I was investigating into this situation a bit and upon finding this thread - I thought it might be good to update it. Microsoft has added a feature in public preview where you can turn on password expiration when using the password hash synchronization scenario. Bad news however. documentation recommends that this be turned on before password sync is turned on.

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-password-hash-synchron...

Also, I've seen comments in the user voice post Luca referenced saying that people have contacted MS support and have received other ways to work around this.

Hello @Timothy Balk,

well, we implemented the EnforceCloudPasswordPolicyForPasswordSyncedUsers feature time ago, and set the same password expiration policy like on-premise AD (90 days*) but unfortunately, it was enabled with password hash sync already in place; so every time a new user is synced to Azure AD (initial sync of password) the PasswordPolicies attribute is set to DisablePasswordExpiration value by default. The (manual) solution is to change it via PowerShell:

Single user:

Set-AzureADUser -ObjectId <user ID> -PasswordPolicies None

In bulk:

Get-AzureADUser -All $true | Set-AzureADUser -PasswordPolicies None

I hope Microsoft can find a more flexible way to manage it.

* - There is a limit when there are multiple on-premise AD domains with different password expiration policy, all syncing with same Azure AD tenant through AAD Connect and sharing the same registered domain.

@ThomasK007,

I try to give you a detailed answer.

Until you have the EnforceCloudPasswordPolicyForPasswordSyncedUsers disabled (which is the default), an Azure AD user coming from on-premise AD (synced by AAD Connect) has its account password set to Never Expire.

"Password expiration policy

If a user is in the scope of password hash synchronization, by default the cloud account password is set to Never Expire.

You can continue to sign in to your cloud services by using a synchronized password that is expired in your on-premises environment. Your cloud password is updated the next time you change the password in the on-premises environment."

Reference: Implement password hash synchronization with Azure AD Connect sync | Microsoft Docs

Once you enable the EnforceCloudPasswordPolicyForPasswordSyncedUsers feature and set the PasswordPolicies attribute to None (instead of DisablePasswordExpiration), the expiration time for an Azure AD user should be calculated referring to read-only attribute LastPasswordChangeTimestamp (you can retrieve it by using the Get-MsolUser cmdlet), depending on expiration policy.

Now if you have AAD Connect with password hash sync, same password expiration policy set on both Azure AD and on-premise AD (e.g. 90 days), every time a password is changed on-premise AD, pwdlastset attribute is updated, the password itself synced with Azure AD and the LastPasswordChangeTimestamp updates accordingly - so they both expires at same time (maybe few  minutes off); if you also have the password writeback functionality in place (link: How does self-service password reset writeback work in Azure Active Directory? | Microsoft Docs) the behavior described above works when the password is change from Azure AD and synced back to on-premise AD.

It should be right (please, can someone else confirm that ?)

I hope I was clear.

Bye,

Luca

@lucafabbri365 Great explanation.

If a company usees Fine-grained Password Policy to apply different password expiration policies inside the same AD domain - would that still work out with Azure AD?

Hello @Thomas Kofler,

yours is a good question.

Well, Fine-grained Password Policy is supported by Azure Active Directory Domain Services (Azure AD DS) for sure. Azure AD DS integrates with existing Azure AD tenant, but is a different service.

Definition
"Azure Active Directory Domain Services (AD DS) provides managed domain services such as domain join, group policy, lightweight directory access protocol (LDAP), and Kerberos / NTLM authentication. You use these domain services without the need to deploy, manage, and patch domain controllers (DCs) in the cloud."

References

• Fine-grained password policy support in Azure AD DS (Microsoft Azure)
• What is Azure Active Directory Domain Services? (Microsoft Docs)
• Password and account lockout policies on Azure Active Directory Domain Services managed domains (Microsoft Docs)

Instead, we are speaking about password expiration on Azure AD tenant.

This post On-premise Password policy & Azure AD Password policy (Visual Studio forums) treats the same argument: basically, you can define a password policy per custom domain in Azure AD.

I think the logic is the same I described previously: it depends on the password policy set for the custom domain where Azure AD user belongs and the password policy set for the same user, on-premise: if they match the behavior is the same (password will expire at same time), otherwise they will have different expiration time.

Please, let me know if it's clear, or I can write down some practical examples.

Bye,

Luca

Hi@lucafabbri365,

We have similar issue and it's a major security concern. Now my infosec team wants to get rid of expired passwords should get block.

As i said am planning to run below command for entire Organization.

Get-AzureADUser -All $true | Set-AzureADUser -PasswordPolicies None

Is it going to impact the users which are already logged into the mailboxes, cloud apps, on-prem custom apps when we run the above command.

Any help really appreciated.