PHS remote users change password

%3CLINGO-SUB%20id%3D%22lingo-sub-2652971%22%20slang%3D%22en-US%22%3EPHS%20remote%20users%20change%20password%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2652971%22%20slang%3D%22en-US%22%3E%3CP%3EHello%20all%3C%2FP%3E%3CP%3EWe%20are%20currently%20in%20a%20hybrid%20PHS%20environment.%20We%20have%20SSPR%20turned%20on%20and%20its%20working.%20What%20i%20am%20trying%20to%20understand%20is%20how%20do%20we%20get%20%22work%20from%20home%20users%22%20to%20update%20their%20password%3F%20If%20they%20never%20log%20into%20the%20onprem%20domain%2C%20then%20the%20flag%26nbsp%3B%E2%80%9CDisablePasswordExpiration%E2%80%9D%26nbsp%3B%20will%20never%20be%20removed%20from%20the%20Azure%20AD%20account.%20Any%20advice%20is%20greatly%20appreciated%20.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2652971%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAccess%20Management%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EAzure%20AD%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EIdentity%20Management%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2653090%22%20slang%3D%22en-US%22%3ERe%3A%20PHS%20remote%20users%20change%20password%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2653090%22%20slang%3D%22en-US%22%3EHi%2C%20have%20a%20look%20at%20the%20%22EnforceCloudPasswordPolicyForPasswordSyncedUsers%22.%3CBR%20%2F%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fhybrid%2Fhow-to-connect-password-hash-synchronization%23enforcecloudpasswordpolicyforpasswordsyncedusers%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fhybrid%2Fhow-to-connect-password-hash-synchronization%23enforcecloudpasswordpolicyforpasswordsyncedusers%3C%2FA%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2653095%22%20slang%3D%22en-US%22%3ERe%3A%20PHS%20remote%20users%20change%20password%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2653095%22%20slang%3D%22en-US%22%3EIts%20already%20turned%20on%2C%20but%20the%20flag%20%E2%80%9CDisablePasswordExpiration%E2%80%9D%20on%20the%20user%20account%20doesnt%20get%20removed%20until%20the%20user%20first%20changes%20their%20password%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2653132%22%20slang%3D%22en-US%22%3ERe%3A%20PHS%20remote%20users%20change%20password%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2653132%22%20slang%3D%22en-US%22%3EI%20suppose%20you%20didn't%20enable%20it%20before%20enabling%20PHS%20then.%20And%20this%20is%20configured%20as%20well%3F%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fauthentication%2Ftutorial-enable-sspr-writeback%23enable-password-writeback-for-sspr%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fauthentication%2Ftutorial-enable-sspr-writeback%23enable-password-writeback-for-sspr%3C%2FA%3E%3C%2FLINGO-BODY%3E
Frequent Contributor

Hello all

We are currently in a hybrid PHS environment. We have SSPR turned on and its working. What i am trying to understand is how do we get "work from home users" to update their password? If they never log into the onprem domain, then the flag “DisablePasswordExpiration”  will never be removed from the Azure AD account. Any advice is greatly appreciated .

8 Replies
Hi, have a look at the "EnforceCloudPasswordPolicyForPasswordSyncedUsers".

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-password-hash-synchron...
Its already turned on, but the flag “DisablePasswordExpiration” on the user account doesnt get removed until the user first changes their password
I suppose you didn't enable it before enabling PHS then. And this is configured as well? https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr-writebac...
PHS was enabled first, then we turned on "DisablePasswordExpiration". We have SSPR turned on, and password writeback, but allow "users to unlock accounts without resetting their password" is off. Again what i am trying to understand is how can i handle all of my work from home users ? considering they will never change there password because they never log into the onprem domain

@Skipster311-1 As PHS was enabled before the EnforceCloudPasswordPolicyForPasswordSyncedUsers shouldn't forcing a password change solve this scenario considering you already have (1) enabled password writeback in Azure AD Connect and (2) password writeback for SSPR and (3) enabled the EnforceCloudPasswordPolicyForPasswordSyncedUsers (they now comply with Azure AD password expiration policy). When you enable SSPR to use password writeback, users who change or reset their password have that updated password synchronized back to the on-premises AD DS environment as well. Hence the DisablePasswordExpiration value [should] be removed from PasswordPolicies during the next password hash sync.

 

Just thinking out loud here, haven't used PHS..

 

@Thijs Lecomte Any input here?

 

 

I understand what you are saying. i can send out a company email to all remote users to update their password, but i am relying on them to actually follow the instructions and request, which is not always a simple process. I'm assuming i can force the remote users to change their password by removing the "DisablePasswordExpiration" from the account, which would immediately expire the password based on the current age of the users password
Hi Skip,

I have written a blogpost in the past about this feature, let me know if you still have some questions after reading the blog article: https://www.bilalelhaddouchi.nl/index.php/2020/09/24/comply-your-ad-password-expiration-policy-with-...
What do you mean by "hybrid PHS environment"? Are your users devices Azure AD Hybrid Joined or Azure AD Joined? Is your domain managed or federated? How do they normally change their passwords? Ctrl-Alt-Del?