Forum Discussion
Password Expiration with AAD connect Password hash sync
Hello TimLB,
well, we implemented the EnforceCloudPasswordPolicyForPasswordSyncedUsers feature some time ago, and set the same password expiration policy as on-premises AD (90 days*), but unfortunately it was enabled with password hash sync already in place; so every time a new user is synced to Azure AD (initial sync of the password), the PasswordPolicies attribute is set to the DisablePasswordExpiration value by default. The (manual) solution is to change it via PowerShell:
Single user:
Set-AzureADUser -ObjectId <user ID> -PasswordPolicies None
In bulk:
Get-AzureADUser -All $true | Set-AzureADUser -PasswordPolicies None
I hope Microsoft can find a more flexible way to manage it.
* - There is a limitation when there are multiple on-premises AD domains with different password expiration policies, all syncing with the same Azure AD tenant through AAD Connect and sharing the same registered domain.
We have a similar issue and it's a major security concern. Now my infosec team wants expired passwords to get blocked.
As I said, I am planning to run the below command for the entire organization.
Get-AzureADUser -All $true | Set-AzureADUser -PasswordPolicies None
Is it going to impact users who are already logged into mailboxes, cloud apps and on-prem custom apps when we run the above command?
Any help really appreciated.
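An added example (not from either poster) of a more controlled version of the bulk command above: it audits which directory-synced users still carry DisablePasswordExpiration, reports them, and resets only those, with a dry-run switch and an exclusion list. It assumes the AzureAD module, an existing Connect-AzureAD session, and a constructed break-glass UPN as the excluded account.

```powershell
# Added example: audit and reset PasswordPolicies for synced users only,
# instead of piping every user in the tenant into Set-AzureADUser.
# Assumes the AzureAD module and an existing Connect-AzureAD session.

function Reset-SyncedUserPasswordPolicy {
    [CmdletBinding()]
    param(
        # UPNs to leave untouched (break-glass or service accounts); constructed list.
        [string[]]$ExcludeUpn = @(),
        # When set, only report what would change.
        [switch]$DryRun
    )

    # Pull every user once; PasswordPolicies and DirSyncEnabled are part of
    # the default Get-AzureADUser output.
    $users = Get-AzureADUser -All $true

    $targets = $users | Where-Object {
        $_.DirSyncEnabled -eq $true -and
        $_.PasswordPolicies -match 'DisablePasswordExpiration' -and
        $ExcludeUpn -notcontains $_.UserPrincipalName
    }

    Write-Host ("{0} synced users have DisablePasswordExpiration set" -f @($targets).Count)

    foreach ($u in $targets) {
        if ($DryRun) {
            Write-Host ("WOULD CHANGE {0} ({1}): {2} -> None" -f $u.UserPrincipalName, $u.ObjectId, $u.PasswordPolicies)
            continue
        }
        try {
            # Note: "None" also clears any other value in PasswordPolicies
            # (for example DisableStrongPassword), so review the preview first.
            Set-AzureADUser -ObjectId $u.ObjectId -PasswordPolicies None
            Write-Host ("changed {0}" -f $u.UserPrincipalName)
        } catch {
            Write-Warning ("failed for {0}: {1}" -f $u.UserPrincipalName, $_.Exception.Message)
        }
    }
    return $targets
}

# Preview first, then apply (breakglass@example.com is a constructed placeholder):
# Reset-SyncedUserPasswordPolicy -ExcludeUpn 'breakglass@example.com' -DryRun
# Reset-SyncedUserPasswordPolicy -ExcludeUpn 'breakglass@example.com'
```

The dry-run output lets you size the affected population and spot service accounts before anything is changed.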