SOLVED

Enable Password Never Expires

Contributor

Hello,

Kindly, I need to know: if we enable "password never expires" from the Office 365 portal, how will it affect on-premises users if we are in a hybrid environment?

Regards,


6 Replies
Are you using password hash sync with Azure AD Connect?
Pass-Through Authentication, but if it's a hash, what will be the difference?

PTA and hash are totally different. With PTA authentication, if the user's password has expired on-prem, the cloud user will not be able to sign in, as the validation always happens through the PTA agent. For password hash sync, please see the scenarios below:

When the hash of the user is synced to Azure, the user in the cloud is set to password never expires.

Please see scenarios below:


| ITEM | USER ACTION | Effect in Password in Office 365 |
| --- | --- | --- |
| 120-day password expiry in Local AD was enforced | User changed password | The new password hash will be synced to Office 365; user can log in to Office 365 |
| 120-day password expiry in Local AD was enforced | User did not change password | The old password hash is still synced and cached to Azure AD; user can log in to Office 365; no prompt in Office 365 that the Local AD password needs to be changed |


Thanks for the reply. So if we have pass-through authentication, what should I do to enable password never expires for users as a best practice?
best response confirmed by ElieAT (Contributor)
Solution
With PTA, your users always rely on your on-prem AD authentication. Even if you set your password to never expire on Azure AD and the password is expired on-prem, the user will be blocked. The best practice for your case is to switch to password hash sync. If you need to keep the PTA scenario, then an alternative solution is to enable the password writeback feature so the user will have the ability to change or reset his password and the password will be synced back to the AD on-prem.

Refer to the link below to see how you can enable the password writeback feature:

https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr-writebac...
Appreciate your help
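
To see which accounts the behaviour described in this thread applies to, the following added example (not posted by anyone in the thread) lists enabled on-prem users whose AD password has already expired: per the replies above, these are the users who can still sign in to Office 365 under password hash sync and who are blocked under PTA. It assumes the RSAT ActiveDirectory module and read access to the domain; the function name `Get-PasswordExpiryState` is hypothetical.

```powershell
# Added example: audit on-prem AD for enabled users with an expired password.
# Assumes the ActiveDirectory (RSAT) module is installed.
Import-Module ActiveDirectory

# Hypothetical helper: classify the msDS-UserPasswordExpiryTimeComputed value.
function Get-PasswordExpiryState {
    param(
        [long]$ExpiryFileTime,
        [datetime]$Now = (Get-Date)
    )
    # 0 means the user must change the password at next logon.
    if ($ExpiryFileTime -eq 0) { return 'MustChangeAtNextLogon' }
    # Int64 max means the account is exempt from expiry on-prem;
    # FromFileTime() would throw on this value, so handle it first.
    if ($ExpiryFileTime -eq [long]::MaxValue) { return 'NeverExpires' }
    if ([datetime]::FromFileTime($ExpiryFileTime) -lt $Now) { return 'Expired' }
    return 'Valid'
}

$props = 'msDS-UserPasswordExpiryTimeComputed', 'PasswordLastSet', 'UserPrincipalName'

Get-ADUser -Filter 'Enabled -eq $true' -Properties $props |
    ForEach-Object {
        $ft = [long]$_.'msDS-UserPasswordExpiryTimeComputed'
        [pscustomobject]@{
            UserPrincipalName = $_.UserPrincipalName
            PasswordLastSet   = $_.PasswordLastSet
            State             = Get-PasswordExpiryState -ExpiryFileTime $ft
            ExpiredOn         = if ($ft -gt 0 -and $ft -ne [long]::MaxValue) {
                                    [datetime]::FromFileTime($ft)
                                } else { $null }
        }
    } |
    Where-Object State -eq 'Expired' |
    Sort-Object ExpiredOn |
    Format-Table -AutoSize
```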