Need to enable Password Writeback and also enable EnforceCloudPasswordPolicyForPasswordSyncedUsers

Nirav 26 Reputation points
2022-08-30T20:14:31.93+00:00

Hello,

Currently, we have had password hash sync enabled since the end of last year, and I need to enable password writeback in AZ AD Connect and also configure SSPR. Also, "EnforceCloudPasswordPolicyForPasswordSyncedUsers" is not enabled, which is allowing end users to access M365 until the on-premises password is changed.

I need some guidance on what should be done first:

  1. Enable Password Writeback
  2. Enable Enforce Cloud Password Policy for password synced users
  3. Enable and configure SSPR

Thank you for your time and effort.

Microsoft Entra ID

Accepted answer
  1. Andy David - MVP 141.1K Reputation points MVP
    2022-08-30T20:59:01.55+00:00

    What is the password expiration policy set to on-prem?
    This is what the setting changes:

    EnforceCloudPasswordPolicyForPasswordSyncedUsers

    https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-password-hash-synchronization#enforcecloudpasswordpolicyforpasswordsyncedusers

    And really, that should have been set before PHS; ensure the Azure AD and on-prem policies match if you do enable it.

    I would actually do step 3 first.
    Note that in step 2, this could cause a large number of users to get prompted to reset their passwords.


3 additional answers

Sort by: Most helpful
  1. Andy David - MVP 141.1K Reputation points MVP
    2022-08-30T20:21:39.157+00:00

    Your order is correct. This walks through the steps in the right order:
    https://learn.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr-writeback


  2. Nirav 26 Reputation points
    2022-08-30T21:00:16.09+00:00

    Thank you @Andy David - MVP for your feedback. We also have a few accounts whose password is set not to expire; in that case, should I execute the following commands?

    ENABLE:
    Set-MsolDirSyncFeature -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers -Enable $true

    UPDATE PASSWORD POLICIES FOR ALL (remove DisablePasswordExpiration from every synced user):
    Get-AzureADUser -All $true | Where-Object { $_.DirSyncEnabled -eq $true -and $_.PasswordPolicies -eq 'DisablePasswordExpiration' } | ForEach-Object {
        Set-AzureADUser -ObjectId $_.ObjectId -PasswordPolicies None }

    DISABLE PASSWORD EXPIRATION FOR SELECT USERS:
    Set-AzureADUser -ObjectId <User Object ID> -PasswordPolicies "DisablePasswordExpiration"

    And is the order correct?
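The accepted answer's two points (compare the on-prem and cloud expiration policies first, and expect a wave of forced resets once the feature is on) and the three commands in the reply above can be combined into one audit-then-apply script. The following is an added example, not code from the thread or from Microsoft's documentation: it reports how many synced users would be expired immediately and which on-prem "password never expires" accounts need DisablePasswordExpiration re-set in the cloud, and only changes the tenant when run with -Apply. It assumes the ActiveDirectory, MSOnline and AzureAD modules are installed and already connected (Connect-MsolService, Connect-AzureAD), and the domain name contoso.com is an assumed placeholder.

```powershell
# Added example (not from the original thread). Audit the impact of enabling
# EnforceCloudPasswordPolicyForPasswordSyncedUsers, then apply it on request.
# Assumes ActiveDirectory, MSOnline and AzureAD modules are loaded and connected.
[CmdletBinding()]
param(
    [string]$DomainName = 'contoso.com',   # assumed tenant domain; replace with yours
    [switch]$Apply                          # default is report-only
)

$feature = 'EnforceCloudPasswordPolicyForPasswordSyncedUsers'

# 1. Is the directory sync feature already on?
$featureState = Get-MsolDirSyncFeatures -Feature $feature
Write-Host "$feature enabled: $($featureState.Enabled)"

# 2. Compare on-prem and cloud expiration policies (the first thing the accepted answer asks).
$onPrem     = Get-ADDefaultDomainPasswordPolicy
$cloud      = Get-MsolPasswordPolicy -DomainName $DomainName
$onPremDays = [int]$onPrem.MaxPasswordAge.TotalDays   # 0 means passwords never expire on-prem
$cloudDays  = [int]$cloud.ValidityPeriod              # cloud default is 90
Write-Host "On-prem max password age: $onPremDays days; cloud validity period: $cloudDays days"
if ($onPremDays -ne $cloudDays) {
    Write-Warning "Policies differ; align them (Set-MsolPasswordPolicy) before enabling $feature."
}

# 3. Impact: a synced user whose on-prem password is already older than the cloud
#    validity period will be treated as expired in the cloud once the feature applies.
$synced  = Get-AzureADUser -All $true | Where-Object { $_.DirSyncEnabled -eq $true }
$cutoff  = (Get-Date).AddDays(-$cloudDays)
$adUsers = Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, PasswordNeverExpires, UserPrincipalName
$adByUpn = @{}
foreach ($u in $adUsers) {
    if ($u.UserPrincipalName) { $adByUpn[$u.UserPrincipalName.ToLower()] = $u }
}

$wouldExpire   = @()   # would be prompted to change password immediately
$neverExpires  = @()   # never-expires on-prem; needs DisablePasswordExpiration in the cloud
$stillDisabled = @()   # currently carry DisablePasswordExpiration in the cloud
foreach ($cu in $synced) {
    $ad = $adByUpn[$cu.UserPrincipalName.ToLower()]
    if (-not $ad) { continue }   # cloud-only or UPN mismatch; out of scope here
    if ($cu.PasswordPolicies -match 'DisablePasswordExpiration') { $stillDisabled += $cu }
    if ($ad.PasswordNeverExpires) { $neverExpires += $cu; continue }
    if ($ad.PasswordLastSet -and $ad.PasswordLastSet -lt $cutoff) { $wouldExpire += $cu }
}
Write-Host ("Synced: {0}; would expire immediately: {1}; never-expires on-prem: {2}; cloud DisablePasswordExpiration set: {3}" -f `
    $synced.Count, $wouldExpire.Count, $neverExpires.Count, $stillDisabled.Count)
$wouldExpire | Select-Object UserPrincipalName | Export-Csv -NoTypeInformation .\would-expire.csv

if (-not $Apply) {
    Write-Host 'Report only. Re-run with -Apply to change the tenant.'
    return
}

# 4. Apply in the order the reply above lists: enable the feature, clear
#    DisablePasswordExpiration on synced users, then re-set it only for accounts
#    that never expire on-prem (this is what the third command was for).
Set-MsolDirSyncFeature -Feature $feature -Enable $true -Force
foreach ($cu in $stillDisabled) {
    Set-AzureADUser -ObjectId $cu.ObjectId -PasswordPolicies None
}
foreach ($cu in $neverExpires) {
    Set-AzureADUser -ObjectId $cu.ObjectId -PasswordPolicies DisablePasswordExpiration
}
```

Run it once without -Apply and look at would-expire.csv: that count is the "large number of users prompted to reset" the accepted answer warns about, and it is the figure to communicate to the helpdesk before the switch is flipped. Users who do not appear in on-prem AD by UPN are skipped rather than touched, so a UPN mismatch shows up as a gap in the counts instead of a wrong policy change.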

  3. Nirav 26 Reputation points
    2022-08-30T21:21:34.617+00:00

    Also want to mention that when the on-premises password is expired, users have to change it using the RDWeb App Portal (currently); otherwise they are able to access any network resources and VPN. So once it's changed, it syncs via AD Connect and then they have to use the new password for M365.