Password Expiration with AAD connect Password hash sync



When Password Sync is enabled, the cloud password for a synchronized user is set to “never expires”. This means that the password synchronized to the cloud is still valid after the on-premises password expires.

 

Please see scenarios below:

 

Scenario 1
  Item: 120-day password expiry in Local AD was enforced
  User action: User changed password
  Effect on password in Office 365:
    • The new password hash will be synced to Office 365
    • User can log in to Office 365

Scenario 2
  Item: 120-day password expiry in Local AD was enforced
  User action: User did not change password
  Effect on password in Office 365:
    • The old password hash is still synced and cached to Azure AD
    • User can log in to Office 365
    • No prompt in Office 365 that the Local AD password needs to be changed

Is there a way that we can enforce the following:

 

- force Office 365 users to change password in Local AD once the password expiration in local AD is enforced

- disable users in office 365 if the password in local AD is expired

 

thanks

 

7 Replies

You can certainly create some script or custom AAD Connect rules to disable the user upon password expiration, or force a password change in O365. But there is no out of the box solution, if that's what you ask for.

Or also switch over to a pass-through authentication model. This way your auth gets passed via an agent so that your AD does the auth. This will follow all local AD rules.

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta-quick-start

Hello @Marvin Oco,

I noticed MS is working to find a better solution for this (link: Allow password expiration policy to sync from on-prem AD to Azure AD).

 

In the meantime, even if PasswordNeverExpires=True when password sync is enabled (AADConnect), Azure lets you change the attribute to False via PowerShell; can that be considered a workaround? Will it then inherit the password expiration policy set in Azure AD?

 

What about that?

 

Thank you,

Luca


I was investigating this situation a bit and upon finding this thread I thought it might be good to update it. Microsoft has added a feature in public preview where you can turn on password expiration when using the password hash synchronization scenario. Bad news, however: documentation recommends that this be turned on before password sync is turned on.

 

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-password-hash-synchron...

 

Also, I've seen comments in the user voice post Luca referenced saying that people have contacted MS support and have received other ways to work around this.


Hello @Timothy Balk,

Well, we implemented the EnforceCloudPasswordPolicyForPasswordSyncedUsers feature some time ago and set the same password expiration policy as on-premise AD (90 days*), but unfortunately it was enabled with password hash sync already in place; so every time a new user is synced to Azure AD (initial sync of password) the PasswordPolicies attribute is set to the DisablePasswordExpiration value by default. The (manual) solution is to change it via PowerShell:

 

Single user:

 

Set-AzureADUser -ObjectId <user ID> -PasswordPolicies None

 

In bulk:

 

Get-AzureADUser -All $true | Set-AzureADUser -PasswordPolicies None

 

I hope Microsoft can find a more flexible way to manage it.

 

* - There is a limit when there are multiple on-premise AD domains with different password expiration policy, all syncing with same Azure AD tenant through AAD Connect and sharing the same registered domain.
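The bulk pipeline in the reply above resets PasswordPolicies on every account Get-AzureADUser returns, cloud-only accounts included. The script below is an added example (not code from the thread or from Microsoft) that limits the change to directory-synced users still carrying DisablePasswordExpiration and supports a dry run first; it assumes the AzureAD module used in the reply and an existing Connect-AzureAD session.

```powershell
# Added example: remediate only synced users whose cloud password is set to never expire.
# Assumes: AzureAD module, Connect-AzureAD already run with sufficient rights.
param(
    [switch]$WhatIf   # list the affected users without changing anything
)

# DirSyncEnabled marks accounts that come from on-premises AD via AAD Connect.
# PasswordPolicies can hold several comma-separated flags, so match with -like.
$targets = @(
    Get-AzureADUser -All $true |
        Where-Object {
            $_.DirSyncEnabled -eq $true -and
            $_.PasswordPolicies -like '*DisablePasswordExpiration*'
        }
)

Write-Host ("{0} synced user(s) still have DisablePasswordExpiration set" -f $targets.Count)

foreach ($u in $targets) {
    if ($WhatIf) {
        Write-Host ("WhatIf: would set PasswordPolicies=None on {0}" -f $u.UserPrincipalName)
        continue
    }
    try {
        # Same cmdlet as in the reply, applied per user instead of to the whole tenant.
        Set-AzureADUser -ObjectId $u.ObjectId -PasswordPolicies None
        Write-Host ("Updated {0}" -f $u.UserPrincipalName)
    }
    catch {
        Write-Warning ("Failed on {0}: {1}" -f $u.UserPrincipalName, $_.Exception.Message)
    }
}
```

Run it with -WhatIf first and keep the printed list; it is the record of which accounts moved from "never expires" to the tenant policy.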

Just to be sure:

When the on-premise password expiration policy is set to 90 days and the Azure AD policy is also set to 90 days, does the password expire at the same time on-premise and in the cloud, regardless of when the Azure AD password policy is switched on?

Thanks

@ThomasK007,

I'll try to give you a detailed answer.

Until you have the EnforceCloudPasswordPolicyForPasswordSyncedUsers disabled (which is the default), an Azure AD user coming from on-premise AD (synced by AAD Connect) has its account password set to Never Expire.

 

"Password expiration policy

If a user is in the scope of password hash synchronization, by default the cloud account password is set to Never Expire.

You can continue to sign in to your cloud services by using a synchronized password that is expired in your on-premises environment. Your cloud password is updated the next time you change the password in the on-premises environment."

 

Reference: Implement password hash synchronization with Azure AD Connect sync | Microsoft Docs

 

Once you enable the EnforceCloudPasswordPolicyForPasswordSyncedUsers feature and set the PasswordPolicies attribute to None (instead of DisablePasswordExpiration), the expiration time for an Azure AD user should be calculated referring to read-only attribute LastPasswordChangeTimestamp (you can retrieve it by using the Get-MsolUser cmdlet), depending on expiration policy.

 

Now if you have AAD Connect with password hash sync and the same password expiration policy set on both Azure AD and on-premise AD (e.g. 90 days), every time a password is changed in on-premise AD the pwdlastset attribute is updated, the password itself is synced with Azure AD and LastPasswordChangeTimestamp updates accordingly, so they both expire at the same time (maybe a few minutes off); if you also have the password writeback functionality in place (link: How does self-service password reset writeback work in Azure Active Directory? | Microsoft Docs) the behavior described above also works when the password is changed from Azure AD and synced back to on-premise AD.

 

It should be right (please, can someone else confirm that?)

I hope I was clear.

 

Bye,

Luca
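The reply above describes the cloud expiry as LastPasswordChangeTimestamp plus the policy validity period. The script below is an added example (not code from the thread or from Microsoft) that applies that calculation to find synced users whose cloud password is already past the on-premises validity period but still works because PasswordNeverExpires is set; it assumes the MSOnline module (Get-MsolUser, as named in the reply), an existing Connect-MsolService session, and the 90-day period discussed in the thread as the default.

```powershell
# Added example: list synced users whose cloud password would already be expired
# under the on-premises policy. Assumes MSOnline module and Connect-MsolService done.
param(
    # Validity period in days; Get-MsolPasswordPolicy -DomainName <domain> shows the tenant value.
    [int]$ValidityDays = 90
)

$now = (Get-Date).ToUniversalTime()

Get-MsolUser -All |
    # LastDirSyncTime is populated only for accounts synced from on-premises AD.
    Where-Object { $null -ne $_.LastDirSyncTime -and $null -ne $_.LastPasswordChangeTimestamp } |
    ForEach-Object {
        # Expiry as described in the thread: last change timestamp + validity period.
        $expires = $_.LastPasswordChangeTimestamp.AddDays($ValidityDays)
        [pscustomobject]@{
            UserPrincipalName     = $_.UserPrincipalName
            # True while PasswordPolicies still contains DisablePasswordExpiration:
            # the account keeps signing in with a password that is expired on-premises.
            CloudNeverExpires     = $_.PasswordNeverExpires
            LastPasswordChangeUtc = $_.LastPasswordChangeTimestamp
            WouldExpireUtc        = $expires
            PastValidity          = ($expires -lt $now)
        }
    } |
    Where-Object { $_.PastValidity } |
    Sort-Object WouldExpireUtc |
    Format-Table -AutoSize
```

Rows with CloudNeverExpires = True are exactly the "old password hash still works" case from the opening post's second scenario.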