Forum Discussion
Enabling Managed Authentication - Password Hash Sync
- Feb 01, 2022: First of all, sorry for the late response. I have been ill for a week.
1. I suggest you export all the PasswordPolicies per user (the command per user is available in the Microsoft docs link). You should be able to script this for all users with PowerShell. As soon as you have a CSV export, I would filter out the accounts that don't need a password expiration policy set (service accounts, for example). When you have a new CSV file with all these filtered out, you should set the PasswordExpiration policy to None for the imported CSV file. Again, this should be scriptable via PowerShell.
2. Indeed, when you create a new user, you should initiate a password change on-premises and run an initial sync before the attribute changes. In that case, I would always check the box that says "User must change password at next logon."
Regarding your command that can't be set, I would suggest you contact Microsoft support. When running the command, it shows you a warning: "Unable to update the specified properties for on-premises mastered directory sync object or object currently undergoing migration." I have just run the command, and it was successfully configured. Good luck!
Regarding your suggestion, I would also love to see this attribute synced to Azure AD. Hopefully, in the future.
Enabling PHS is a painful experience, unless you're running a well-maintained vanilla AD. There are 2 big issues for us:
1. Synced accounts with AD "password never expires" need to be manually updated (see link below; unfortunately the PowerShell cmdlet doesn't work for us, see attachment).
2. If an account on-premises with "password never expires" set changes its password, we then need to manually update that account in Azure AD (see note: "For hybrid users that have a PasswordPolicies value set to DisablePasswordExpiration, this value switches to None after a password change is executed on-premises").
We have over 800 enabled synced accounts with password never expires :-(. Architecturally, this seems like a poor solution, why couldn't Microsoft just sync the password never expires flag as an attribute?
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-password-hash-synchronization
- HungryMoo, Feb 03, 2022, Copper Contributor: Hi BilalelHadd,
Thanks for the reply. I heard back from Microsoft: the PowerShell script isn't working as we need to unfederate the domain first.
We're looking to implement a script which monitors for password changes on a daily basis and then updates the Azure AD user object with the appropriate password policy.
Thanks
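As an added example (not code posted in this thread, and not Microsoft's script), here is one way to script both the bulk fix the original post asks for (re-applying DisablePasswordExpiration in Azure AD for every synced account that has "password never expires" on-premises) and the daily monitor mentioned in the Feb 03 reply (only accounts whose on-premises password changed since the last run, since that change resets the Azure AD value to None). Assumptions not stated in the thread: the RSAT ActiveDirectory module and the AzureAD module are installed, Connect-AzureAD has already been run, the on-premises userPrincipalName is what Azure AD Connect syncs as the Azure AD UPN, and the `svc-`/`sa-` prefixes used to skip service accounts are a placeholder naming convention. The function names are my own; Get-ADUser, Get-AzureADUser, Set-AzureADUser and the PasswordPolicies value DisablePasswordExpiration are the ones referenced by the linked Microsoft doc.

```powershell
#Requires -Modules ActiveDirectory, AzureAD
# Added example, not from the thread. Assumes a domain-joined admin host with the
# ActiveDirectory module, the AzureAD module with Connect-AzureAD already run, and
# on-prem UPN == Azure AD UPN (default Azure AD Connect mapping).

function Get-NeverExpiresUsers {
    <# Enabled on-prem users with "Password never expires" set. With -ChangedSince, only
       those whose password was changed after that time (an on-prem password change flips
       the Azure AD PasswordPolicies value back to None, so those must be re-set). #>
    [CmdletBinding()]
    param(
        [datetime]$ChangedSince,
        # Assumed service-account naming convention; adjust, or pass @() to keep everything.
        [string[]]$ExcludeSamPattern = @('^svc[-_]', '^sa[-_]')
    )
    $onlyChanged = $PSBoundParameters.ContainsKey('ChangedSince')
    $filter = 'Enabled -eq $true -and PasswordNeverExpires -eq $true'
    Get-ADUser -Filter $filter -Properties PasswordLastSet, UserPrincipalName |
        Where-Object {
            $u = $_
            if (-not $u.UserPrincipalName) { return $false }   # cannot be matched in Azure AD
            foreach ($p in $ExcludeSamPattern) {
                if ($u.SamAccountName -match $p) { return $false }
            }
            if ($onlyChanged -and (-not $u.PasswordLastSet -or $u.PasswordLastSet -le $ChangedSince)) {
                return $false
            }
            $true
        }
}

function Sync-NeverExpiresToAzureAD {
    <# For each on-prem user, ensure the Azure AD PasswordPolicies contains
       DisablePasswordExpiration, preserving any other flag already present
       (e.g. DisableStrongPassword). Emits one result row per user, suitable for Export-Csv. #>
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)] $User)
    process {
        $upn = $User.UserPrincipalName
        $row = [pscustomobject]@{ UserPrincipalName = $upn; Before = $null; Action = $null; Error = $null }
        try {
            $aad = Get-AzureADUser -ObjectId $upn -ErrorAction Stop
        } catch {
            $row.Action = 'NotFoundInAzureAD'; $row.Error = $_.Exception.Message
            return $row
        }
        $row.Before = $aad.PasswordPolicies
        # PasswordPolicies is a comma-separated string, "None", or empty
        $flags = @($aad.PasswordPolicies -split ',\s*' | Where-Object { $_ -and $_ -ne 'None' })
        if ($flags -contains 'DisablePasswordExpiration') {
            $row.Action = 'AlreadySet'
            return $row
        }
        $newValue = ($flags + 'DisablePasswordExpiration') -join ','
        if ($PSCmdlet.ShouldProcess($upn, "Set PasswordPolicies = $newValue")) {
            try {
                Set-AzureADUser -ObjectId $aad.ObjectId -PasswordPolicies $newValue -ErrorAction Stop
                $row.Action = 'Set'
            } catch {
                # e.g. the "on-premises mastered directory sync object" error quoted in the thread
                $row.Action = 'Failed'; $row.Error = $_.Exception.Message
            }
        } else {
            $row.Action = 'WhatIf'
        }
        $row
    }
}

# Usage (after Connect-AzureAD):
#   # one-off reconciliation of every never-expires account, keeping a CSV record of what was done
#   Get-NeverExpiresUsers | Sync-NeverExpiresToAzureAD | Export-Csv .\phs-never-expires.csv -NoTypeInformation
#   # daily scheduled task: only accounts whose on-prem password changed in the last day
#   Get-NeverExpiresUsers -ChangedSince (Get-Date).AddDays(-1) | Sync-NeverExpiresToAzureAD -WhatIf
```

Run it with -WhatIf first and review the Before/Action columns; a Failed row whose Error column carries the "on-premises mastered directory sync object" message is the same condition the thread discusses and will not be fixed by retrying the cmdlet. Excluding service accounts by name pattern is only as good as the naming convention, so check the excluded set against the CSV before trusting it.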