AzureAD Password Policy impact after moving from AADConnec sync to Full cloud

%3CLINGO-SUB%20id%3D%22lingo-sub-2030438%22%20slang%3D%22en-US%22%3EAzureAD%20Password%20Policy%20impact%20after%20moving%20from%20AADConnec%20sync%20to%20Full%20cloud%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2030438%22%20slang%3D%22en-US%22%3E%3CDIV%20class%3D%22lia-message-subject-wrapper%20lia-component-subject%20lia-component-message-view-widget-subject-with-options%22%3E%3CDIV%20class%3D%22MessageSubject%22%3E%3CDIV%20class%3D%22MessageSubjectIcons%20%22%3EHi%26nbsp%3B%20all%2C%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%20class%3D%22lia-message-body%20lia-component-message-view-widget-body%20lia-component-body-signature-highlight-escalation%20lia-component-message-view-widget-body-signature-highlight-escalation%22%3E%3CDIV%20class%3D%22lia-message-body-content%22%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20plan%20to%20disable%20AADconnect%20dirsync%20to%20go%20full%20cloud%20and%20use%20only%20Azure%20AD.%3C%2FP%3E%3CP%3EAD%20OnPrem%20domain%20use%20a%20very%20%22light%22%20password%20policy%2C%20less%20restrictive%20than%20Azure%20AD.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CU%3EAD%20OnPrem%3A%3C%2FU%3E%3C%2FP%3E%3CP%3E-%20Complexity%20%3A%20Disabled%3C%2FP%3E%3CP%3E-%20Minimum%20password%20lenght%20%3A%206%20characters%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CU%3EOn%20Azure%20AD%3A%3C%2FU%3E%3C%2FP%3E%3CP%3E-%20Complexity%20%3A%20%3CSTRONG%3EEnabled%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E-%20Minimum%20password%20lenght%20%3A%20%3CSTRONG%3E8%20characters%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E-%20We%20use%20the%20global%20setting%20%22password%20never%20expire%22%20and%20default%20settings.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CU%3EQuestion%3A%3C%2FU%3E%3C%2FP%3E%3CP%3EWith%20the%20Azure%20AD%20global%20setting%20%22password%20never%20expire%22%20%3A%20when%20all%20users%20go%20%22Cloud%20Only%22%20there%20will%20be%20no%20impact%2C%20right%20%3F%3C%2FP%3E%3CP%3EEven%20if%20they%20have%20only%20a%206%20characters%20password%20without%20complexity%2C%20they%20can%20continue%20to%20use%20this%20password%20with%20an%20Azure%20AD%20cloud%20only%20account%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20!%3C%2FP%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2030438%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAAD%20Connect%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EAADConnect%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EAzure%20AD%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EPassword%20Expiration%20Policy%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Epassword%20policy%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2030977%22%20slang%3D%22en-US%22%3ERe%3A%20AzureAD%20Password%20Policy%20impact%20after%20moving%20from%20AADConnec%20sync%20to%20Full%20cloud%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2030977%22%20slang%3D%22en-US%22%3EHi%2C%20when%20leaving%20AAD%20Connect%20and%20being%20cloud-only%20the%20Azure%20AD%20password%20policy%20is%20applied%20(to%20all%20user%20accounts%20that%20are%20created%20and%20managed%20directly%20in%20Azure%20AD).%20That%20is%2C%20it%20will%20take%20precedence%20and%20you%20must%20meet%20the%20policy%20requirements%20minimum%20of%208%20characters.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2032065%22%20slang%3D%22en-US%22%3ERe%3A%20AzureAD%20Password%20Policy%20impact%20after%20moving%20from%20AADConnec%20sync%20to%20Full%20cloud%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2032065%22%20slang%3D%22en-US%22%3EYes%2C%20it%20forces%20them%20to%20change%20to%20at%20least%208%20to%20comply%20with%20AAD.%3CBR%20%2F%3E%3CBR%20%2F%3EGood%20luck!%3CBR%20%2F%3EMoe%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2032068%22%20slang%3D%22en-US%22%3ERe%3A%20AzureAD%20Password%20Policy%20impact%20after%20moving%20from%20AADConnec%20sync%20to%20Full%20cloud%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2032068%22%20slang%3D%22en-US%22%3EYes%20this%20is%20right%2C%20but%20%3A%3CBR%20%2F%3E-%20what%20will%20be%20the%20impact%20for%20user%20when%20he%20connect%20the%20first%20time%20with%20the%20cloud-only%20the%20Azure%20AD%20account%2C%20with%20a%206%20characters%20password%20and%20the%20Tenant%20set%20with%20%C2%AB%26nbsp%3Bpassword%20never%20expire%26nbsp%3B%C2%BB%20%3F%3CBR%20%2F%3E%3CBR%20%2F%3EIt%E2%80%99s%20like%20an%20AD%20Onprem%20password%20policy%20%3F%20%3A%20Password%20Policy%20only%20evaluated%20when%20the%20password%20is%20changed%20or%20expired%20%3F%3CBR%20%2F%3E-%26gt%3B%20so%20no%20impact%20for%20user%20connexion%20even%20if%20the%20current%20password%20don%E2%80%99t%20meet%20the%20AzureAD%20password%20policy%20%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2032069%22%20slang%3D%22en-US%22%3ERe%3A%20AzureAD%20Password%20Policy%20impact%20after%20moving%20from%20AADConnec%20sync%20to%20Full%20cloud%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2032069%22%20slang%3D%22en-US%22%3E%3CP%3EYes%20but%20when%20they%20will%20be%20forced%20to%20change%20the%20password%20if%20Tenant%20is%20set%20with%20%C2%AB%20password%20never%20expire%20%C2%BB%20%3F%3CBR%20%2F%3E%3CBR%20%2F%3E-%20what%20will%20be%20the%20impact%20for%20user%20when%20he%20connect%20the%20first%20time%20with%20the%20cloud-only%20the%20Azure%20AD%20account%2C%20with%20a%206%20characters%20password%20and%20the%20Tenant%20set%20with%20%C2%AB%20password%20never%20expire%20%C2%BB%20%3F%3CBR%20%2F%3E%3CBR%20%2F%3EIt%E2%80%99s%20like%20an%20AD%20Onprem%20password%20policy%20%3F%20%3A%20Password%20Policy%20only%20evaluated%20when%20the%20password%20is%20changed%20or%20expired%20%3F%3CBR%20%2F%3E-%26gt%3B%20so%20no%20impact%20for%20user%20connexion%20even%20if%20the%20current%20password%20don%E2%80%99t%20meet%20the%20AzureAD%20password%20policy%20%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Contributor
Hi  all,

 

We plan to disable AADconnect dirsync to go full cloud and use only Azure AD.

AD OnPrem domain use a very "light" password policy, less restrictive than Azure AD.

 

AD OnPrem:

- Complexity : Disabled

- Minimum password lenght : 6 characters

 

On Azure AD:

- Complexity : Enabled

- Minimum password lenght : 8 characters

- We use the global setting "password never expire" and default settings.

 

Question:

With the Azure AD global setting "password never expire" : when all users go "Cloud Only" there will be no impact, right ?

Even if they have only a 6 characters password without complexity, they can continue to use this password with an Azure AD cloud only account?

 

Thanks !

7 Replies
Hi, when leaving AAD Connect and being cloud-only the Azure AD password policy is applied (to all user accounts that are created and managed directly in Azure AD). That is, it will take precedence and you must meet the policy requirements minimum of 8 characters.
Yes, it forces them to change to at least 8 to comply with AAD.

Good luck!
Moe
Yes this is right, but :
- what will be the impact for user when he connect the first time with the cloud-only the Azure AD account, with a 6 characters password and the Tenant set with « password never expire » ?

It’s like an AD Onprem password policy ? : Password Policy only evaluated when the password is changed or expired ?
-> so no impact for user connexion even if the current password don’t meet the AzureAD password policy ?

Yes but when they will be forced to change the password if Tenant is set with « password never expire » ?

- what will be the impact for user when he connect the first time with the cloud-only the Azure AD account, with a 6 characters password and the Tenant set with « password never expire » ?

It’s like an AD Onprem password policy ? : Password Policy only evaluated when the password is changed or expired ?
-> so no impact for user connexion even if the current password don’t meet the AzureAD password policy ?

Hi, enable SSPR while you’re at it. As for the password if it doesn't meet the policy requirements, the user is prompted to try again.

https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy

Thanks @ChristianBergstrom for your answer.

Do you meen "If the password doesn't meet the policy requirements, the user is prompted to try again " : at the user connexion ?

My question is only related to user connexion, because password policy is set to never expire.

I haven't seen any Microsoft document that indicates that the password need to meet the AzureAD password policy at the user connexion.

 

For me the AAD password policy work like AD password policy : the password policy evaluation is made only when a user change the password, not at the connexion.

Did you have perhaps a reference?

 

We will activate SSPR only after the Tenant will be full cloud, but all users will not be complient, and want to minimize the impact when Tenant will switch to full cloud.

As far as I know it doesn’t matter if it’s set to never expire if the password doesn’t comply with the Azure AD password policy character requirements that’s assigned to all users being created in Azure AD. Even at the first connection, as the user objects are already there with the policy assigned.

How about opening a ticket with Microsoft support for an official response to ease your mind?