Forum Discussion
Password Expiration with AAD connect Password hash sync
Hello Sujesh1415,
assuming you enabled the EnforceCloudPasswordPolicyForPasswordSyncedUsers feature, as per the Microsoft article "Implement password hash synchronization with Azure AD Connect sync":
"...Azure AD does not go to each synchronized user to remove the DisablePasswordExpiration value from the PasswordPolicies attribute. Instead, the DisablePasswordExpiration value is removed (None) from PasswordPolicies during the next password hash sync for each user, upon their next password change in on-premises AD".
Microsoft recommends enabling EnforceCloudPasswordPolicyForPasswordSyncedUsers prior to enabling password hash sync, so that the initial sync of password hashes does not add the DisablePasswordExpiration value to the PasswordPolicies attribute for the users.
But if you enabled the feature AFTER setting up password hash sync, then you have two choices for setting PasswordPolicies to None:
- Wait for the user’s next password change to occur on the on-premises AD
- Run a PowerShell script (once) to update it:
Single user:
Set-AzureADUser -ObjectId <user ID> -PasswordPolicies None
All users:
Get-AzureADUser -All $true | Set-AzureADUser -PasswordPolicies None
Does this answer your question?
lucafabbri365
I'm investigating enabling the CloudPasswordPolicyForPasswordSyncedUsersEnabled feature for our org. I plan to address service accounts that currently do not have their passwords expire by putting them into a "No Password Expiration" group and manually changing the PasswordPolicy attribute to DisablePasswordExpiration.

My question is: based on the current information, the field will already show "DisablePasswordExpiration", since we enabled sync before enabling CloudPasswordPolicyForPasswordSyncedUsersEnabled. This field will change to "None" on the next sync, but if those accounts do not have expiring passwords, will they ever sync again if the password is never changed? If I set the field manually, will that cancel out CloudPasswordPolicyForPasswordSyncedUsersEnabled, or does that change the field to None every time the password is changed?

My final question is: if we have password writeback enabled, will changing the password via self-service count as a change on-prem and sync users with the PasswordPolicy field set to None?
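The following script is an added example and is not code from either poster in this thread. It combines lucafabbri365's one-time PasswordPolicies reset with the exemption group the follow-up post describes: it checks (and if needed enables) the EnforceCloudPasswordPolicyForPasswordSyncedUsers tenant feature with the MSOnline module, then walks only directory-synced users with the AzureAD module, setting PasswordPolicies to None for everyone except members of an exemption group, who get DisablePasswordExpiration. The group name, the $DryRun switch and the assumption that you are already connected with Connect-MsolService and Connect-AzureAD as a Global Administrator are mine, not the thread's.

```powershell
# Added example, not from the original thread.
# Assumes: MSOnline and AzureAD modules installed; Connect-MsolService and
# Connect-AzureAD already run as Global Administrator.
$ExemptGroupName = 'No Password Expiration'   # hypothetical group name (assumption)
$DryRun          = $true                       # set to $false to actually write changes

# 1. Make sure the tenant-level feature is on; otherwise the next on-prem
#    password change would put DisablePasswordExpiration straight back.
$feature = Get-MsolDirSyncFeatures -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers
if (-not $feature.Enabled) {
    Write-Host "EnforceCloudPasswordPolicyForPasswordSyncedUsers is disabled; enabling it."
    if (-not $DryRun) {
        Set-MsolDirSyncFeature -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers -Enable $true
    }
}

# 2. Collect the object IDs of accounts that must keep DisablePasswordExpiration
#    (service accounts placed in the exemption group).
$exemptIds = @{}
$exemptGroup = Get-AzureADGroup -Filter "DisplayName eq '$ExemptGroupName'"
if ($exemptGroup) {
    Get-AzureADGroupMember -ObjectId $exemptGroup.ObjectId -All $true |
        ForEach-Object { $exemptIds[$_.ObjectId] = $true }
} else {
    Write-Warning "Group '$ExemptGroupName' not found; no accounts will be exempted."
}

# 3. Touch only directory-synced users. Cloud-only accounts never had the
#    value injected by password hash sync, so they are left alone.
$synced = Get-AzureADUser -All $true | Where-Object { $_.DirSyncEnabled -eq $true }

$changed = 0
foreach ($u in $synced) {
    # A user with no policy set comes back as $null; treat that as None.
    $current = if ($u.PasswordPolicies) { $u.PasswordPolicies } else { 'None' }
    $desired = if ($exemptIds.ContainsKey($u.ObjectId)) { 'DisablePasswordExpiration' } else { 'None' }

    if ($current -ne $desired) {
        Write-Host ("{0}: {1} -> {2}" -f $u.UserPrincipalName, $current, $desired)
        if (-not $DryRun) {
            Set-AzureADUser -ObjectId $u.ObjectId -PasswordPolicies $desired
        }
        $changed++
    }
}
Write-Host "$changed synced user(s) need(ed) a PasswordPolicies change. DryRun=$DryRun"
```

Run it once with $DryRun left at $true to review the list of accounts that would change before writing anything. The script is idempotent, so it can be re-run after a sync cycle to confirm that the exemption group's members still carry DisablePasswordExpiration and everyone else is at None. Note that Set-AzureADUser overwrites the whole PasswordPolicies value, so if any synced users intentionally carry DisableStrongPassword as well, add that case before running with $DryRun = $false.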