Password Hash Sync already deployed... enabling EnforceCloudPasswordPolicyForPasswordSyncedUsers

Ed 46 Reputation points
2021-02-22T20:55:52.027+00:00

Greetings.

We have used Password Hash Sync for years now without writeback because we didn't have the needed licensing.

We recently got the needed licensing and now we are working with the local policy for password expiration and the password not expiring in Azure/M365.

According to Microsoft's documentation, we need to enable EnforceCloudPasswordPolicyForPasswordSyncedUsers so users have their password never expires policy removed in Azure whenever a user's password hash is synchronized.

If I understood the documentation correctly, if we enable EnforceCloudPasswordPolicyForPasswordSyncedUsers, then after the password expires on-premises and is reset locally, the hash sync will set the user's PasswordNeverExpires value to $False and the user's password will expire in the time set in Azure's policy.

We matched Azure's password expiration policy to our local password expiration policy.

We also have password writeback configured and working without issues.

Are we in the correct path?

Thanks for your time.

Microsoft Entra ID

Accepted answer
  1. AmanpreetSingh-MSFT 56,311 Reputation points
    2021-02-23T05:31:48.557+00:00

    Hi @Ed · Thank you for reaching out.

    Yes, you are on the correct path.

    Enabling EnforceCloudPasswordPolicyForPasswordSyncedUsers will remove the password never expires policy in Azure. If you have some specific synced users with non-expiring passwords in Azure AD, you need to use the cmdlet below:
    Set-AzureADUser -ObjectID <User Object ID> -PasswordPolicies "DisablePasswordExpiration"

    Matching the Azure AD and on-premises AD password expiration policies, together with password writeback, ensures consistency between both environments for password expiry.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


2 additional answers

Sort by: Most helpful
  1. Ed 46 Reputation points
    2021-02-23T12:36:28.983+00:00

    Thank you @AmanpreetSingh-MSFT for your reply.

    I have a list of users to run the cmdlet you provided in order to ensure consistency.

    Now I have to make everyone aware of the SSPR availability in Azure before enabling the option.

    Thank you again for your reply.


  2. Nirav 26 Reputation points
    2022-09-01T17:16:19.177+00:00

    Hi @Ed, I have a question if you don't mind, please. We also have had password hash sync enabled for quite a while and need to enable password writeback and SSPR, but we do have some accounts whose passwords are set not to expire in our on-premises AD. I'm not sure what I need to do first out of the following steps, or in which order. Can you please provide guidance, since you have already done it successfully?

    1. Enable Password Writeback
    2. Enable Enforce Cloud Password Policy for password synced users
      Set-MsolDirSyncFeature -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers -Enable $true
      and the following command provided by @AmanpreetSingh-MSFT:
      Set-AzureADUser -ObjectID <User Object ID> -PasswordPolicies "DisablePasswordExpiration"
    3. Enable and configure SSPR

    Thank you for your time and effort.
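As an added example that is not from this thread (it ties together the accepted answer's per-user exemption cmdlet and the feature-enable step listed in the question above), the following PowerShell sequence records the feature's current state, enables it with the full Set-MsolDirSyncFeature syntax, applies DisablePasswordExpiration to a list of synced accounts, and then verifies both. It assumes the MSOnline and AzureAD modules named in the thread are installed and already connected with Connect-MsolService and Connect-AzureAD; the UPNs are constructed placeholders.

```powershell
# Added example, not code from the thread. Assumes MSOnline and AzureAD modules are
# installed and Connect-MsolService / Connect-AzureAD have already been run.

# Constructed sample: synced accounts whose passwords must keep not expiring in Azure AD.
# In practice this list could be built from on-premises AD (e.g. accounts with
# PasswordNeverExpires set), which is an assumption about your environment.
$neverExpireUpns = @('svc-backup@contoso.example', 'svc-scan@contoso.example')

# 1. Record the feature state before changing anything, so the change is auditable.
$before = Get-MsolDirSyncFeatures -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers
Write-Host "Before: EnforceCloudPasswordPolicyForPasswordSyncedUsers enabled = $($before.Enabled)"

# 2. Enable the feature tenant-wide (the thread's command with the -Enable switch it needs).
Set-MsolDirSyncFeature -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers -Enable $true

# 3. Apply the accepted answer's exemption to each listed synced user.
#    Get-AzureADUser accepts a UPN for -ObjectId, so no separate GUID lookup is needed.
foreach ($upn in $neverExpireUpns) {
    $user = Get-AzureADUser -ObjectId $upn
    if ($null -eq $user) {
        Write-Warning "User not found in Azure AD, skipping: $upn"
        continue
    }
    Set-AzureADUser -ObjectId $user.ObjectId -PasswordPolicies 'DisablePasswordExpiration'
}

# 4. Verify: the feature is on, and every exempted account still carries the policy.
$after = Get-MsolDirSyncFeatures -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers
Write-Host "After: EnforceCloudPasswordPolicyForPasswordSyncedUsers enabled = $($after.Enabled)"

foreach ($upn in $neverExpireUpns) {
    $u = Get-AzureADUser -ObjectId $upn
    $ok = $u.PasswordPolicies -like '*DisablePasswordExpiration*'
    Write-Host ("{0}: PasswordPolicies='{1}' exempt={2}" -f $upn, $u.PasswordPolicies, $ok)
}
```

Re-run the verification loop after the next password hash sync cycle for the listed accounts, since the thread notes the feature takes effect when a user's password hash is synchronized.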