cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Configuring Password Expiration Policy with Password Hash Sync

yzgulec
Copper Contributor

‎Sep 15 2020 10:10 AM

‎Sep 15 2020 10:10 AM

Configuring Password Expiration Policy with Password Hash Sync

We are using Password Hash Sync to sync users from on-prem to o365. I try to enable password expiration on O365 so I used below command to enable it without any problem:

 

Set-MsolDirSyncFeature -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers -Enable $true

 

As a second step, I need to set PasswordPolicy to None for synchronized users using below command:

 

Get-AzureADUser -All $true | Where-Object { $_.DirSyncEnabled -eq $true -and $_.PasswordPolicies -eq 'DisablePasswordExpiration' } | ForEach-Object {Set-AzureADUser -ObjectId $_.ObjectID -PasswordPolicies None}

 

I get below error message when I try to set PasswordPolicies parameter to None.

 

Set-AzureADUser : Error occurred while executing SetUser
Code: Request_BadRequest
Message: Unable to update the specified properties for on-premises mastered Directory Sync objects or objects
currently undergoing migration.
RequestId: 8ff45ed7-829d-4357-a6a6-f35e72ebb326
DateTimeStamp: Tue, 15 Sep 2020 15:43:37 GMT
HttpStatusCode: BadRequest
HttpStatusDescription: Bad Request
HttpResponseStatus: Completed
At line:1 char:68

 

How can I set this parameter to none so that I can disable "Password Never Expire" feature for synced users.

 

Below, you may find references I use to set this option:

 

https://evotec.xyz/azuread-enable-password-expiration-with-password-hash-synchronization/

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-password-hash-synchron...

Labels:
3,763 Views
0 Likes
2 Replies
Reply
2 Replies
ChristianBergstrom

‎Sep 16 2020 02:17 AM

‎Sep 16 2020 02:17 AM

Re: Configuring Password Expiration Policy with Password Hash Sync

@yzgulec Hi, as far as I understand that is set to "none" by default when using EnforceCloudPasswordPolicyForPasswordSyncedUsers

 

"Once enabled, Azure AD does not go to each synchronized user to remove the DisablePasswordExpiration value from the PasswordPolicies attribute. Instead, the value is set to None during the next password sync for each user when they next change their password in on-premises AD. "

 

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-password-hash-synchron...

0 Likes
Reply
yzgulec

‎Sep 16 2020 03:47 AM

‎Sep 16 2020 03:47 AM

Re: Configuring Password Expiration Policy with Password Hash Sync

@ChristianBergstrom Thanks for reply.

 

I tested and noticed that when user changes on-prime password and synced to O365, the "PasswordPolicies" attribute becomes "None" (Exactly same as stated "Instead, the value is set to None during the next password sync for each user when they next change their password in on-premises AD. ")

 

But I couldn't manage the change it manually by using PS commands. 

0 Likes
Reply