Sorry for asking again. You write that the user signs in with current AD creds (synced to AAD). This is a normal business username/password and no WHfB, which means no PIN/passcode/bio, therefore you can enforce the password policy, imho?! AD creds are username and password. Maybe I'm totally not getting the point, but I think you are doing the normal way of logon, which allows this policy. Sorry if I start the discussion again.