SOLVED

Are dirsync'ed accounts automatically set to not have their passwords expire in AAD?


To make a long story short, a colleague's password expired eight days ago in AD, but he's still able to log in to the O365 portal and check his email.

What I've discovered is that almost all my AAD accounts are set to not have password expiration. This is not true for the accounts' counterparts in AD.

I checked and made sure that my tenant was not set to do this automatically.

Is this the expected behavior?

3 Replies
Solution

No. Password-synced users, however, are. From here: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-aadconnectsync-implement-pa...

Password expiration policy

If a user is in the scope of password synchronization, the cloud account password is set to "Never Expire". You can continue to sign in to your cloud services using a synchronized password that has been expired in your on-premises environment. Your cloud password is updated the next time you change the password in the on-premises environment.

Thanks for the citation. But why would they do this? I don't see how this is not a huge security problem.

Not sure; I guess it's to avoid situations in which the synced password would expire (as it's governed by the O365 policy).
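The behaviour quoted in the accepted answer (synced accounts get DisablePasswordExpiration in the cloud) can be audited from the tenant side. The following script is an added example and not from the thread or from Microsoft; it uses the Microsoft Graph PowerShell SDK (Get-MgUser) and assumes User.Read.All consent, that $OnPremMaxPasswordAgeDays matches your AD domain policy, and that lastPasswordChangeDateTime for a synced user tracks the last on-premises change closely enough to estimate expiry.

```powershell
# Added example (not the thread's or Microsoft's code): list synced cloud accounts
# whose cloud password never expires and whose on-premises password has probably
# already expired, i.e. the situation described in the original post.
# Assumption: the Microsoft Graph PowerShell SDK is installed (Install-Module Microsoft.Graph).
param(
    # Assumption: set this to your AD domain's maximum password age.
    [int]$OnPremMaxPasswordAgeDays = 90
)

Connect-MgGraph -Scopes 'User.Read.All' | Out-Null

# Only request the attributes needed for the audit.
$props = 'userPrincipalName', 'passwordPolicies', 'onPremisesSyncEnabled',
         'lastPasswordChangeDateTime', 'accountEnabled'
$users = Get-MgUser -All -Property $props

# Anything changed before this point is past the on-premises maximum age.
$cutoff = (Get-Date).ToUniversalTime().AddDays(-$OnPremMaxPasswordAgeDays)

$report = foreach ($u in $users) {
    # passwordPolicies is a comma-separated string, e.g. "DisablePasswordExpiration".
    $neverExpires = ($u.PasswordPolicies -split ',') -contains 'DisablePasswordExpiration'

    # Assumption: for synced users the cloud timestamp approximates the on-prem change time.
    $likelyExpiredOnPrem = [bool]$u.OnPremisesSyncEnabled -and
                           $null -ne $u.LastPasswordChangeDateTime -and
                           ($u.LastPasswordChangeDateTime -lt $cutoff)

    [pscustomobject]@{
        UserPrincipalName     = $u.UserPrincipalName
        AccountEnabled        = $u.AccountEnabled
        Synced                = [bool]$u.OnPremisesSyncEnabled
        CloudNeverExpires     = $neverExpires
        LastPasswordChangeUtc = $u.LastPasswordChangeDateTime
        LikelyExpiredOnPrem   = $likelyExpiredOnPrem
    }
}

# Enabled, synced accounts that can still sign in to the cloud with a password
# that has expired on-premises. Oldest passwords first.
$report |
    Where-Object { $_.AccountEnabled -and $_.Synced -and $_.CloudNeverExpires -and $_.LikelyExpiredOnPrem } |
    Sort-Object LastPasswordChangeUtc |
    Format-Table -AutoSize

Disconnect-MgGraph | Out-Null
```

The resulting list is the set of users for whom the on-premises expiry is not being enforced in the cloud, which is the gap the thread is asking about.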
