, manage, and patch domain controllers (DCs) in the cloud."
References
- https://azure.microsoft.com/en-us/updates/aadds-fgpp/ (Microsoft Azure)
- https://docs.microsoft.com/en-us/azure/active-directory-domain-services/overview#:~:text=Azure%20Active%20Directory%20Domain%20Services%20(AD%20DS)%20provides%20managed%20domain,(DCs)%20in%20the%20cloud. (Microsoft Docs)
- https://docs.microsoft.com/en-us/azure/active-directory-domain-services/password-policy (Microsoft Docs)
Instead, we are speaking about password expiration on the Azure AD tenant.
This post https://social.msdn.microsoft.com/Forums/vstudio/en-US/5f10faf7-98ec-4681-96e9-4fc987a564e1/onpremise-password-policy-amp-azure-ad-password-policy?forum=WindowsAzureAD (Visual Studio forums) covers the same topic: basically, you can define a password policy per custom domain in Azure AD.
I think the logic is the same as I described previously: it depends on the password policy set for the custom domain the Azure AD user belongs to and the password policy set for the same user on-premises. If they match, the behavior is the same (the password will expire at the same time); otherwise, they will have different expiration times.
Please let me know if it's clear, or whether I should write down some practical examples.
Bye,
Luca
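The comparison Luca describes (the user's resultant on-premises policy versus the Azure AD policy of the user's custom domain) can be checked from a PowerShell session. The script below is an added example, not code from the thread or from Microsoft. It assumes the ActiveDirectory and MSOnline modules are installed, that the session can read on-premises AD and sign in to the tenant, and that the UPN and domain name are placeholders to replace. The sentinel value 2147483647 is the ValidityPeriod Azure AD uses for "passwords never expire" in Get-MsolPasswordPolicy.

```powershell
# Added example, not code from the original thread.
# Assumptions: ActiveDirectory and MSOnline modules installed, read access to on-prem AD
# and to the Azure AD tenant; UPN and custom domain below are placeholders.
param(
    [string]$UserPrincipalName = 'jane.doe@contoso.com',   # placeholder
    [string]$CustomDomain      = 'contoso.com'             # placeholder custom domain
)

Import-Module ActiveDirectory
Connect-MsolService            # interactive sign-in to the Azure AD tenant

# ValidityPeriod value Azure AD uses for "never expires"
$NeverExpiresDays = 2147483647

# ---- On-premises: resolve the policy that actually applies to this user ----
$adUser = Get-ADUser -Filter "UserPrincipalName -eq '$UserPrincipalName'" `
                     -Properties PasswordLastSet, PasswordNeverExpires
if (-not $adUser) { throw "No on-prem user with UPN $UserPrincipalName" }

# A fine-grained policy (PSO) overrides the Default Domain Policy when one covers the user;
# Get-ADUserResultantPasswordPolicy returns $null when no PSO applies.
$pso = Get-ADUserResultantPasswordPolicy -Identity $adUser
if ($pso) {
    $onPremMaxAge = $pso.MaxPasswordAge
    $onPremSource = "FGPP '$($pso.Name)'"
} else {
    $onPremMaxAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
    $onPremSource = 'Default Domain Policy'
}

# A zero/negative MaxPasswordAge, or the per-user flag, is treated here as "no expiration"
$onPremNever = $adUser.PasswordNeverExpires -or ($onPremMaxAge -le [TimeSpan]::Zero)
if ($onPremNever) {
    $onPremDays    = 'never'
    $onPremExpires = 'never'
} else {
    $onPremDays    = [int]$onPremMaxAge.TotalDays
    $onPremExpires = $adUser.PasswordLastSet.Add($onPremMaxAge)
}

# ---- Azure AD: the policy is set per custom domain, not per user ----
$cloudPolicy = Get-MsolPasswordPolicy -DomainName $CustomDomain
$cloudUser   = Get-MsolUser -UserPrincipalName $UserPrincipalName

$cloudNever = $cloudUser.PasswordNeverExpires -or ($cloudPolicy.ValidityPeriod -ge $NeverExpiresDays)
if ($cloudNever) {
    $cloudDays    = 'never'
    $cloudExpires = 'never'
} else {
    $cloudDays    = [int]$cloudPolicy.ValidityPeriod
    $cloudExpires = $cloudUser.LastPasswordChangeTimestamp.AddDays($cloudPolicy.ValidityPeriod)
}

# ---- Compare: same maximum age on both sides means the same expiration behavior ----
[pscustomobject]@{
    User             = $UserPrincipalName
    OnPremPolicy     = $onPremSource
    OnPremMaxAgeDays = $onPremDays
    OnPremExpires    = $onPremExpires
    CloudDomain      = $CustomDomain
    CloudMaxAgeDays  = $cloudDays
    CloudExpires     = $cloudExpires
    MaxAgeMatches    = ($onPremDays -eq $cloudDays)
} | Format-List
```

Run it once per user you care about, or wrap the body in a loop over the members of each PSO: when MaxAgeMatches is false for a synced user, the on-premises and cloud passwords will stop being accepted on different dates, which is exactly the mismatch the post above warns about.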