cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Impact with Password Policy when we disable AADConnect Dirsync

SRPfr
Copper Contributor

‎Dec 09 2020 03:38 PM - last edited on ‎Jan 14 2022 04:00 PM by

‎Dec 09 2020 03:38 PM - last edited on ‎Jan 14 2022 04:00 PM by

Impact with Password Policy when we disable AADConnect Dirsync

Hi  all,

 

We plan to disable AADconnect dirsync to go full cloud and use only Azure AD.

This domain use a very "light" password policy, less restrictive than Azure AD :

AD OnPrem :

- Complexity : Disabled

- Min lenght : 6 characters

- Max password age : 90 days.

Most user on AD OnPrem have password set to "never expire".

 

On Azure AD, we use the global setting "password never expire" and default settings.

 

Questions :

  • With the Azure AD global setting "password never expire" : when all users go "Cloud Only" there will be no impact, right ? Even if they have only a 6 characters password without complexity ?

 

  • If we use Azure AD global setting with an password expiration policy (like 90 days):
    • For user without previous "password never expire" on AD OnPrem : Password will expire 90 days after the user has been marked "Cloud Only" (With the deactivation AADconnect sync).
    • For user with previous "password never expire" on AD OnPrem: They will have no issue.

 

I'm right?

Thanks !

1,047 Views
0 Likes
3 Replies
Reply
3 Replies
Vasil Michev

‎Dec 09 2020 11:31 PM

‎Dec 09 2020 11:31 PM

Re: Impact with Password Policy when we disable AADConnect Dirsync

Azure AD doesnt really care what the on-premises expiration settings were, only the cloud-side one will take effect. As to complexity/length requirement, you might need to toggle the "StrongPasswordRequired" flag off.

0 Likes
Reply
SRPfr

‎Dec 10 2020 08:51 AM

‎Dec 10 2020 08:51 AM

Re: Impact with Password Policy when we disable AADConnect Dirsync

@Vasil MichevThanks Vasil for your answer.

I think you have only answered one question ;).

Do you have information on other questions below?

 

After we switch to full cloud users, the password policy for all users will change, and we don't want to lower the Azure AD password policy.

 

The question is more about :

  • After disabled AADConnect dirsync, when all users are set to "Cloud Only" there will be no impact, right ?
    • No impact when user authenticate to Azure AD with a password not matching the minimum requirements of new Azure AD Password policy ? Like a previous password set with only 6 characters password without complexity.

If we set Azure AD global setting with an password expiration policy (like 90 days):

  • For user without previous "password never expire" on AD OnPrem (After the deactivation of AADconnect sync) :
    • Password will expire 90 days after the user has been marked "Cloud Only"?
    • or does Azure AD keep the "password last set " from previous AD OnPrem ?
  • For user with previous "password never expire" on AD OnPrem:
    • Your Answer : This setting is not keep from previous sync with AADConnect
      • So all AzureAD user will apply a password with exipration, and we need to set again "password never expire" on each user that need this setting ? with : Set-AzureADUser -ObjectId XXX -PasswordPolicies DisablePasswordExpiration

Thanks !

0 Likes
Reply
SRPfr

‎Dec 21 2020 03:51 PM

‎Dec 21 2020 03:51 PM

Re: Impact with Password Policy when we disable AADConnect Dirsync

@SRPfr 

Hi,

Would someone have perhaps more informations about the impact with Password Policy when we disable AADConnect Dirsync.

Thanks !

0 Likes
Reply