Question

0 Votes

CroTeam-5177 asked, CroTeam-5177 commented

Sync AD password policy to Azure AD

Hi all,

We have a requirement to sync our local AD password policy to Azure AD, so if the local password policy has a password expiration of 60 days, we want to match that with Azure so that all cloud passwords also expire at the same time. We are using password hash sync.

I am aware of the feature called EnforceCloudPasswordPolicyForPasswordSyncedUsers.

My question is: if we enable this and match the local password policy with Azure AD (if I change the Azure AD policy to 60 days), what will happen when a user changes their password locally? Will that sync and reset the timer of the cloud account, or will it ask the user to change the cloud password as well before 60 days?

Second question is: do we need to implement SSPR when we activate this feature, or does it work without it?

The goal is to change the password locally and have that update the password and reset the timer on the Azure AD account.

Tags: windows-active-directory, azure-ad-connect, azure-ad-tenant, azure-ad-password-hash-sync

2 comments

@CroTeam-5177 I am looking into this, will update shortly.

1 Vote

1 Answer

0 Votes

vipulsparsh-MSFT answered, vipulsparsh-MSFT commented

@CroTeam-5177 If you enable EnforceCloudPasswordPolicyForPasswordSyncedUsers, that would enforce the cloud password policy on synced users as well. This is recommended if users are accessing only cloud resources and we don't care about on-premises resources and the password expiry that happens at on-premises AD.

With this, when a user changes the password locally, the password would be synced to Azure AD. The last password changed time would be reset and no password change would be prompted by Azure AD until we reach 60 days or so. If the password is changed at on-prem AD before they hit the 60-day mark, this process will keep repeating.
But if it was not changed at on-prem and the user accesses a cloud resource after 60 days, the user would be prompted to change the password. With password writeback enabled, this would be written back to AD. This doesn't require SSPR; only password writeback has to be enabled.

If the users are always going to change their password locally at AD, then everything is taken care of. But passwords on the cloud by default don't expire.
So after 60 days when the password expires at AD, it doesn't expire at Azure AD; you need to do the steps here to expire the password for the user at Azure AD:
https://docs.microsoft.com/en-us/microsoft-365/admin/add-users/set-password-to-never-expire?view=o365-worldwide#set-a-password-to-expire



If the suggested response helped you resolve your issue, please do not forget to accept the response as Answer and "Up-Vote" for the answer that helped you for benefit of the community.

1 comment
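As an added example (not code from the question or the answer above), here is a PowerShell sequence that carries out what the answer describes: read the on-premises maximum password age, set the Azure AD tenant's validity period to match, enable EnforceCloudPasswordPolicyForPasswordSyncedUsers, and clear the never-expire flag on already-synced users (the step from the linked article) so the cloud timer actually applies. The domain name and test UPN are placeholders, it assumes the MSOnline and ActiveDirectory modules are installed and the session has Global Administrator rights, and it identifies synced users by a non-null ImmutableId, which is an assumption of this example.

```powershell
# Added example, not the answer's or Microsoft's own script.
# Assumptions (placeholders): the verified tenant domain and the test UPN below,
# MSOnline (Install-Module MSOnline) and the ActiveDirectory RSAT module installed,
# and a session running as Global Administrator.

Import-Module ActiveDirectory
Import-Module MSOnline

$TenantDomain = 'contoso.com'        # placeholder: your verified domain
$TestUser     = 'jdoe@contoso.com'   # placeholder: a synced test user

Connect-MsolService

# 1. Read the on-premises maximum password age (the question's 60 days).
$onPrem  = Get-ADDefaultDomainPasswordPolicy
$maxDays = [int]$onPrem.MaxPasswordAge.TotalDays
if ($maxDays -le 0) {
    throw 'On-premises MaxPasswordAge is unlimited; there is nothing to mirror to the cloud.'
}

# 2. Make the cloud validity period match. ValidityPeriod is the expiry in days;
#    NotificationDays is how long before expiry the user is warned.
Set-MsolPasswordPolicy -DomainName $TenantDomain -ValidityPeriod $maxDays -NotificationDays 14

# 3. Enable the feature the answer discusses. Without it, password hash sync
#    leaves synced users' cloud passwords marked as never expiring, so the
#    tenant policy set in step 2 would not apply to them.
Set-MsolDirSyncFeature -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers -Enable $true

# 4. Users synced before the feature was enabled may still carry
#    DisablePasswordExpiration. Clearing it is the per-user step from the
#    article the answer links; here it is applied to every synced user
#    (assumption: synced users are those with a non-null ImmutableId).
#    Note: -PasswordPolicies None also clears DisableStrongPassword if set.
Get-MsolUser -All |
    Where-Object { $_.ImmutableId -and $_.PasswordPolicies -like '*DisablePasswordExpiration*' } |
    ForEach-Object {
        Set-MsolUser -UserPrincipalName $_.UserPrincipalName -PasswordPolicies None
    }

# 5. Verification: tenant policy, feature state, and when the test user's cloud
#    timer last restarted. After an on-premises password change and a sync
#    cycle, LastPasswordChangeTimestamp should move forward, which is the
#    "reset the timer" behaviour the question asks about.
Get-MsolPasswordPolicy -DomainName $TenantDomain | Format-List ValidityPeriod, NotificationDays
Get-MsolDirSyncFeatures -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers
Get-MsolUser -UserPrincipalName $TestUser |
    Format-List UserPrincipalName, LastPasswordChangeTimestamp, PasswordPolicies
```

Run step 5 again after changing the test user's password on-premises and waiting for a sync cycle; a newer LastPasswordChangeTimestamp confirms that the local change restarted the cloud expiry timer rather than triggering a second prompt.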

@CroTeam-5177 I wanted to follow up and know if the above response helped in answering your query. If it did, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.

0 Votes