AD connect - Password expiration notification


We have O365 users who are dependent on local AD (AD Connect).

They do not use their account to log in to AD/Windows but use UPN and AD password as authentication to O365.

What happens if the 90-day password expiration in local AD kicks in?

1. Can users still log in to O365?

2. How can users in O365 be notified that their password in local AD is about to expire?

2 Replies
It all depends on whether you use pass-through authentication or not. If not, then passwords won't expire in 365, since the auth never hits the on-prem server that checks that. Azure AD has its own password policy settings.

If you use pass-through, though, they will expire, since your local AD servers are doing the auth for 365.

To clarify what Chris wanted to say: if you use password hash sync, the cloud password is set to never expire, and the users will still be able to log in. If you don't have password hash sync configured, or if you are using pass-through auth, it will not work once the password is expired.

The notification about password expiration will also depend on the configuration, and generally you can consider it "not reliable". Use a custom notification script instead; there are many examples available online.
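
The custom notification script suggested in the last reply could select its recipients as follows. This is an added example, not code from anyone in this thread; it reads the on-prem AD attribute `msDS-UserPasswordExpiryTimeComputed`, and the function name `Get-ExpiringPassword`, the 14-day window and the sample users are assumptions made for illustration.

```powershell
# Added example: pick accounts whose on-prem AD password expires within a warning window.
# In production the input would come from the ActiveDirectory module, for example:
#   Get-ADUser -Filter 'Enabled -eq $true' -Properties mail, 'msDS-UserPasswordExpiryTimeComputed'
# and each result would be mailed through your own SMTP relay.

$NeverExpires = [Int64]::MaxValue   # 0x7FFFFFFFFFFFFFFF: password set to never expire

function Get-ExpiringPassword {     # hypothetical helper name
    param(
        [Parameter(Mandatory)] [object[]] $User,
        [int] $WarnDays = 14,
        [datetime] $Now = (Get-Date)
    )
    foreach ($u in $User) {
        $raw = [Int64] $u.'msDS-UserPasswordExpiryTimeComputed'
        # 0 (or missing) = no usable pwdLastSet; MaxValue = never expires. Nothing to warn about.
        if ($raw -le 0 -or $raw -eq $NeverExpires) { continue }
        # No mail attribute means nobody to notify; report these separately if needed.
        if (-not $u.mail) { continue }

        $expires = [datetime]::FromFileTimeUtc($raw)
        $days    = [math]::Floor(($expires - $Now.ToUniversalTime()).TotalDays)
        if ($days -ge 0 -and $days -le $WarnDays) {
            [pscustomobject]@{ Mail = $u.mail; ExpiresUtc = $expires; DaysLeft = [int]$days }
        }
    }
}

# Constructed sample input standing in for Get-ADUser output.
$now = [datetime]::new(2024, 1, 10, 0, 0, 0, [DateTimeKind]::Utc)
$sample = @(
    [pscustomobject]@{ mail = 'alice@example.com'; 'msDS-UserPasswordExpiryTimeComputed' = $now.AddDays(5).ToFileTimeUtc() }
    [pscustomobject]@{ mail = 'bob@example.com';   'msDS-UserPasswordExpiryTimeComputed' = $now.AddDays(60).ToFileTimeUtc() }
    [pscustomobject]@{ mail = 'svc@example.com';   'msDS-UserPasswordExpiryTimeComputed' = $NeverExpires }
    [pscustomobject]@{ mail = $null;               'msDS-UserPasswordExpiryTimeComputed' = $now.AddDays(2).ToFileTimeUtc() }
)

# Only alice@example.com falls inside the 14-day window.
Get-ExpiringPassword -User $sample -WarnDays 14 -Now $now | ForEach-Object {
    "Notify $($_.Mail): password expires in $($_.DaysLeft) day(s) on $($_.ExpiresUtc.ToString('u'))"
}
```

Run it on a schedule with a window long enough that users relying on pass-through authentication are warned before the expiry locks them out of O365.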