knopper asked ·

Password Policy in Azure AD Hybrid Identity

I am a little bit confused when it comes to password policies with hybrid identities: currently Pass-Through Authentication and PHS are in place and we are planning for SSPR. There is a domain password policy for all and a fine-grained password policy for a group of users. Password writeback is enabled and working. If a user changes their password from Office 365, will these policies be enforced? I see options in Azure AD which control smart lockout and lockout duration - which policy is the effective one when there are conflicting domain password policies? Where in Azure AD are the password complexity requirements and minimum password length set? I would be grateful if someone points me to an article or documentation which explains this in hybrid environments.

azure-active-directory

DavidScholtz-8004 answered ·

When a user changes a password online (from Office 365) and Pass-Through authentication is enabled the password is actually changed on the on-premises Active Directory and the local password policy applies.

Do you have any compliance policies set up in Intune? They can enforce password policies.

https://portal.azure.com/#blade/Microsoft_Intune_DeviceSettings/DeviceComplianceMainMenuViewModel/deviceConfiguration


DavidScholtz-8004 answered ·

When Pass-Through Authentication is enabled, passwords are stored in your on-premises Active Directory and users authenticate against your on-premises domain controllers. The password policy that applies is the one set on your on-premises Active Directory.

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta-how-it-works


knopper answered ·

I thought so, however I have the following situation: an AD user tries to change his password online (using Change Password from Office 365) and password complexity requirements seem to be enforced even though the domain password policy (which applies to this user) does not enforce password complexity. Hence, Azure AD seems to enforce complexity before it allows the password to be changed. Why?


knopper answered ·

I see, thanks for this clarification. I actually checked and the minimum password age parameter was preventing the password change (it was changed earlier the same day). After enabling a mandatory password change on next login, the user was able to change to a password that is not considered strong which means that the domain policy applies. There aren't any Intune policies currently, I suppose that if they are enabled they may conflict with the domain. Thanks again!

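The check that resolves the situation described in this thread (which on-premises policy actually applies to a user, and whether the minimum password age is what blocks the change) can be scripted against the domain. This is an added example, not code posted by anyone in the thread; it assumes the ActiveDirectory RSAT module and uses a hypothetical sAMAccountName `jdoe`.

```powershell
# Added example (not from the thread): resolve the effective on-premises
# password policy for one user and check whether the minimum password age
# would still block a change right now. Assumes the ActiveDirectory RSAT
# module and a hypothetical sAMAccountName 'jdoe'.
Import-Module ActiveDirectory

$sam  = 'jdoe'   # hypothetical user; replace with the account under investigation
$user = Get-ADUser -Identity $sam -Properties PasswordLastSet, pwdLastSet

# A fine-grained password policy (PSO) wins over the domain default when one
# applies to the user (directly or via group membership).
$pso = Get-ADUserResultantPasswordPolicy -Identity $sam
if ($pso) {
    $policy = $pso
    $source = "fine-grained policy '$($pso.Name)' (precedence $($pso.Precedence))"
} else {
    $policy = Get-ADDefaultDomainPasswordPolicy
    $source = 'default domain policy'
}

Write-Host "Effective policy for ${sam}: $source"
Write-Host "  MinPasswordLength : $($policy.MinPasswordLength)"
Write-Host "  ComplexityEnabled : $($policy.ComplexityEnabled)"
Write-Host "  MinPasswordAge    : $($policy.MinPasswordAge)"
Write-Host "  LockoutThreshold  : $($policy.LockoutThreshold)"

# pwdLastSet = 0 means 'must change password at next logon'; that state
# bypasses the minimum-age check, which is what unblocked the change above.
if ($user.pwdLastSet -eq 0) {
    Write-Host 'Password change forced at next logon: minimum age does not apply.'
} elseif ($user.PasswordLastSet) {
    $earliest = $user.PasswordLastSet + $policy.MinPasswordAge
    if ((Get-Date) -lt $earliest) {
        Write-Host "BLOCKED: minimum password age not met; next change allowed at $earliest"
    } else {
        Write-Host 'Minimum password age satisfied; a change is permitted.'
    }
}
```

Run it from a domain-joined host with rights to read the user and PSO objects; with password writeback the same policy governs a change made from Office 365 or SSPR.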