Hi Junior049,
As you describe, it's a bit painful to produce a deterministic phased outcome when it comes to rolling a password change across your entire user base. Flipping the switch from Audit to Enforce has no effect on the expiration time of the existing passwords in your directory. Azure AD Password Protection does not attempt to influence or control password expiration times. So the only time the new Enforce mode actually has any impact or effect is when a user changes their password.
I’d suggest taking a look at the expiration time distribution of the currently stored passwords of your users. While there may be some clustering on certain days of the week (e.g., Mondays) I would expect a fairly even distribution of expected pwd expirations across your current 105 day expiration window. With that in mind, one approach would be to flip to Enforce but leave your 105 days max-pwd-age policy as-is. You would then simply wait out the subsequent 105 days as the users change their passwords day-by-day and week-by-week. There will likely be some non-zero extra support costs during this time as users find that their favorite weak passwords are now getting rejected. (At least the support costs are spread out across time though.) At the end of that 105 days – i.e., after all your users have gone through at least one password change with Enforce enabled – you can then change max-pwd-age to the new desired (longer) period.
If waiting 105 days is too long, then you can drive things faster with a bit more work: first flip to Enforce mode, then manually set the “User must change password at next logon” flag on a selected set of accounts every day or every week. This approach will still incur some level of expected increased support costs of course.
I’m not sure how the “mobile” aspect of your user base affects this discussion – it sounds like you’ve already trained your users to change their passwords every 105 days, so if you choose to force them to change early that should not be a never-before-seen event, even for mobile users. Please clarify if I’ve misunderstood some part of the mobile aspect.
The other thing we’ve recommended is some level of pre-education of users before you flip to Enforce mode. I’ll admit I don’t have any data that would say how effective such education might be, but a broad company-wide “heads-up about upcoming stricter password enforcement” email might help to reduce support costs (and I don't see how it could hurt). We have some previously published guidance here: Microsoft Password Guidance
Anyway, these are just some approaches I came up with off the top of my head. I know AADPP doesn’t do anything specifically to assist in the rollout, but on the other hand you can already control most of the rollout timing using existing Active Directory tooling.
I hope this helps,
Jay
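A PowerShell sketch of the two steps Jay outlines above (survey the projected expiry distribution of stored passwords, then optionally flag a batch of accounts per run for a forced change), added here as an example and not taken from the thread. It assumes the RSAT ActiveDirectory module, a single domain-wide 105-day max password age (fine-grained password policies are not considered), and that Enforce mode is already on.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not code from the original thread. Approximates the two steps
# described in the reply: (1) look at when the currently stored passwords will
# expire under the existing 105-day max age, bucketed by week; (2) optionally
# flag a batch of accounts for "User must change password at next logon" to
# drive the rollout faster. Assumes a single domain-wide MaxPasswordAge
# (fine-grained password policies are ignored) and Enforce already enabled.
param(
    [int]$MaxPasswordAgeDays = 105,  # the current policy quoted in the thread
    [int]$BatchSize = 0,             # 0 = report only; >0 = flag this many users
    [switch]$WhatIf                  # pass -WhatIf to preview Set-ADUser changes
)

# Enabled users whose password can expire. PasswordLastSet is $null when
# pwdLastSet = 0, i.e. the account is already flagged to change at next logon,
# so those are excluded from both the report and the next batch.
$users = Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
                    -Properties PasswordLastSet |
         Where-Object { $_.PasswordLastSet }

$projected = foreach ($u in $users) {
    $expires = $u.PasswordLastSet.AddDays($MaxPasswordAgeDays)
    # Monday of the week in which the password is projected to expire
    $monday  = $expires.Date.AddDays(-(([int]$expires.DayOfWeek + 6) % 7))
    [pscustomobject]@{
        SamAccountName  = $u.SamAccountName
        ProjectedExpiry = $expires
        WeekStarting    = $monday.ToString('yyyy-MM-dd')
    }
}

# Step 1: how many users rotate through Enforce in each week of the wait period
$projected | Group-Object WeekStarting | Sort-Object Name |
    Select-Object @{ n = 'WeekStarting'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

# Step 2 (optional): flag one batch per run. Accounts that would otherwise be
# the last to expire are taken first, so the tail of the distribution shrinks.
if ($BatchSize -gt 0) {
    $batch = $projected | Sort-Object ProjectedExpiry -Descending |
             Select-Object -First $BatchSize
    foreach ($b in $batch) {
        Set-ADUser -Identity $b.SamAccountName -ChangePasswordAtLogon $true -WhatIf:$WhatIf
    }
    "Flagged {0} account(s) for password change at next logon." -f @($batch).Count
}
```

Run it once with no arguments to see the weekly distribution, then with `-BatchSize N -WhatIf` to preview which accounts a scheduled daily or weekly run would flag.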