Hello DFI community !
I'm reviewing some Identity-related recommendations about accounts and passwords. Let's focus on the following:
- Remove the attribute 'password never expires' from accounts in your domain
- Manage accounts with passwords more than 180 days old
- Do not expire passwords
Achieving these 3 recommendations at the same time in hybrid environment for all types of accounts (user account, service account) seems a bit challenging and counterintuitive.
If we disable password rotation policies in AD DS and set passwords to not expire in the 365 org's settings, user accounts will show up in the recommendations #1 and #2 after a while...If we don't, then the #3 recommendation pops-up.
How can we combine features such as Azure Identity Protection/Conditionnal Access, Password Protection, Managed Identities, s/gMSA accounts to make all this work ?
I'm a bit confused...What am i missing ?
Any help would be much appreciated.
