1 Vote
kayceec asked ajrockwellga answered

Users Password expiry notification from Azure

Hi,

Please, is it possible to configure users to get password expiry notifications?

We have Azure AD Connect configured but would like users to get notifications for password expiry.

Tags: azure-ad-user-management, azure-notification-hubs

Microsoft apparently does not care about glaring holes in features or the lack of capability to manage and maintain anything in an Enterprise environment. There are thousands of gaps in their products, hundreds of which ARE NOT addressed by third party "Partners" that they like to push as an answer.
The bottom line is something like this is a basic requirement and it is totally ignored by Microsoft. It seems it is because they feel they have everyone locked in so we have no choice. If you notice the areas where you have a choice they focus on fixing and improving. Microsoft, you are great at marketing and launching new tools and features that are half-baked and typically useless to the majority who clamor for them.
An answer like the one for this question is no answer at all when it only applies to a small percentage of your customers. Non-response to follow-up issues and questions is pure disregard for your customers.
Looks like it is time to LOCK this thread, disable user voice (oops already did that) and hide your incompetence Microsoft. That is the expected behavior you have taught us.
I rant like this to give Microsoft a wake up call, someday you won't have everyone in your grasp and the floodgates will open for your customers to move on to another platform. That time is closing in because people are tired of waiting and begging YEAR AFTER YEAR to fill the gaps and fix your bugs.

0 Votes 0 ·
1 Vote
amanpreetsingh-msft answered amitmne commented

Hello @kayceec

Since you have Azure AD Connect configured to sync the user accounts, and if you have configured Password Sync as well, you would first need to enforce the cloud password policy for password-synced users by using the cmdlets below:

  • Run Connect-MsolService and log in with a Global Admin account.

  • Run Set-MsolDirSyncFeature -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers -Enable $true to enforce the cloud password policy for password-synced users.

Set the password validity period and notification days by using the cmdlet below:

  • Set-MsolPasswordPolicy -ValidityPeriod 60 -NotificationDays 14

This command updates the tenant so that all users' passwords expire after 60 days. The users receive a notification 14 days prior to that expiry.


Please do "Accept the answer" wherever the information provided helps you. This will help others in the community as well.


Hello @kayceec I just wanted to follow up if the above response helped. Please don't forget to Accept helpful replies as answer. Feel free to tag me in your reply if you have any question.

0 Votes 0 ·

Hello @kayceec Have you had a chance to go through this answer?

0 Votes 0 ·

Hi Amanpreet,

With the configuration you suggested, will users get a password notification via email?

0 Votes 0 ·
2 Votes
DyeLarry-2374 answered

The suggested method of enforcing the cloud password policy is not an acceptable answer for hybrid environments using PHS, since the on-prem password policy is what will most likely be desired, especially if you have fine-grained password policies set. That means that, despite years of us asking for this to be addressed, the only solution to date for hybrid organizations is to either implement a custom script/scheduled task or a third-party tool to fill this gap in MS Azure functionality.


1 Vote
AnkurVeee answered

Also, there may be multiple service accounts present, and enabling the password expiry will expire the password for those service accounts as well, which will break the applications or whatever the service account is being used for.

Is there a way to trigger the email notification to ONLY MEMBER ACCOUNTS WHICH HAVE AN EMPLOYEE ID in their Azure AD profile?


0 Votes
DavidBycraftADM-5066 answered

I couldn't agree more with AnkurVeee and DyeLarry-2374. What is required is a group-based notification for users whose passwords are due to expire, so the password age is read from AD via AD Connect and if the pwdLastSet attribute is < X days, send an email, potentially allowing multiple emails to be sent, i.e. 14 days, 7 days, 1 day.


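The reminder logic described above (pwdLastSet-based, with 14/7/1-day emails) combined with the earlier request to skip service accounts by only mailing users that carry an EmployeeID, as an added example that is not part of this thread or any Microsoft tooling. It assumes the ActiveDirectory RSAT module on a domain-joined host; the SMTP relay and sender address are placeholders, and it reads the constructed attribute msDS-UserPasswordExpiryTimeComputed so that fine-grained password policies are honoured without recomputing pwdLastSet + MaxPasswordAge by hand.

```powershell
# Added example, not from this thread: daily on-prem password expiry reminder
# for hybrid (PHS) environments where the on-prem policy is authoritative.
# Assumes the ActiveDirectory RSAT module and an SMTP relay; host and sender are placeholders.
Import-Module ActiveDirectory

$ReminderDays = 14, 7, 1                  # send when exactly this many days remain
$SmtpServer   = 'smtp.example.local'      # placeholder relay
$From         = 'helpdesk@example.local'  # placeholder sender

function Get-PasswordExpiryStatus {
    # Only enabled, expiring accounts that carry an EmployeeID: this leaves out
    # service accounts, which usually have no EmployeeID or are set to never expire.
    $filter = 'Enabled -eq $true -and PasswordNeverExpires -eq $false -and EmployeeID -like "*"'
    $props  = 'msDS-UserPasswordExpiryTimeComputed', 'mail', 'DisplayName'
    $now    = Get-Date
    foreach ($u in Get-ADUser -Filter $filter -Properties $props) {
        $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
        # The constructed attribute already applies fine-grained policies (PSOs).
        # 0 = "must change at next logon", Int64.MaxValue = never expires; skip both.
        if (-not $raw -or $raw -ge [Int64]::MaxValue) { continue }
        $expires  = [DateTime]::FromFileTime($raw)
        $daysLeft = [int][Math]::Ceiling(($expires - $now).TotalDays)
        [pscustomobject]@{ Name = $u.DisplayName; Mail = $u.mail; Expires = $expires; DaysLeft = $daysLeft }
    }
}

function Send-PasswordExpiryReminders {
    param([int[]]$Days = $ReminderDays, [switch]$DryRun)
    $due = Get-PasswordExpiryStatus | Where-Object { $_.Mail -and $_.DaysLeft -in $Days }
    foreach ($u in $due) {
        # Deliberately no links: the user is told to change the password through a
        # channel they already know, so the reminder cannot be mistaken for, or
        # imitated by, a credential-phishing mail.
        $subject = "Your password expires in $($u.DaysLeft) day(s)"
        $body    = "Hello $($u.Name),`n`nYour password expires on $($u.Expires.ToString('yyyy-MM-dd')). " +
                   "Change it from your workstation (Ctrl+Alt+Del > Change a password) before then. " +
                   "This reminder contains no links; never act on a mail that asks you to click one."
        if ($DryRun) { Write-Output "Would notify $($u.Mail): $subject"; continue }
        Send-MailMessage -To $u.Mail -From $From -Subject $subject -Body $body -SmtpServer $SmtpServer
    }
    return $due
}

# Run daily as a scheduled task; start with -DryRun to review who would be mailed.
Send-PasswordExpiryReminders -DryRun
```

Because the script runs once a day and matches on the exact number of days remaining, each user gets at most one mail per threshold; a user already past expiry (negative DaysLeft) is never matched.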
4 Votes
RaviBowman-2353 answered RaviBowman-2353 published

This is 2021, we have been dealing with inefficient or non-existent password expiration notifications for too long. Someone needs to correct this basic core feature...


0 Votes
Mike-0310 answered Mike-0310 commented

I am currently searching for a solution for this as well. I am curious if this can be a Teams notification or some other method besides an email. Anything to keep users from expecting an email to prompt them for a password reset reminder. There are enough phishing emails that do this already, and training a user to look out for a legit one is just asking to have an account compromised.

The search continues...


Any luck so far with the Teams notification at all?
I'm stuck at the exact same challenge and would love to get a Teams notification... maybe you could share some useful hints?
Trying to avoid banging my head against a wall to achieve this...

Cheers,
Simon

0 Votes 0 ·

Hi Simon,
Unfortunately I haven't had much more time to look into this. I am currently still in the same position but will absolutely share with you if I find something!

0 Votes 0 ·
0 Votes
DaveB-1199 answered HeribertoContreras-9708 commented

Looks like the script has been re-written and moved to GitHub at https://gist.github.com/talzcloning/9884c37d2361b04a4040129a1a8488a5

0 Votes 0 ·
0 Votes
moderor answered

There is a free version of ManageEngine ADSelfService Plus specifically designed for password expiry emails; it also has an auto-updating feature.


0 Votes
Nuri-1682 answered

You could send toast notifications to the user with Proactive Remediation in Endpoint Analytics.
That's what we want to test soon. ;-)

https://www.smthwentright.com/2022/03/07/password-reminder-with-proactive-remediation-for-aad-joined-devices/


1 Vote
ajrockwellga answered glegault published

It is sad that Microsoft thinks they can call Azure AD an enterprise level solution when they can't include basic, critical features like password expiration notifications in the product set. These answers that side-step the actual issue, question, and desire of customers display a true lack of customer care.

Just because some of your customers can use 3rd-party solutions or devise work-arounds doesn't mean your product is providing the functionality that is needed; in fact it is not. Not everyone can utilize these outside solutions, especially not in GCC-High.

There has to be a solution that is not single focused. Why shouldn't we be able to simply enable a password reminder every x days for all cloud-based/AAD-based accounts? Why wouldn't the system enable an option to send a notification x days prior to a pw expiration on all AAD-based accounts regardless of AD Connect status?
