Comply your AD password expiration policy with Azure AD

How does EnforceCloudPasswordPolicyForPasswordSyncedUsers policy works?

If you have an expiration policy configured in your on-premise environment, this is not synced to Azure AD. This results in the scenario where a user can continue to work and access company resources when authenticating against Azure AD, although the password has expired in the on-premise AD. If you want to be able to have the moment of expiration of both passwords in sync, you should consider implementing this feature.

Why should I use the EnforceCloudPasswordPolicyForPasswordSyncedUsers feature?

Many organizations who are using password hash synchronization and syncing their identities from AD to Azure AD are not aware of the consequences of an expired password. The expiration policy within Azure AD should comply with your on-premise AD, therefore you need to configure the EnforceCloudPasswordPolicyForPasswordSyncedUsers feature before it would mark a password as expired

How to enable EnforceCloudPasswordPolicyForPasswordSyncedUsers feature?

Below you will find step-by-step guidance on how to enable and configure this feature.

  1. Run the below Powershell command to check if the feature is enabled:
Get-MsolDirSyncFeatures
If the feature is disabled you should see the above "false"value
If the feature is disabled you should see the “false” value, as is displayed in this screenshot.
  1. To enable the EnforceCloudPasswordPolicyForPasswordSyncedUsers, run the below command in your tenant:
Set-MsolDirSyncFeature -feature EnforceCloudPasswordPolicyForPasswordSyncedUsers $true

By default, the value DisablePasswordExpiration is set for every synced user, which means that the password expiration does not comply with the on-premise AD policy. This results in the scenario that a user won’t be prompted to change the password when they try to access company resources.

  1. Run the below command to check which user has a password expiration set:
Get-AzureADUser | Select-Object UserPrincipalName,passwordpolicies

When you want to comply with the on-premise password expiration policy, the PasswordPolicies value should be set to None. To get this done, you should change the on-premise password of a user and start initial sync. After the sync, the value should change to “None”.

The password policy is changed to “None” because of an on-premise password change.
  1. Run the below command to change the value manually to “None” for a specific user:
Set-AzureADUser -ObjectID YourUserName -PasswordPolicies None

Important note:
If you have specific synchronized AD accounts, e.g. Service Accounts that need to have non-expiring passwords in Azure AD, you must explicitly add the DisablePasswordExpiration value to the PasswordPolicies attribute.

Category: Active Directory 101, Azure