Forum Discussion
Password Expiration with AAD connect Password hash sync
Thanks for detailing this step by step and it is helpful!
A question on this to get further more clarity - After implementing all this policy changes what happens the next time when a user resets his password and it is synced to AzureAD via AD sync tool ?
Is it expected that the "PasswordPolicies" attribute goes back to "DisablePasswordExpiration" again, so that after each password sync the "PasswordPolicies" attribute has to be set to "None" using a daily script or something?
Hello Sujesh1415,
assuming you enabled the EnforceCloudPasswordPolicyForPasswordSyncedUsers feature, as per the Microsoft article "Implement password hash synchronization with Azure AD Connect sync":
"...Azure AD does not go to each synchronized user to remove the DisablePasswordExpiration value from the PasswordPolicies attribute. Instead, the DisablePasswordExpiration value is removed (None) from PasswordPolicies during the next password hash sync for each user, upon their next password change in on-premises AD".
Microsoft recommends enabling EnforceCloudPasswordPolicyForPasswordSyncedUsers prior to enabling password hash sync, so that the initial sync of password hashes does not add the DisablePasswordExpiration value to the PasswordPolicies attribute for the users.
But if you enabled the feature AFTER setting up password hash sync, then you have two choices for setting PasswordPolicies to None:
- Wait for the user’s next password change to occur on the on-premises AD
- Run a PowerShell script (once) to update it:
Single user:
Set-AzureADUser -ObjectId <user ID> -PasswordPolicies None
All users:
Get-AzureADUser -All $true | Set-AzureADUser -PasswordPolicies None
Does this answer your question?
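One way to audit which synced users still carry DisablePasswordExpiration before running the bulk command above, as an added example that is not from this thread or from Microsoft: it uses the same AzureAD cmdlets, assumes Connect-AzureAD has already been run, and the exclusion group object id (for accounts that should keep non-expiring passwords) is a placeholder you must replace.

```powershell
# Added example (not from the original thread): report dirsync'd users whose
# PasswordPolicies still contains DisablePasswordExpiration, skip members of an
# assumed exclusion group, and only change anything when -Apply is given.
# Assumes the AzureAD module is installed and Connect-AzureAD has been run.
param(
    [string]$ExclusionGroupObjectId = '<no-expiration-group-object-id>',  # placeholder
    [switch]$Apply   # without -Apply this is a dry run that only reports
)

# Members of the exclusion group are left untouched.
$excluded = @{}
if ($ExclusionGroupObjectId -ne '<no-expiration-group-object-id>') {
    Get-AzureADGroupMember -ObjectId $ExclusionGroupObjectId -All $true |
        ForEach-Object { $excluded[$_.ObjectId] = $true }
}

# Only synced users are relevant; cloud-only users never get the value from PHS.
$stale = @(Get-AzureADUser -All $true | Where-Object {
    $_.DirSyncEnabled -eq $true -and
    $_.PasswordPolicies -match 'DisablePasswordExpiration' -and
    -not $excluded.ContainsKey($_.ObjectId)
})

foreach ($u in $stale) {
    if ($Apply) {
        Set-AzureADUser -ObjectId $u.ObjectId -PasswordPolicies None
        Write-Output "Updated      $($u.UserPrincipalName)"
    } else {
        Write-Output "Would update $($u.UserPrincipalName) (currently: $($u.PasswordPolicies))"
    }
}
Write-Output "$($stale.Count) synced user(s) still had DisablePasswordExpiration."
```

Run it once without -Apply to review the list, then with -Apply to make the change.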
- JonMar52, Sep 17, 2024, Copper Contributor
lucafabbri365
I'm investigating enabling the CloudPasswordPolicyForPasswordSyncedUsersEnabled feature for our org. I plan to address service accounts that currently do not have their passwords expire by putting them into a No Password Expiration group and manually changing the PasswordPolicy attribute to DisablePasswordExpiration. My question is, based on the current information, that the field will already show "DisablePasswordExpiration" since we enabled sync before enabling CloudPasswordPolicyForPasswordSyncedUsersEnabled. This field will change to "None" on the next sync, but if those accounts do not have expiring passwords, will they ever sync again if the password is never changed? If I set the field manually, will that cancel out the CloudPasswordPolicyForPasswordSyncedUsersEnabled, or does that change the field to none every time that password is changed? My final question is, if we have password write-back enabled, will changing the password via self-service count as a change on-prem and sync users with the PasswordPolicy field set to none?
- mpsquared, Jun 20, 2023, Copper Contributor
Hi lucafabbri365,
Thanks for the information. For further clarity, we've already had hash sync enabled. So if I enable the feature org-wide and set it to none, will it cause any issues for those getting ready to change their password? For instance, not every user will change their password exactly at 90 days, e.g. new employees etc.