TomMee-1335 asked:

Azure AD Sync two sets of user identities and passwords

Our organization is looking to implement on-premises active directory as a single source of authority for account management. We currently have two separate accounts for each user. One account is in Azure and logs them into our services within M365.

Another separate account logs them into our on-premises domain and local applications that are not in the cloud. We have installed AD Sync and have tested with a few users, and it seems to be working. What we are struggling with is password sync: the current Azure password expiration policy is set to 365 days, while the on-premises one is set to 120 days. When a customer calls in with a password change request, the service desk changes both to keep them in sync.

My question is: if we sync all on-premises users to Azure AD, will the cloud password policy still come into play? My thought is that it won't, but I'm looking for confirmation from someone who may have done this. If I turn off password expiration in the cloud, does that automatically lock in the existing passwords, and when we sync the on-premises accounts, will those passwords become the authoritative passwords and allow access to M365 services?


Thanks


azure-ad-user-management

Hi @TomMee-1335 , just so I can understand more thoroughly, you want the password policies on both Azure AD and your local directory to match?

> My question is: if we sync all on-premises users to Azure AD, will the cloud password policy still come into play?

Are you asking if the cloud settings will impact your on-premises AD? I would recommend looking into SSPR and Password Hash Sync if you haven't already as well. Please let me know if I understand correctly and I can help you further!

Best,
James



1 Answer

TomMee-1335 answered:

Hello James,

Thank you for the reply. Apologies because I didn't explain very well. I'm in a situation where my company has been creating two identities for users. One identity with password is in Azure, the second identity is On-premises AD.

I am looking to use on-premises AD as the "source of authority" going forward. I have set up AADSync with Azure and was concerned about what will happen when I sync the on-premises account with Azure.

Will an on-premises account overwrite the cloud account, making the password policy in Azure invalid because they are no longer technically Azure accounts? My assumption is yes, but I was looking for confirmation before I start rolling this out.

I am matching UPNs from on-premises to Azure so that I don't accidentally create two accounts. We will also be implementing a weekend password change event, and the expectation is that the user will have to sign in twice with their on-premises AD password, for both the local profile and for their O365 application.

Thanks,
Tom

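A pre-rollout audit for the UPN-matching plan described in the thread, added here as an example and not code from either poster: it lists every enabled on-premises user alongside the Azure AD user with the same UPN, flags accounts with no UPN or no cloud match (which sync would create fresh rather than take over), and shows the cloud user's `PasswordPolicies` value, since a `DisablePasswordExpiration` entry there is what turns the cloud expiration policy off for that account. It assumes the ActiveDirectory and Microsoft.Graph PowerShell modules are installed and that the on-premises UPN suffix is already a verified domain in the tenant; the output file name is an arbitrary choice.

```powershell
# Added example (not from the thread): audit on-premises users against
# Azure AD by UPN before enabling Azure AD Connect for everyone.
# Assumes the ActiveDirectory and Microsoft.Graph.Users modules are present.
Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Users

# A read-only Graph scope is sufficient for this audit.
Connect-MgGraph -Scopes 'User.Read.All' | Out-Null

# Enabled on-premises accounts that will be in scope for the sync.
$onPrem = Get-ADUser -Filter 'Enabled -eq $true' `
    -Properties UserPrincipalName, PasswordLastSet, PasswordNeverExpires

# Cloud users keyed by lower-cased UPN, the attribute soft-matching uses.
$cloud = @{}
Get-MgUser -All -Property UserPrincipalName, OnPremisesSyncEnabled, `
    OnPremisesImmutableId, PasswordPolicies |
    ForEach-Object { $cloud[$_.UserPrincipalName.ToLowerInvariant()] = $_ }

$report = foreach ($u in $onPrem) {
    $key   = if ($u.UserPrincipalName) { $u.UserPrincipalName.ToLowerInvariant() } else { $null }
    $match = if ($key) { $cloud[$key] } else { $null }
    [pscustomobject]@{
        OnPremUPN             = $u.UserPrincipalName
        PasswordLastSet       = $u.PasswordLastSet
        OnPremNeverExpires    = $u.PasswordNeverExpires
        CloudMatch            = [bool]$match
        CloudAlreadySynced    = if ($match) { [bool]$match.OnPremisesSyncEnabled } else { $null }
        CloudPasswordPolicies = if ($match) { $match.PasswordPolicies } else { $null }
        Status = if (-not $u.UserPrincipalName)        { 'NO-UPN: fix before sync' }
                 elseif (-not $match)                   { 'NO-MATCH: sync would create a new cloud user' }
                 elseif ($match.OnPremisesSyncEnabled)  { 'ALREADY-SYNCED' }
                 else                                   { 'SOFT-MATCH: cloud user will be taken over by sync' }
    }
}

$report | Sort-Object Status | Format-Table -AutoSize
# Keep a copy for the rollout plan and the service desk (constructed file name).
$report | Export-Csv -Path '.\presync-upn-audit.csv' -NoTypeInformation
```

Re-run the same audit after the pilot users are synced: their `CloudAlreadySynced` column should flip to true and `CloudPasswordPolicies` shows what the cloud side now enforces for them.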