Password Policy in Azure AD Hybrid Identity

Yordan Yordanov 466 Reputation points
2020-04-11T10:16:14.157+00:00

I am a little bit confused when it comes to password policies with hybrid identities: currently Pass-Through Authentication and PHS are in place and we are planning for SSPR. There is a domain password policy for all and a fine-grained password policy for a group of users. Password writeback is enabled and working. If a user changes their password from Office 365, will these policies be enforced? I see options in Azure AD which control smart lockout and lockout duration - which policy is the effective one when there are conflicting domain password policies? Where in Azure AD are the password complexity requirements and minimum password length set? I would be grateful if someone points me to an article or documentation which explains this in hybrid environments.


Accepted answer
  1. David Scholtz 86 Reputation points
    2020-04-11T13:50:58.347+00:00

    When a user changes a password online (from Office 365) and Pass-Through Authentication is enabled, the password is actually changed in the on-premises Active Directory and the local password policy applies.

    Do you have any compliance policies set up in Intune? They can enforce password policies.

    https://portal.azure.com/#blade/Microsoft_Intune_DeviceSettings/DeviceComplianceMainMenuViewModel/deviceConfiguration


3 additional answers

Sort by: Most helpful
  1. David Scholtz 86 Reputation points
    2020-04-11T13:09:48.33+00:00

    When Pass-Through Authentication is enabled, passwords are stored in your on-premises Active Directory and users authenticate against your on-premises domain controllers. The password policy that applies is the one set in your on-premises Active Directory.

    https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta-how-it-works


  2. Yordan Yordanov 466 Reputation points
    2020-04-11T13:15:04.177+00:00

    I thought so, however I have the following situation: an AD user tries to change his password online (using Change Password from Office 365) and password complexity requirements seem to be enforced even though the domain password policy (which applies to this user) does not enforce password complexity. Hence, Azure AD seems to enforce complexity before it allows the password to be changed. Why?


  3. Yordan Yordanov 466 Reputation points
    2020-04-11T14:13:56.39+00:00

    I see, thanks for this clarification. I actually checked and the minimum password age parameter was preventing the password change (it was changed earlier the same day). After enabling a mandatory password change on next login, the user was able to change to a password that is not considered strong which means that the domain policy applies. There aren't any Intune policies currently, I suppose that if they are enabled they may conflict with the domain. Thanks again!

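    The accepted answer (the on-premises policy governs the change) and the last reply (the change was actually blocked by minimum password age, and a forced change at next logon bypassed it) can both be checked from the domain side. The following is an added example, not code from this thread or from Microsoft; it assumes the RSAT ActiveDirectory module on a domain-joined machine, and the account name `jdoe` is a placeholder.

```powershell
# Added example: report which on-premises password policy governs a user and
# whether a password change is currently blocked by the minimum password age.
# Assumes the ActiveDirectory module (RSAT) and domain connectivity.
Import-Module ActiveDirectory

function Get-EffectivePasswordPolicyReport {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties PasswordLastSet, pwdLastSet

    # A fine-grained password policy (PSO) takes precedence over the default
    # domain policy when one applies to the user (directly or via group).
    $pso = Get-ADUserResultantPasswordPolicy -Identity $user
    if ($null -ne $pso) {
        $source = "Fine-grained policy '$($pso.Name)'"
        $policy = $pso
    } else {
        $source = 'Default domain policy'
        $policy = Get-ADDefaultDomainPasswordPolicy
    }

    # pwdLastSet = 0 means "must change password at next logon"; in that state
    # MinPasswordAge does not block the change, which is what the thread observed.
    $mustChange = ($user.pwdLastSet -eq 0)
    if ($mustChange -or $null -eq $user.PasswordLastSet) {
        $earliestChange = Get-Date
    } else {
        $earliestChange = $user.PasswordLastSet + $policy.MinPasswordAge
    }
    $blockedByMinAge = (-not $mustChange) -and ((Get-Date) -lt $earliestChange)

    [pscustomobject]@{
        User                  = $user.SamAccountName
        PolicySource          = $source
        ComplexityEnabled     = $policy.ComplexityEnabled
        MinPasswordLength     = $policy.MinPasswordLength
        MinPasswordAge        = $policy.MinPasswordAge
        PasswordLastSet       = $user.PasswordLastSet
        MustChangeAtLogon     = $mustChange
        ChangeBlockedByMinAge = $blockedByMinAge
        EarliestAllowedChange = $earliestChange
    }
}

# Placeholder account; replace with the sAMAccountName being investigated.
Get-EffectivePasswordPolicyReport -SamAccountName 'jdoe' | Format-List
```

If `ChangeBlockedByMinAge` is true, a change attempted through Office 365 with password writeback will be rejected by the domain controller regardless of what the Azure AD portal shows, so check this before looking for a conflicting cloud policy.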