Password Policy Requrements Enforced and Synced From AAD to AD

Question

So we are going to force our users to change their passwords every 90 days. I have password sync turned on and working from Azure AD to our on prem AD. This works perfect and allows our users to change their passwords in the cloud but then be synced over to AD. What is not working is the password policy requirements I setup in AD on Prem Group Policies. Our staff can make any kind of password without restrictions. All of our devices are Workgroup joined in Azure/Intune. We do not have domain joined machines. Does anyone have any ideas for how we can force password requirements through Intune/Azure/Microsoft? We are at a loss right now.. ![81923-screenshot-2021-03-26-110659.png][1] ![81908-screenshot-2021-03-26-110659.png][2] [1]: /api/attachments/81923-screenshot-2021-03-26-110659.png?platform=QnA [2]: /api/attachments/81908-screenshot-2021-03-26-110659.png?platform=QnA

Answer 1

Hi @Force Strong · Thank you for reaching out.

As the devices are not domain joined, password policies defined in Group Policies won't apply. You need to configure password expiration policy in Azure AD by using following cmdlet:

Set-MsolPasswordPolicy -ValidityPeriod 90 -NotificationDays 14

Keep in mind that the password expiration policy configured in Azure AD are not by default applied to the synced user accounts. To apply Azure AD Password Expiration Policy to the users synced from On-premises AD, use below cmdlet:

Set-MsolDirSyncFeature -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers

Read more: EnforceCloudPasswordPolicyForPasswordSyncedUsers

-----------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.