Hi @Swati Arora • Thank you for reaching out.
Considering local password policies take precedence over Azure AD password policies, why are users not getting password expiration notifications?
Local password policies take precedence over Azure AD password policies when SSPR and Password Writeback are enabled. For on-premises users with password hash synchronization enabled, the cloud account password is set to Never Expire by default. This means that if the password has expired in your on-premises environment, users can still sign in to cloud applications using the synchronized password that has expired in on-premises AD. The password gets updated in Azure AD the next time the user changes his/her password in the on-premises environment. This is why users don't get a password expiry notification before the password expires in local AD. However, in this case you may consider setting the Azure AD password expiration and expiry notification to match your on-premises AD by using the command below:
Set-MsolPasswordPolicy -ValidityPeriod 60 -NotificationDays 14 -DomainName "example.com"
And then use following cmdlet to apply the same cloud password policy to synced users as well:
Set-MsolDirSyncFeature -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers -Enable $true
Read more: Password policy considerations
Also, what if we want to enable Azure AD SSPR and also enable the password writeback feature in Azure AD Connect to achieve SSPR? Does that work seamlessly, or is there any unexpected/unusual behavior?
As of now, there are no known issues with Azure AD SSPR and Password Writeback feature and it is safe to implement these features.
-----------------------------------------------------------------------------------------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
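The two cmdlets in the answer above, as an added end-to-end example (not part of the original answer or of Microsoft's documentation): it records the tenant's current policy, sets the validity period and notification window to match on-premises AD, enables the EnforceCloudPasswordPolicyForPasswordSyncedUsers feature only if it is not already on, and then verifies the result for the domain and for one synced account. It assumes the MSOnline PowerShell module is installed and that the signed-in account may change password policy; the domain name, the sample user and the 60/14 day values are constructed placeholders.

```powershell
# Added example (not from the original answer): audit and align the Azure AD
# password policy with an on-premises AD policy for password-hash-synced users.
# Assumes the MSOnline module (Connect-MsolService / *-Msol* cmdlets) is installed
# and that the signed-in account holds a role allowed to change password policy.
# The domain, sample user, validity period and notification days are constructed values.

$DomainName       = "example.com"        # constructed placeholder; use your verified domain
$ValidityDays     = 60                   # match your on-premises maximum password age
$NotificationDays = 14                   # days before expiry that users are warned
$SampleUser       = "user@example.com"   # constructed placeholder for one synced account

Connect-MsolService

# 1. Record the current cloud policy before changing anything, so the change can be rolled back.
$before = Get-MsolPasswordPolicy -DomainName $DomainName
Write-Host "Current policy: validity=$($before.ValidityPeriod) days, notify=$($before.NotificationDays) days"

# 2. Set the cloud policy so its expiry and notification window match on-premises AD.
Set-MsolPasswordPolicy -DomainName $DomainName `
    -ValidityPeriod $ValidityDays `
    -NotificationDays $NotificationDays

# 3. Make the cloud policy apply to password-hash-synced users. Without this
#    feature their cloud passwords stay at Never Expire regardless of step 2.
$feature = Get-MsolDirSyncFeatures -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers
if (-not $feature.Enabled) {
    Set-MsolDirSyncFeature -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers -Enable $true
}

# 4. Verify the result for the tenant and for one synced account.
$after   = Get-MsolPasswordPolicy -DomainName $DomainName
$feature = Get-MsolDirSyncFeatures -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers
$user    = Get-MsolUser -UserPrincipalName $SampleUser

[PSCustomObject]@{
    Domain                         = $DomainName
    ValidityPeriod                 = $after.ValidityPeriod
    NotificationDays               = $after.NotificationDays
    EnforcePolicyForSyncedUsers    = $feature.Enabled
    SampleUserPasswordNeverExpires = $user.PasswordNeverExpires
    SampleUserLastPasswordChange   = $user.LastPasswordChangeTimestamp
}
```

Run the verification block again after the next synchronization cycle: the useful signal is SampleUserPasswordNeverExpires turning False for synced accounts. If an individual account still reports True, its flag can be cleared with Set-MsolUser -UserPrincipalName <upn> -PasswordNeverExpires $false, and the LastPasswordChangeTimestamp value shows which date the expiry countdown is measured from.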