SonalGunasekera-5133 asked AnandSunka-5020 answered

Password Expiration with AAD connect Password hash sync

When Password Sync is enabled, the cloud password for a synchronized user is set to “never expires”. This means that the password synchronized to the cloud is still valid after the on-premises password expires.

Is there a way that we can enforce Office 365 users to change their password in local AD once the password expiration in local AD is enforced?


sikumars answered SonalGunasekera-5133 commented

Hello @SonalGunasekera-5133,

Thanks for reaching out.

Yes. If a user is in the scope of password hash synchronization, by default the cloud account password is set to Never Expire. You can continue to sign in to your cloud services by using a synchronized password that is expired in your on-premises environment. Your cloud password is updated the next time you change the password in the on-premises environment.

To avoid such situations, you can enable the EnforceCloudPasswordPolicyForPasswordSyncedUsers feature and update the Azure AD password policy to match the on-premises AD password expiry policy. For example, the default Azure AD password policy requires users to change their passwords every 90 days. If your policy in AD is also 90 days, the two policies should match. If the AD policy is not 90 days, you can update the Azure AD password policy to match by using the Set-MsolPasswordPolicy PowerShell command.

In this instance, the password expiry for on-premises and Azure AD will be the same, therefore users will need to change their password when it expires. However, synchronized users won't be able to change their password from Azure AD until you have enabled Azure Active Directory self-service password reset writeback to an on-premises environment; otherwise the user has to change their password from on-premises and wait for the new password hash to get synchronized to Azure AD.

Note: Once the EnforceCloudPasswordPolicyForPasswordSyncedUsers feature is enabled, Azure AD does not go to each synchronized user to remove the Never Expire (DisablePasswordExpiration) value from the PasswordPolicies attribute. Instead, the Never Expire (DisablePasswordExpiration) value is removed from PasswordPolicies during the next password hash sync for each user, upon their next password change in on-premises AD.

For additional information, see "What is the EnforceCloudPasswordPolicyForPasswordSyncedUsers feature". I hope this was helpful.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


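The steps from the answer above, put together as an added example script (not the answer author's or Microsoft's own code). It assumes the MSOnline module is installed and Connect-MsolService has already been run, that the ActiveDirectory RSAT module is available for the on-premises check, and uses contoso.com as a placeholder domain.

```powershell
# Added example: align Azure AD password expiry with on-prem AD for password-hash-synced users.
# Assumptions: MSOnline module loaded and Connect-MsolService already run; ActiveDirectory
# module available on this host; 'contoso.com' is a placeholder for your verified domain.

$domain = 'contoso.com'   # placeholder - replace with the verified Azure AD domain

# 1. Read the on-prem default domain policy so the cloud policy can be matched to it.
#    MaxPasswordAge is a TimeSpan; .Days gives the value to mirror in Azure AD (e.g. 90).
$onPremMaxAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days
Write-Host "On-prem MaxPasswordAge: $onPremMaxAge days"

# 2. Turn on the tenant-wide feature so newly synced hashes no longer carry
#    DisablePasswordExpiration, then read the setting back to confirm it took effect.
Set-MsolDirSyncFeature -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers -Enable $true
Get-MsolDirSyncFeatures -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers

# 3. Set the Azure AD validity period to the same number of days as on-prem.
#    A non-positive on-prem value means "never expires"; nothing sensible to mirror, so skip.
if ($onPremMaxAge -gt 0) {
    Set-MsolPasswordPolicy -DomainName $domain -ValidityPeriod $onPremMaxAge -NotificationDays 14
}
Get-MsolPasswordPolicy -DomainName $domain

# 4. Audit: synced users (ImmutableId set) that still carry DisablePasswordExpiration.
#    Per the answer, the flag is only cleared at each user's next on-prem password change
#    plus hash sync, so this list is expected to shrink over time rather than empty at once.
Get-MsolUser -All |
    Where-Object { $_.ImmutableId -and $_.PasswordPolicies -match 'DisablePasswordExpiration' } |
    Select-Object UserPrincipalName, LastPasswordChangeTimestamp,
        @{ n = 'DaysSinceChange'; e = { [int]((Get-Date) - $_.LastPasswordChangeTimestamp).TotalDays } },
        PasswordPolicies |
    Sort-Object DaysSinceChange -Descending |
    Format-Table -AutoSize
```

Re-run step 4 after a sync cycle to see which users have rolled their on-prem password since the feature was enabled; those whose PasswordPolicies no longer lists DisablePasswordExpiration are now subject to the cloud validity period.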

Hi @sikumars-msft,

Thanks a lot for the comment. Just one clarification,

Let's say the on-prem password policy is set for 90 days and we are on the 45th day today, and we enable the EnforceCloudPasswordPolicyForPasswordSyncedUsers feature and update the Azure AD password policy to match the on-premises AD password expiry policy (90 days). What will happen?

Does the on-prem password policy count the days from the 45th day until 90, or does it get reset to 0? If it counts from the 45th day onwards, then the Azure AD password policy day count would be 1; then the issue arises when on-prem reaches 90 days and Azure AD will still be on 45.

Can you please explain this?

AnandSunka-5020 answered

Hello SonalGunasekera-5133,

Please refer to this link for your answer, from lucafabbri365's reply to ThomasK007:
https://techcommunity.microsoft.com/t5/office-365/password-expiration-with-aad-connect-password-hash-sync/m-p/329248


I hope this will give your answer.


Regards
Anand S
