Forum Discussion
Password Expiration with AAD connect Password hash sync
Hello Marvin Oco,
I noticed MS is working to find the better solution about this (link: https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/18367720-allow-password-expiration-policy-to-sync-from-on-p).
Meanwhile, even if PasswordNeverExpires=True is set when password sync is enabled (AADConnect), Azure lets you change the attribute to False via PowerShell; can that be considered a workaround? Will the user then inherit the password expiration policy set in Azure AD?
What about it?
Thank you,
Luca
- TimLB, May 29, 2020, Iron Contributor
I was investigating this situation a bit and, upon finding this thread, I thought it might be good to update it. Microsoft has added a feature in public preview where you can turn on password expiration when using the password hash synchronization scenario. Bad news, however: the documentation recommends that this be turned on before password sync is turned on.
Also, I've seen comments in the UserVoice post Luca referenced saying that people have contacted MS support and have received other ways to work around this.
- lucafabbri365, May 29, 2020, Brass Contributor
Hello TimLB,
well, we implemented the EnforceCloudPasswordPolicyForPasswordSyncedUsers feature some time ago and set the same password expiration policy as on-premise AD (90 days*), but unfortunately it was enabled with password hash sync already in place; so every time a new user is synced to Azure AD (initial sync of the password) the PasswordPolicies attribute is set to the DisablePasswordExpiration value by default. The (manual) solution is to change it via PowerShell:
Single user:
Set-AzureADUser -ObjectId <user ID> -PasswordPolicies None
In bulk:
Get-AzureADUser -All $true | Set-AzureADUser -PasswordPolicies None
I hope Microsoft can find a more flexible way to manage it.
* - There is a limit when there are multiple on-premise AD domains with different password expiration policy, all syncing with same Azure AD tenant through AAD Connect and sharing the same registered domain.
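The bulk one-liner above applies to every account in the tenant, including cloud-only users (which are not affected by the AAD Connect default) and any accounts that were deliberately set to never expire. The following is an added example, not code from the original post: it uses the same AzureAD module and assumes an existing Connect-AzureAD session, narrows the change to synced, enabled users that actually carry DisablePasswordExpiration, keeps an exemption list, preserves any other flag in PasswordPolicies instead of wiping it with None, and supports -WhatIf. The exempt UPNs are constructed placeholders.

```powershell
# Added example (not from the original post). Assumes the AzureAD PowerShell
# module and an existing Connect-AzureAD session with a role that can edit users.
function Reset-SyncedUserPasswordPolicy {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Accounts that must keep DisablePasswordExpiration (break-glass, service accounts).
        [string[]] $ExemptUpn = @()
    )

    # Only on-premises synced users receive DisablePasswordExpiration from AAD Connect;
    # cloud-only users already follow the tenant policy and are left untouched.
    $targets = Get-AzureADUser -All $true | Where-Object {
        $_.DirSyncEnabled -eq $true -and
        $_.AccountEnabled -eq $true -and
        $_.PasswordPolicies -like '*DisablePasswordExpiration*' -and
        $ExemptUpn -notcontains $_.UserPrincipalName
    }

    foreach ($user in $targets) {
        # PasswordPolicies can hold a comma-separated combination
        # ("DisablePasswordExpiration, DisableStrongPassword"). Setting None would
        # silently drop the second flag too, so only remove the expiration part.
        $newPolicy = if ($user.PasswordPolicies -like '*DisableStrongPassword*') {
            'DisableStrongPassword'
        } else {
            'None'
        }

        if ($PSCmdlet.ShouldProcess($user.UserPrincipalName,
                "PasswordPolicies '$($user.PasswordPolicies)' -> '$newPolicy'")) {
            Set-AzureADUser -ObjectId $user.ObjectId -PasswordPolicies $newPolicy
        }

        # Emit a record of the planned/applied change for review or export.
        [pscustomobject]@{
            UserPrincipalName = $user.UserPrincipalName
            OldPolicies       = $user.PasswordPolicies
            NewPolicies       = $newPolicy
        }
    }
}

# Constructed exemption list; replace with the accounts that must not expire.
$exempt = @('breakglass1@contoso.example', 'svc-backup@contoso.example')

# Dry run first: shows "What if:" lines and the planned changes, writes nothing.
Reset-SyncedUserPasswordPolicy -ExemptUpn $exempt -WhatIf | Format-Table -AutoSize

# Apply, keeping an audit trail of what was changed:
# Reset-SyncedUserPasswordPolicy -ExemptUpn $exempt |
#     Export-Csv -NoTypeInformation -Path .\password-policy-reset.csv
```

Review the dry-run output before applying; if on-premises complexity rules are at least as strict as Azure AD's, there is no reason to keep DisableStrongPassword and the branch that preserves it can be dropped so every target ends at None.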
- ANAND_SUNKA, Feb 02, 2021, Brass Contributor
We have a similar issue and it's a major security concern. Now my infosec team wants expired passwords to get blocked.
As I said, I am planning to run the below command for the entire organization.
Get-AzureADUser -All $true | Set-AzureADUser -PasswordPolicies None
Is it going to impact the users who are already logged into their mailboxes, cloud apps, and on-prem custom apps when we run the above command?
Any help really appreciated.
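Before running the bulk reset tenant-wide, it is worth knowing which accounts will be treated as already expired the moment the expiration policy applies to them, because those are the users who will be forced into a password change at their next sign-in. The following is an added example, not code from the original thread: it uses the MSOnline module (which exposes LastPasswordChangeTimestamp, unlike the AzureAD module's user object), assumes an existing Connect-MsolService session, reads the tenant validity period and the EnforceCloudPasswordPolicyForPasswordSyncedUsers feature state, and reports each member account's password age against that period. The domain name in the usage line is a constructed placeholder.

```powershell
# Added example (not from the original thread). Assumes the MSOnline module and
# an existing Connect-MsolService session.
function Get-PasswordExpiryImpact {
    [CmdletBinding()]
    param(
        # Verified domain whose password policy applies to the users being assessed.
        [Parameter(Mandatory)] [string] $DomainName
    )

    # Tenant policy: ValidityPeriod is in days; 2147483647 means "never expires".
    $policy       = Get-MsolPasswordPolicy -DomainName $DomainName
    $validityDays = [int64]$policy.ValidityPeriod
    $feature      = Get-MsolDirSyncFeatures -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers
    Write-Verbose ("ValidityPeriod={0} days, NotificationDays={1}, EnforceCloudPasswordPolicyForPasswordSyncedUsers={2}" -f
        $validityDays, $policy.NotificationDays, $feature.Enabled)

    if ($validityDays -ge 2147483647) {
        Write-Warning "Tenant policy for $DomainName is set to never expire; clearing PasswordNeverExpires changes nothing until a validity period is set."
    }

    $now = (Get-Date).ToUniversalTime()

    Get-MsolUser -All | Where-Object {
        # Skip blocked accounts, guests, and accounts with no recorded password change.
        -not $_.BlockCredential -and
        $_.UserType -eq 'Member' -and
        $null -ne $_.LastPasswordChangeTimestamp
    } | ForEach-Object {
        $ageDays = [math]::Floor(($now - $_.LastPasswordChangeTimestamp.ToUniversalTime()).TotalDays)
        [pscustomobject]@{
            UserPrincipalName     = $_.UserPrincipalName
            Synced                = [bool]$_.ImmutableId          # non-empty for AAD Connect users
            CurrentlyNeverExpires = [bool]$_.PasswordNeverExpires  # will be flipped by the bulk reset
            PasswordAgeDays       = $ageDays
            DaysUntilExpiry       = $validityDays - $ageDays
            ExpiredOnceEnforced   = $ageDays -ge $validityDays     # forced change at next sign-in
        }
    } | Where-Object {
        # Keep only the accounts that expire immediately or within the notification window.
        $_.ExpiredOnceEnforced -or $_.DaysUntilExpiry -le [int64]$policy.NotificationDays
    } | Sort-Object PasswordAgeDays -Descending
}

# Usage: list the accounts that will be hit first, oldest password on top.
Get-PasswordExpiryImpact -DomainName 'contoso.example' -Verbose | Format-Table -AutoSize

# Summary counts for the change ticket:
# Get-PasswordExpiryImpact -DomainName 'contoso.example' |
#     Group-Object Synced, ExpiredOnceEnforced | Select-Object Name, Count
```

Running this before the bulk command turns an unknown blast radius into a list that can be communicated to the affected users, or used to stage the reset in batches (for example, clearing PasswordNeverExpires only for the accounts with the oldest passwords first).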