Impact with Password Policy when we disable AADConnect Dirsync


Hi all,

 

We plan to disable AADconnect dirsync to go full cloud and use only Azure AD.

This domain uses a very "light" password policy, less restrictive than Azure AD:

AD OnPrem:

- Complexity: Disabled

- Min length: 6 characters

- Max password age: 90 days.

Most users on AD OnPrem have their password set to "never expire".

 

On Azure AD, we use the global setting "password never expire" and default settings.

 

Questions:

  • With the Azure AD global setting "password never expire": when all users go "Cloud Only" there will be no impact, right? Even if they have only a 6-character password without complexity?

 

  • If we use the Azure AD global setting with a password expiration policy (like 90 days):
    • For users without a previous "password never expire" on AD OnPrem: the password will expire 90 days after the user has been marked "Cloud Only" (with the deactivation of AADconnect sync).
    • For users with a previous "password never expire" on AD OnPrem: they will have no issue.

 

Am I right?

Thanks !

3 Replies

Azure AD doesn't really care what the on-premises expiration settings were, only the cloud-side one will take effect. As to complexity/length requirement, you might need to toggle the "StrongPasswordRequired" flag off.

@Vasil Michev Thanks Vasil for your answer.

I think you have only answered one question ;).

Do you have information on other questions below?

 

After we switch to full cloud users, the password policy for all users will change, and we don't want to lower the Azure AD password policy.

 

The question is more about:

  • After disabling AADConnect dirsync, when all users are set to "Cloud Only" there will be no impact, right?
    • No impact when a user authenticates to Azure AD with a password not matching the minimum requirements of the new Azure AD password policy? Like a previous password set with only 6 characters without complexity.

If we set the Azure AD global setting with a password expiration policy (like 90 days):

  • For users without a previous "password never expire" on AD OnPrem (after the deactivation of AADconnect sync):
    • Will the password expire 90 days after the user has been marked "Cloud Only"?
    • Or does Azure AD keep the "password last set" from the previous AD OnPrem?
  • For users with a previous "password never expire" on AD OnPrem:
    • Your answer: this setting is not kept from the previous sync with AADConnect
      • So all Azure AD users will get a password with expiration, and we need to set "password never expire" again on each user that needs this setting? With: Set-AzureADUser -ObjectId XXX -PasswordPolicies DisablePasswordExpiration

Thanks !
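An added example, not code from this thread or from Microsoft, of doing the last step above in bulk: it re-applies DisablePasswordExpiration with Set-AzureADUser (the cmdlet quoted in the reply) only to accounts that are now cloud-only, and then audits who is still subject to the tenant expiry policy. It assumes the AzureAD module with Connect-AzureAD already run, the on-prem ActiveDirectory module for the export step, and the $ExportPath and $DryRun names are chosen for this example.

```powershell
# Added example (not from the thread): re-apply "password never expires" to cloud-only
# users after AAD Connect sync is turned off, driven by a list exported from on-prem AD.
# Assumes the AzureAD module (Connect-AzureAD already run) and the on-prem ActiveDirectory
# module; $ExportPath and $DryRun are names chosen for this example.
param(
    [string]$ExportPath = '.\never-expire-users.csv',   # hypothetical path
    [switch]$DryRun
)

# Step 1 (run on-prem, BEFORE sync is disabled): export who had PasswordNeverExpires set.
# Get-ADUser -Filter 'PasswordNeverExpires -eq $true' -Properties PasswordNeverExpires |
#     Select-Object UserPrincipalName | Export-Csv $ExportPath -NoTypeInformation

# Step 2 (run against Azure AD, AFTER sync is disabled): re-apply the flag per user.
$wanted = Import-Csv $ExportPath | Select-Object -ExpandProperty UserPrincipalName

foreach ($upn in $wanted) {
    # Escape single quotes so the OData filter cannot be broken by an odd UPN.
    $safeUpn = $upn -replace "'", "''"
    $user = Get-AzureADUser -Filter "userPrincipalName eq '$safeUpn'"
    if (-not $user) {
        Write-Warning "$upn not found in Azure AD, skipping"
        continue
    }
    # Only touch accounts that are now cloud-only; synced objects are still owned on-prem.
    if ($user.DirSyncEnabled -eq $true) {
        Write-Warning "$upn is still DirSync-enabled, skipping"
        continue
    }
    if ($user.PasswordPolicies -like '*DisablePasswordExpiration*') {
        Write-Output "$upn already has DisablePasswordExpiration"
        continue
    }
    if ($DryRun) {
        Write-Output "[DryRun] would set DisablePasswordExpiration on $upn"
    } else {
        Set-AzureADUser -ObjectId $user.ObjectId -PasswordPolicies DisablePasswordExpiration
        Write-Output "Set DisablePasswordExpiration on $upn"
    }
}

# Step 3: audit the result, so every cloud-only user still under the tenant expiry policy is listed.
Get-AzureADUser -All $true |
    Where-Object { $_.DirSyncEnabled -ne $true -and
                   $_.PasswordPolicies -notlike '*DisablePasswordExpiration*' } |
    Select-Object UserPrincipalName, PasswordPolicies
```

Run it once with -DryRun to review the list before any account is changed; the step 3 output is also what to keep as evidence of who remains subject to expiration.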

@SRPfr 

Hi,

Would someone perhaps have more information about the impact on the password policy when we disable AADConnect Dirsync?

Thanks !