Azure AD: User can login even if their password has expired

Sim1S 106 Reputation points
2021-06-03T14:34:38.343+00:00

Hello everyone,

As the title suggests, lately I've been notified about some issues with Azure AD and user password expiration. Namely, even though the password expiration timer is 90 days, some users can still log in to their accounts after password expiration. Now, I'm pretty new to Azure AD, so I wanted to verify some things before getting my hands dirty.

First of all, since I've been notified about this but I want to dig deeper, I'd like to ask:

1) How can I verify which users have their password expired and are still able to log on to their account? The "smartest" (and I can't stress "smartest" enough) way I could figure out was:

  • Check which users have a LastPasswordChangeTimestamp older than 90 days
  • Check on their user blade on Azure AD and see their latest activity

As you can guess, this process was way too slow (and frustrating).

Then, according to this article, it could be a problem related to users who only use the Outlook application. Hence, my question:

2) How can I verify whether users with an expired password (and still able to log in) are only using the Outlook app? In other words, how can I verify whether this is the case mentioned in the article?

The second most common issue when addressing this problem is whether you have an Azure tenant joined with Azure AD Connect, although this is not the case, as every user is a cloud-only user in this infrastructure.

I can't think of anything more to add, so please, let me know whether you need more information.

Kind regards to everyone,
Sim


2 answers

James Hamil 21,776 Reputation points Microsoft Employee
2021-06-03T22:14:42.043+00:00

Hi @Sim1S , my colleague @AmanpreetSingh-MSFT recently answered a thread here that I think could help you a lot. The most common reason for this issue is usually that the password expiration is only applied to the cloud users or that PasswordNeverExpire is set to True. Changing these settings will fix your users being able to log in after their passwords expire. And if this works it should eliminate the need for what you asked in questions 1 and 2. If it doesn't work for you please let me know and I can look into it more. If you're still curious about how you can accomplish what you asked please let me know and I can look into it and give you an answer :)

If this answer helped you please mark it as "Verified" so other users may reference it.

Thank you,
James
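The two-step check from the question (password age older than 90 days, then latest activity) and the answer's point about PasswordNeverExpires, put together as one audit script. This is an added example, not code from the thread; it assumes the MSOnline and AzureADPreview modules are installed, that Connect-MsolService and Connect-AzureAD have already been run with a reader-level directory role, and that the 90-day window from the question is the tenant's real expiry period.

```powershell
# Added example (not from the original thread). Assumes MSOnline and
# AzureADPreview are loaded and Connect-MsolService / Connect-AzureAD
# have already been run. Expiry window taken from the question (assumption).
$MaxPasswordAgeDays = 90
$LookbackDays       = 30   # how far back in the sign-in log to look

$nowUtc = (Get-Date).ToUniversalTime()
$cutoff = $nowUtc.AddDays(-$MaxPasswordAgeDays)
$since  = $nowUtc.AddDays(-$LookbackDays).ToString('yyyy-MM-dd\THH:mm:ss\Z')

# Step 1 of the question: every user whose last password change is older
# than the expiry window. PasswordNeverExpires is kept in the output because
# the answer names it as the most common reason such users keep signing in.
$stale = Get-MsolUser -All |
    Where-Object { $_.LastPasswordChangeTimestamp -and
                   $_.LastPasswordChangeTimestamp -lt $cutoff }

# Step 2: instead of opening each user blade, read the newest sign-in from
# the Azure AD sign-in log. The log is returned newest-first, so -Top 1 is
# the latest event in the window (assumption about default ordering).
$report = foreach ($u in $stale) {
    $upn  = $u.UserPrincipalName.Replace("'", "''")   # escape for the OData filter
    $last = Get-AzureADAuditSignInLogs -Top 1 `
        -Filter "userPrincipalName eq '$upn' and createdDateTime ge $since"

    [pscustomobject]@{
        UserPrincipalName    = $u.UserPrincipalName
        PasswordNeverExpires = $u.PasswordNeverExpires
        PasswordAgeDays      = [int]($nowUtc - $u.LastPasswordChangeTimestamp).TotalDays
        LastSignIn           = $last.CreatedDateTime
        LastSignInApp        = $last.AppDisplayName    # shows Outlook-only users (question 2)
        LastSignInStatus     = $last.Status.ErrorCode  # 0 = successful sign-in
    }
}

# Expired password AND a successful recent sign-in: the users to investigate.
$report |
    Where-Object { $_.LastSignIn -and $_.LastSignInStatus -eq 0 } |
    Sort-Object PasswordAgeDays -Descending |
    Format-Table -AutoSize
```

Rows where PasswordNeverExpires is True explain themselves; rows where it is False but the user still signs in successfully point at the Outlook-only case from the article or at a policy that is not being applied.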