EnforceCloudPasswordPolicyForPasswordSyncedUser with a federated domain

RT-7199 471

We already have Password Hash sync enabled and domain is federated but EnforceCloudPasswordPolicyForPasswordSyncedUser is set to False.

Do/Can we set EnforceCloudPasswordPolicyForPasswordSyncedUser for a federated domain, to match the password policy with on-prem.

I can run Set-MsolDirSyncFeature -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers -Enable $true but does that even do anything or will it create conflict if on-prem expiration policy is different for a federated domain.

Get-MsolPasswordPolicy  -DomainName "contoso.com" command doesn't work and I would assume Set-MsolPasswordPolicy would also not work.

I can however run it for "contoso.onmicrosoft.com" which is a managed domain.

If EnforceCloudPasswordPolicyForPasswordSyncedUser is not to be used on federated, what happens when user only authenticates to an Enterprise Application but does not redirect to ADFS and is authenticated by Azure AD itself but on-prem password is expired.

RT-7199 471 Reputation points

2021-10-10T02:27:42.413+00:00

Bumping it up for some answer

1 answer

AmanpreetSingh-MSFT 56,311 Reputation points

2021-10-11T14:54:57.003+00:00

Hi @RT-7199 • Thank you for reaching out. Please find my comments inline.

Do/Can we set EnforceCloudPasswordPolicyForPasswordSyncedUser for a federated domain, to match the password policy with on-prem.

EnforceCloudPasswordPolicyForPasswordSyncedUser is a tenant level setting and will apply cloud password policies to all synced users with password hash synced to cloud, regardless of whether domain is federated or not.

I can run Set-MsolDirSyncFeature -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers -Enable $true but does that even do anything or will it create conflict if on-prem expiration policy is different for a federated domain.

This setting won't have any impact if users are authenticated via on-premises federation server because the password validation will not happen against Azure AD. Whenever, password is changed on-premises, password hash get synced to cloud. If you are setting EnforceCloudPasswordPolicyForPasswordSyncedUsers to true, Microsoft recommendation is to keep same password expiration value at both cloud and on-premises.

If EnforceCloudPasswordPolicyForPasswordSyncedUser is not to be used on federated, what happens when user only authenticates to an Enterprise Application but does not redirect to ADFS and is authenticated by Azure AD itself but on-prem password is expired.

When you configure Azure AD policy to perform cloud authentication for federated users for a specific enterprise application, users are not redirected to federation server and authenticate directly from Azure AD. In the scenario where password expiration policy is conflicting and user's password is expired on-premises but have not been reset yet, he/she can still login using Azure AD credentials because password validation is being performed against Azure AD and the password is expired in on-premises but not in Azure AD. This is why the best practice is to keep password expiration same and configure password writeback if you are using SSPR in Azure AD.

-----------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Please sign in to rate this answer.
RT-7199 471 Reputation points

2021-10-11T17:49:46.617+00:00

@AmanpreetSingh-MSFT Thanks for replying. The issue is when I try to run Get-MsolPasswordPolicy I get below error, which I don't get with a managed domain.

PS C:\WINDOWS\system32> Get-MsolPasswordPolicy  -DomainName "contoso.com"
Get-MsolPasswordPolicy : Unknown error occurred.
At line:1 char:1

Get-MsolPasswordPolicy  -DomainName "contoso.com"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

CategoryInfo : OperationStopped: (:) [Get-MsolPasswordPolicy], MicrosoftOnlineException

FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.DomainOperationNotAllowedException,Microsoft.Online.Administration.Automation.GetPasswordPolicy

The set command would be used to match the password policy but how can I verify results before and after running the set command. If the Get is not working that makes me unsure of running the Set and EnforceCloudPasswordPolicyForPasswordSyncedUser commands which can effect 1000s of users we have.

AmanpreetSingh-MSFT 56,311 Reputation points

2021-10-12T06:40:02.903+00:00

@RT-7199 · This is expected in case of federated domain. The setting applies to the tenant and takes effect only when authentication is done against Azure AD and not the federation server. Which is why you get the error when you specify the federated domain in Get-MsolPassword Policy.

RT-7199 471 Reputation points

2021-10-12T07:41:09.117+00:00

@AmanpreetSingh-MSFT So how do we match the password expiration policy because on-prem doesn't match the default 90 day of Azure.

AmanpreetSingh-MSFT 56,311 Reputation points

2021-10-12T07:47:04.873+00:00

@RT-7199 · You can use below cmdlet to set cloud password policy to match with on-premises one.
Set-MsolPasswordPolicy -DomainName example.onmicrosoft.com -ValidityPeriod 60 -NotificationDays 14
Get-MsolPasswordPolicy -DomainName example.onmicrosoft.com

RT-7199 471 Reputation points

2021-10-12T15:51:36.647+00:00

@AmanpreetSingh-MSFT It feels funny like cat and mouse race. Are you saying I will be able to use the same Get-MsolPasswordPolicy command which is giving me error now and you say is expected, after I issue the Set-MsolPasswordPolicy command.

AmanpreetSingh-MSFT 56,311 Reputation points

2021-10-12T16:11:51.02+00:00

@RT-7199 · My bad, you need to use the onmicrosoft.com domain name, I have updated my comment above.

RT-7199 471 Reputation points

2021-10-12T17:12:02.937+00:00

@AmanpreetSingh-MSFT I know I am being pushy but how does this work. We are not logging to Azure Apps with onmicrosoft.com but example.com. Does that mean even when we apply the policy to onmicrosoft.com and because its PHS accounts, the policy will be applied when user logs in as user@ssss .com.

AmanpreetSingh-MSFT 56,311 Reputation points

2021-10-13T04:31:09.063+00:00

@RT-7199 · There are 2 possible scenarios here:

On the get credentials page, you enter username user@ssss .com and get redirected to on-prem federation server. In this case, on-prem password policies gets applied as the on-premises federation server validates credentials using local AD.

In some scenarios, redirection to federation server is not possible. For example, acquiring token for federated user account using ROPC flow via Postman application. In such scenarios, you have to configure Azure AD Policy (using cmdlets below) for cloud password validation rather than validating credentials of user@ssss .com via federation server. New-AzureADPolicy -Definition @(“{”HomeRealmDiscoveryPolicy”:{”AccelerateToFederatedDomain”:false, ”PreferredDomain”:”example.com”, ”AllowCloudPasswordValidation”:true}}”) -DisplayName ROPC4ADFS -Type HomeRealmDiscoveryPolicy

Add-AzureADServicePrincipalPolicy -Id < objectId_of_the_service_principal > -RefObjectId < objectId_of_the_policy >

In this case, as the password validation is done by Azure AD, the cloud password policies get applied.

AmanpreetSingh-MSFT 56,311 Reputation points

2021-10-14T06:27:32.843+00:00

@RT-7199 · Just checking if above comment answered your query. Please let me know if you have any further question.

RT-7199 471 Reputation points

2021-10-15T15:30:14.777+00:00

@AmanpreetSingh-MSFT Password policies I agree are used that of on-prems like length and complexity. But from what I understand from Microsoft documentation password expiration is separate, which is what we are trying to fix here.

So I have an Azure AD salesforce app and I login to it as user@ssss .com and do not getting redirected to ADFS.
The password expiration policy for such logins, would it be governed by what we set on the onmicrosoft.com with Set-MsolPasswordPolicy?

In below example I login as PHS user and the domain is federated but we are not redirected to ADFS.

AmanpreetSingh-MSFT 56,311 Reputation points

2021-10-19T09:25:51.713+00:00

@RT-7199 · Yes, the password expiration policy for such logins, would be governed by what is set on the onmicrosoft.com with Set-MsolPasswordPolicy.

RT-7199 471 Reputation points

2021-10-28T22:00:21.64+00:00

@AmanpreetSingh-MSFT I finally got to work this out with management approval.

I picked a ExpiredAccount with expired password and I was able to login with office.com as we have staged rollout enabled for this ExpiredAccount and we were able to authenticate.
Then I ran Set-MsolDirSyncFeature -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers -Enable $true and afterwards Set-MsolPasswordPolicy  -DomainName "example.onmicrosoft.com" -ValidityPeriod 180 -NotificationDays 30 as our on-prem domain is set for 180 days.

Why was ValidityPeriod showing such a large number before?

Get-MsolPasswordPolicy  -DomainName "example.onmicrosoft.com" | fl

ExtensionData : System.Runtime.Serialization.ExtensionDataObject
NotificationDays : 30
ValidityPeriod : 2147483647

Then lastly I changed the password for the expired account and within a minute the PasswordPolicy changed to None.

(Get-AzureADUser -objectID ExpiredAccount@exampple.com).passwordpolicies
None

Get-MsolPasswordPolicy -DomainName example.onmicrosoft.com

ExtensionData NotificationDays ValidityPeriod

-------------
---------------- --------------
System.Runtime.Serialization.ExtensionDataObject 30 180

Why does it say None and what is the meaning of it.
Sign in to comment