Microsoft Intune - Password Expiry/Reset

Question

Folks -&nbsp;We've unique scenario where end users are skipping the password reset after the default expiry for example 90 days.&nbsp;How can we enforce users to change within 90 days or change on the expiry day itself without skipping?Is there any way to ensure that no user shall use the system without resetting the password with the maximum age of 90 or 91 days at the most?&nbsp;Best&nbsp;CBS

charlton828 · Answer

cbs-mg&nbsp;Hello.&nbsp; Microsoft technically recommends against password expiration; however, this doc has the proper process for https://learn.microsoft.com/en-us/microsoft-365/admin/manage/set-password-expiration-policy?view=o365-worldwide. Is this the process you followed?&nbsp; Also here is another link with some https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-policy#password-expiration-policies.&nbsp;&nbsp;&nbsp;Thanks,&nbsp;Charlton Buchanan

cbs-mg · Answer

charlton828&nbsp;- Thanks for the Response.&nbsp;We follow all the guidelines mentioned in those two articles. Let me explain the trouble with an example.&nbsp;Users John, Grace and Mary are all having password complexity enabled and set to expire the password for 90 days using the password policy. Lets say, all three enrolled into Entra ID on 26th of April 2024. Now by default password expiry is for 90 days so by 25th July 2024, their passwords will expire and will ask to reset.&nbsp;&nbsp;Grace have reset her password without skipping however, John and Mary due to some reasons, they keep skipping the password reset popup and keep working on their regular tasks.&nbsp;&nbsp;Now in this case, as the password reset was not done, if we push any other policies on 26th July, both Mary and John machines wont be able to get the policies pushed as the password reset is pending; similarly all the new policies which are being pushed will be in QUEUE waiting for the password to reset and get a manual Sync from the device.&nbsp;Now, we are looking for:&nbsp;1. How to ensure that no user can skip the password reset beyond the expiry period i.e. 90 days?&nbsp;2. If there is way to identify such users?3. What are the current best practices around in this topic?&nbsp;Appreciated!&nbsp;

charltonbuchanan · Answer

cbs-mgJust to verify, your accounts are all Entra ID accounts, not local? Second, are your accounts fully cloud based or are they hybrid synced to on-prem using Entra Connect?

Thanks,

Charlton

cbs-mg · Answer

CharltonBuchanan&nbsp;Thanks for the Response.&nbsp;1. Yes all are Entra ID Accounts&nbsp;2. No Local3. Hybrid - Entra Connect&nbsp;

charltonbuchanan · Answer

cbs-mg&nbsp;&nbsp;In the original documentation I posted above, towards the bottom, there is a section that talks about how those instructions are for cloud-only users.&nbsp;This may be your problem.&nbsp;&nbsp;If you use pass-through authentication, password hash sync, or ADFS with Entra Connect, there will be a few different steps you need to follow.&nbsp; The first thing I would do is check what policy is assigned to the users who are able to skip without resetting their password.&nbsp; Use the PowerShell Graph commands at https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-policy#password-expiration-policies&nbsp;Now depending on which hybrid Entra Connect method you are using, there are different steps to follow.&nbsp; Use the following documentation links: If you are using https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-password-hash-synchronization#password-expiration-policy, https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-pta-how-it-works#how-does-microsoft-entra-pass-through-authentication-work, or https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-fed-whatis.&nbsp; Although, it looks like if you implement pass-through authentication or ADFS, you would also have to set a GPO on your domain for password expiration.&nbsp; Most articles I've seen seem to recommend using password hash sync.&nbsp; If you have any other questions, let me know.&nbsp; If this answers your question, please mark as best answer.&nbsp;Thank you,&nbsp;Charlton Buchanan

Forum Discussion

Microsoft Intune - Password Expiry/Reset

7 Replies

Resources