
Are dirsync'ed accounts automatically set to not have their passwords expire in AAD?

Chris Parker
Contributor

To make a long story short, a colleague's password expired eight days ago in AD but he's still able to log in to the O365 portal and check his email.

What I've discovered is that almost all my AAD accounts are set to not have password expiration. This is not true for the accounts' counterparts in AD.

I checked and made sure that my tenant was not set to do this automatically.

Is this the expected behavior?

3 Replies
Solution

No. Password-synced users, however, are. From here: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-aadconnectsync-implement-pa...

Password expiration policy

If a user is in the scope of password synchronization, the cloud account password is set to "Never Expire". You can continue to sign in to your cloud services using a synchronized password that has been expired in your on-premises environment. Your cloud password is updated the next time you change the password in the on-premises environment.

Thanks for the citation. But why would they do this? I don't see how this is not a huge security problem.

Not sure, guess to avoid situations in which the synced password will expire (as it's governed by the O365 policy).
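
To see how many accounts are in the state described in this thread (password expired on-premises, cloud account still synced and usable), the audit below joins both directories. It is an added example, not part of the original posts; it assumes the ActiveDirectory (RSAT) and Microsoft.Graph.Users modules are installed, that on-premises and cloud UPNs match, and that the caller can read users in both directories.

```powershell
# Added example: report users whose on-premises AD password has expired
# while their synced cloud account is still enabled.
# Assumptions: ActiveDirectory + Microsoft.Graph.Users modules, matching UPNs.
Import-Module ActiveDirectory
Connect-MgGraph -Scopes 'User.Read.All'

# Cloud side: index enabled, directory-synced accounts by lower-cased UPN.
$cloud = @{}
Get-MgUser -All -Property UserPrincipalName, PasswordPolicies, AccountEnabled, OnPremisesSyncEnabled |
    Where-Object { $_.OnPremisesSyncEnabled -and $_.AccountEnabled } |
    ForEach-Object { $cloud[$_.UserPrincipalName.ToLower()] = $_ }

$now   = Get-Date
$never = [Int64]::MaxValue   # AD's "never expires" marker (0x7FFFFFFFFFFFFFFF)

# On-premises side: msDS-UserPasswordExpiryTimeComputed is a FILETIME that
# already accounts for fine-grained password policies.
$report = Get-ADUser -Filter 'Enabled -eq $true' -Properties 'msDS-UserPasswordExpiryTimeComputed' |
    ForEach-Object {
        $raw = $_.'msDS-UserPasswordExpiryTimeComputed'

        # Skip never-expiring accounts and "must change at next logon" (0),
        # which is a different state from an aged-out password.
        if ($null -eq $raw -or $raw -eq 0 -or $raw -eq $never) { return }
        if (-not $_.UserPrincipalName) { return }

        $expires = [datetime]::FromFileTime($raw)
        if ($expires -ge $now) { return }            # not expired on-premises

        $c = $cloud[$_.UserPrincipalName.ToLower()]
        if (-not $c) { return }                      # not a synced cloud user

        [pscustomobject]@{
            UserPrincipalName     = $_.UserPrincipalName
            OnPremExpiredOn       = $expires
            DaysExpired           = [int]($now - $expires).TotalDays
            CloudPasswordPolicies = $c.PasswordPolicies
            CloudNeverExpires     = ($c.PasswordPolicies -match 'DisablePasswordExpiration')
        }
    }

$report | Sort-Object DaysExpired -Descending | Format-Table -AutoSize
```

Rows with a large `DaysExpired` value are accounts that can still sign in to cloud services with a password the on-premises policy no longer accepts.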
