Forum Discussion
Microsoft Intune - Password Expiry/Reset
charlton828 - Thanks for the response.
We follow all the guidelines mentioned in those two articles. Let me explain the trouble with an example.
Users John, Grace and Mary all have password complexity enabled and are set to have their passwords expire after 90 days via the password policy. Let's say all three enrolled into Entra ID on 26th April 2024. By default password expiry is 90 days, so by 25th July 2024 their passwords will expire and they will be asked to reset.
Grace has reset her password without skipping; however, John and Mary, for some reason, keep skipping the password reset popup and carry on with their regular tasks.
Now in this case, because the password reset was not done, if we push any other policies on 26th July, both Mary's and John's machines won't get the policies pushed while the password reset is pending; likewise all new policies being pushed will sit in a QUEUE waiting for the password to be reset and a manual sync from the device.
Now, we are looking for:
1. How to ensure that no user can skip the password reset beyond the expiry period, i.e. 90 days?
2. Is there a way to identify such users?
3. What are the current best practices on this topic?
Appreciated!
cbs-mg Just to verify, your accounts are all Entra ID accounts, not local? Second, are your accounts fully cloud based or are they hybrid synced to on-prem using Entra Connect?
Thanks,
Charlton
- cbs-mg, Aug 03, 2024, Copper Contributor
CharltonBuchanan Thanks for the response.
1. Yes all are Entra ID Accounts
2. No Local
3. Hybrid - Entra Connect
- CharltonBuchanan, Aug 05, 2024, Copper Contributor
In the original documentation I posted above, towards the bottom, there is a section that talks about how those instructions are for cloud-only users.
This may be your problem.
If you use pass-through authentication, password hash sync, or ADFS with Entra Connect, there are a few different steps you need to follow. The first thing I would do is check what policy is assigned to the users who are able to skip without resetting their password. Use the PowerShell Graph commands at https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-policy#password-expiration-policies
Now, depending on which hybrid Entra Connect method you are using, there are different steps to follow. Use the following documentation links: if you are using password hash sync, https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-password-hash-synchronization#password-expiration-policy; pass-through authentication, https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-pta-how-it-works#how-does-microsoft-entra-pass-through-authentication-work; or federation, https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-fed-whatis. Although, it looks like if you implement pass-through authentication or ADFS, you would also have to set a GPO on your domain for password expiration. Most articles I've seen seem to recommend using password hash sync. If you have any other questions, let me know. If this answers your question, please mark as best answer.
Thank you,
Charlton Buchanan
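The checks Charlton describes above (which expiry policy a user actually has, who is past the window, and the hybrid password-hash-sync setting that decides whether the cloud expiry applies to synced users at all), worked through in Microsoft Graph PowerShell. This is an added example, not code from the thread or a verbatim copy of the linked Microsoft pages. The domain name contoso.com, the 90-day and 14-day values, and the user filter are assumptions; the cmdlets are from the Microsoft.Graph modules and need an admin who can consent to the listed scopes.

```powershell
# Added example: audit Entra ID password-expiry state for the scenario in the thread.
# Assumes the Microsoft.Graph PowerShell SDK is installed. Domain name, day counts and
# the user filter below are assumptions; adjust them for your tenant.
Connect-MgGraph -Scopes "User.ReadWrite.All", "Domain.ReadWrite.All", "OnPremDirectorySynchronization.ReadWrite.All"

# 1. The tenant-wide expiry window is a property of the verified domain, not of the user.
#    A null PasswordValidityPeriodInDays means passwords on that domain never expire.
$domain = Get-MgDomain -DomainId "contoso.com"   # assumed domain name
$domain | Select-Object Id, PasswordValidityPeriodInDays, PasswordNotificationWindowInDays

if ($domain.PasswordValidityPeriodInDays -ne 90) {
    Update-MgDomain -DomainId $domain.Id -PasswordValidityPeriodInDays 90 -PasswordNotificationWindowInDays 14
}

# 2. Per-user override: if a user's PasswordPolicies contains DisablePasswordExpiration the
#    domain setting is ignored for them. Report those users plus anyone whose last password
#    change is older than the window (the "John and Mary" case).
$cutoff = (Get-Date).AddDays(-90)
$users = Get-MgUser -All -Filter "accountEnabled eq true and userType eq 'Member'" `
    -Property Id, UserPrincipalName, PasswordPolicies, LastPasswordChangeDateTime, OnPremisesSyncEnabled

$report = foreach ($u in $users) {
    [pscustomobject]@{
        UserPrincipalName  = $u.UserPrincipalName
        HybridSynced       = [bool]$u.OnPremisesSyncEnabled
        NeverExpires       = ($u.PasswordPolicies -match 'DisablePasswordExpiration')
        LastPasswordChange = $u.LastPasswordChangeDateTime
        PastExpiry         = ($null -ne $u.LastPasswordChangeDateTime -and $u.LastPasswordChangeDateTime -lt $cutoff)
    }
}
$report | Where-Object { $_.NeverExpires -or $_.PastExpiry } | Format-Table -AutoSize

# Clear the override on cloud-only users so they follow the domain policy again.
# Synced users are deliberately left alone: their flag is managed by Entra Connect (step 3).
foreach ($u in ($users | Where-Object { $_.PasswordPolicies -match 'DisablePasswordExpiration' -and -not $_.OnPremisesSyncEnabled })) {
    Update-MgUser -UserId $u.Id -PasswordPolicies "None"
}

# 3. Hybrid with password hash sync: by default Entra Connect stamps synced users with
#    DisablePasswordExpiration, so only the on-premises AD policy governs expiry. The
#    sync feature below (per the PHS documentation linked in the reply above) makes the
#    cloud expiry policy apply to synced users as well.
$sync = Get-MgDirectoryOnPremiseSynchronization | Select-Object -First 1
$sync.Features.CloudPasswordPolicyForPasswordSyncedUsersEnabled

if (-not $sync.Features.CloudPasswordPolicyForPasswordSyncedUsersEnabled) {
    $sync.Features.CloudPasswordPolicyForPasswordSyncedUsersEnabled = $true
    Update-MgDirectoryOnPremiseSynchronization -OnPremisesDirectorySynchronizationId $sync.Id -Features $sync.Features
}
```

Two things worth checking before trusting the report: for hybrid users `LastPasswordChangeDateTime` reflects the on-premises `pwdLastSet` that Entra Connect synced, so an on-prem reset that has not synced yet will still show as overdue; and the step 3 feature does not retroactively change existing users' `PasswordPolicies` value in one go, so run the step 2 report again after the next sync cycle rather than immediately.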
- cbs-mg, Aug 05, 2024, Copper Contributor
Thanks Charlton Buchanan, it's a great response. Tried all these, including the GPO for password expiration, well before posting this question.