question

0 Votes
SwatiArora-4767 asked amanpreetsingh-msft edited

Password Policy Hybrid Join Devices

Hi All,

Just need a bit clarity on password policies for hybrid joined devices.

Azure AD Connect is in place with password hash synchronization.

Considering that local password policies take precedence over Azure AD password policies, why are users not getting password expiration notifications?

Also, what if we want to enable Azure AD SSPR and also enable the password writeback feature in Azure AD Connect to achieve SSPR? Does that work seamlessly, or is there any unexpected/unusual behavior?

Thanks

azure-ad-connect azure-ad-hybrid-identity

1 Answer

0 Votes
amanpreetsingh-msft answered amanpreetsingh-msft edited

Hi @SwatiArora-4767 • Thank you for reaching out.

Considering that local password policies take precedence over Azure AD password policies, why are users not getting password expiration notifications?

Local password policies take precedence over Azure AD password policies when SSPR and Password Writeback are enabled. For on-premises users with password hash synchronization enabled, the cloud account password is set to Never Expire by default. This means that if the password has expired in your on-premises environment, users can still sign in to cloud applications by using the synchronized password that is expired in on-premises AD. The password gets updated in Azure AD the next time the user changes his/her password in the on-premises environment. This is why users don't get a password expiry notification before the password expiration in local AD. However, in this case you may consider setting the Azure AD password expiration and expiry notification to the same values as your on-premises AD by using the command below:

Set-MsolPasswordPolicy -ValidityPeriod 60 -NotificationDays 14 -DomainName "example.com"

And then use the following cmdlet to apply the same cloud password policy to synced users as well:

Set-MsolDirSyncFeature -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers -Enable $true

Read more: Password policy considerations

Also, what if we want to enable Azure AD SSPR and also enable the password writeback feature in Azure AD Connect to achieve SSPR? Does that work seamlessly, or is there any unexpected/unusual behavior?

As of now, there are no known issues with the Azure AD SSPR and Password Writeback features, and it is safe to implement them.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
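The two cmdlets in the answer change tenant-wide behaviour, so a practitioner would normally record the current policy, apply the change, and then verify that the feature flag and the affected users actually look as expected. The script below is an added example, not part of the original answer or of Microsoft's documentation; it uses the same MSOnline cmdlets (Set-MsolPasswordPolicy, Set-MsolDirSyncFeature) plus their Get-* counterparts, and the domain "example.com" and the user UPN are placeholders you must replace.

```powershell
# Added example (not from the original post): inspect, set and verify the cloud password policy
# for a password-hash-synced tenant using the MSOnline module the answer's cmdlets belong to.
# "example.com" and the UPN below are placeholders; replace with your verified domain and a real user.
Install-Module MSOnline -Scope CurrentUser   # once, if the module is not installed yet
Connect-MsolService                          # interactive sign-in with an administrator account

$domain = "example.com"

# 1. Record the current tenant policy before changing anything
$before = Get-MsolPasswordPolicy -DomainName $domain
"Before: ValidityPeriod={0} NotificationDays={1}" -f $before.ValidityPeriod, $before.NotificationDays

# 2. Align cloud expiry and warning window with the on-premises policy (60 days / 14 days as in the answer)
Set-MsolPasswordPolicy -DomainName $domain -ValidityPeriod 60 -NotificationDays 14

# 3. Make the cloud policy apply to synced users too (by default their cloud password never expires)
Set-MsolDirSyncFeature -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers -Enable $true

# 4. Verify the feature flag actually took effect rather than assuming it did
$feature = Get-MsolDirSyncFeatures -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers
if (-not $feature.Enabled) {
    throw "EnforceCloudPasswordPolicyForPasswordSyncedUsers is still disabled"
}

# 5. Spot-check a synced user: PasswordNeverExpires should now be False, and
#    LastPasswordChangeTimestamp should move when the on-premises password changes
Get-MsolUser -UserPrincipalName "user@example.com" |
    Select-Object UserPrincipalName, PasswordNeverExpires, LastPasswordChangeTimestamp, LastDirSyncTime
```

If step 5 still shows PasswordNeverExpires as True for a synced user, that user has the never-expire setting applied directly; it can be cleared per user with Set-MsolUser -UserPrincipalName "user@example.com" -PasswordNeverExpires $false, after which the cloud validity period and notification window apply to that account.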
