We have a password expiration policy set in Entra ID that forces users to change password every 90 days, but we have a subset of users with expired passwords that are not being prompted to update.

Mferguson 0 Reputation points
2024-05-05T02:53:53.3133333+00:00

It seems that there is some commonality in the successful authentications, which is that they are signing into application title "Apple Internet Accounts" per the sign-in logs. Client app is "Mobile Apps and Desktop Clients" in the same log. Curious if there is something going on with authenticating against this that does not trigger the expired password change via the mobile device.


1 answer

  1. Fabio Andrade 725 Reputation points Microsoft Employee
    2024-05-06T23:20:43.9133333+00:00

    Hi @Mferguson

    Thanks for reaching out to Microsoft Q&A.

    If the device is registered and managed by your company, there's a good chance that they are signing in using a PRT.

    A Primary Refresh Token (PRT) is a key artifact of Microsoft Entra authentication on Windows 10 or newer, Windows Server 2016 and later versions, iOS, and Android devices. It's a JSON Web Token (JWT) specially issued to Microsoft first-party token brokers to enable single sign-on (SSO) across the applications used on those devices.

    PRTs expire after a 90-day period, but they are renewed indefinitely if the device is used frequently, as long as the PRT is not invalidated.

    https://learn.microsoft.com/en-us/entra/identity/devices/concept-primary-refresh-token

    As a workaround, you could configure a CA policy to force the users to sign in after x days. By doing so, they will be prompted for username/password, which would trigger the password reset flow for the accounts with expired passwords:

    https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-session#sign-in-frequency

    Thanks,

    Fabio
