Forum Discussion
Password Expiration with AAD connect Password hash sync
I try to give you a detailed answer.
As long as you have the EnforceCloudPasswordPolicyForPasswordSyncedUsers feature disabled (which is the default), an Azure AD user coming from on-premises AD (synced by AAD Connect) has its account password set to Never Expire.
"Password expiration policy
If a user is in the scope of password hash synchronization, by default the cloud account password is set to Never Expire.
You can continue to sign in to your cloud services by using a synchronized password that is expired in your on-premises environment. Your cloud password is updated the next time you change the password in the on-premises environment."
Reference: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-password-hash-synchronization#public-preview-of-the-enforcecloudpasswordpolicyforpasswordsyncedusers-feature (Microsoft Docs)
Once you enable the EnforceCloudPasswordPolicyForPasswordSyncedUsers feature and set the PasswordPolicies attribute to None (instead of DisablePasswordExpiration), the expiration time for an Azure AD user should be calculated from the read-only attribute LastPasswordChangeTimestamp (you can retrieve it by using the Get-MsolUser cmdlet), depending on the expiration policy.
Now, if you have AAD Connect with password hash sync and the same password expiration policy set on both Azure AD and on-premises AD (e.g. 90 days), every time a password is changed in on-premises AD the pwdLastSet attribute is updated, the password itself is synced to Azure AD and LastPasswordChangeTimestamp is updated accordingly, so they both expire at the same time (maybe a few minutes off). If you also have the password writeback functionality in place (link: https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-writeback (Microsoft Docs)), the behavior described above also works when the password is changed from Azure AD and synced back to on-premises AD.
It should be right (please, can someone else confirm that?).
I hope I was clear.
Bye,
Luca
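Added example, not code from Luca's post or from Microsoft's documentation: a PowerShell script that checks the three things described above for one synced user (the tenant-level feature, the tenant validity period, and the per-user never-expire flag with LastPasswordChangeTimestamp) using the MSOnline module. It assumes Connect-MsolService has already been run; the UPN and domain are placeholders, and the per-user change is only made with the -Fix switch.

```powershell
# Added example (not from the thread): inspect the cloud password-expiration
# state of a password-hash-synced user. Assumes the MSOnline module is loaded
# and Connect-MsolService has been run. UPN and domain below are placeholders.
param(
    [string]$UserPrincipalName = 'user@example.com',
    [string]$DomainName        = 'example.com',
    [switch]$Fix   # only with this switch is a per-user change made
)

# 1. Tenant-level feature. While it is disabled (the default), every synced
#    user keeps DisablePasswordExpiration regardless of the tenant policy.
$feature = Get-MsolDirSyncFeatures -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers
Write-Host "EnforceCloudPasswordPolicyForPasswordSyncedUsers enabled: $($feature.Enabled)"

# 2. Tenant password policy. ValidityPeriod is in days; 2147483647 means never expire.
$policy = Get-MsolPasswordPolicy -DomainName $DomainName
Write-Host "Tenant validity period (days): $($policy.ValidityPeriod)"

# 3. Per-user state. In MSOnline, PasswordNeverExpires = $true is the same
#    thing as PasswordPolicies = DisablePasswordExpiration in Azure AD / Graph.
$u = Get-MsolUser -UserPrincipalName $UserPrincipalName
Write-Host "Synced from on-premises AD  : $($null -ne $u.ImmutableId)"
Write-Host "PasswordNeverExpires        : $($u.PasswordNeverExpires)"
Write-Host "LastPasswordChangeTimestamp : $($u.LastPasswordChangeTimestamp.ToString('u'))"

if ($u.PasswordNeverExpires -or $policy.ValidityPeriod -ge 2147483647) {
    Write-Host "Cloud password does not expire; only the on-premises policy applies."
} else {
    # Expiry derives from the read-only LastPasswordChangeTimestamp (UTC),
    # which password hash sync refreshes when the on-premises password changes.
    $expires = $u.LastPasswordChangeTimestamp.AddDays($policy.ValidityPeriod)
    $left    = ($expires - (Get-Date).ToUniversalTime()).Days
    Write-Host "Cloud password expires      : $($expires.ToString('u')) ($left days left)"
}

# 4. Optional remediation: a synced user still marked never-expire after the
#    feature was enabled is moved to the normal policy (PasswordPolicies = None).
if ($Fix -and $feature.Enabled -and $u.PasswordNeverExpires) {
    Set-MsolUser -UserPrincipalName $UserPrincipalName -PasswordNeverExpires $false
    Write-Host "PasswordNeverExpires cleared for $UserPrincipalName"
}
```

Running it without -Fix is read-only, so it can be scheduled as a check that reports synced accounts whose cloud password still never expires.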
Thanks for detailing this step by step; it is helpful!
A question on this to get further clarity: after implementing all these policy changes, what happens the next time a user resets his password and it is synced to Azure AD via the AD sync tool?
Is it expected that the "PasswordPolicies" attribute goes back to "DisablePasswordExpiration", so that after each password sync the "PasswordPolicies" attribute has to be set to "None" using a daily script or something?