AD Password Change solutions?

Question

Dear Experts,

We are considering hardening our account security by enforcing a password change for users every 90 days. I noticed that in GPO, this policy is available under Computer Configuration only, so I'm a bit lost on how to implement this solution. I thought it should be applied to the user accounts directly?

In our scenario, we also use Office 365 and EntraID (formerly known as AAD), where users can reset their passwords online, and these changes are written back to our local DC. How can we connect these systems together to ensure a seamless password management experience?

Any advice and suggestions would be greatly appreciated.

Answer 1

You apply it in the Default Domain Policy GPO. This will effectively enforce the configuration for all users in the domain (unless you also implement Fine Grained Password Policy). Details in https://activedirectorypro.com/how-to-configure-a-domain-password-policy/

For Entra ID, as per https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-policy

Password expiry duration (Maximum password age) Default value: 90 days. If the tenant was created after 2021, it has no default expiration value. You can check current policy with Get-MgDomain. The value is configurable by using the Update-MgDomain cmdlet from the Microsoft Graph module for PowerShell.|

If you already implement password writeback in Entra ID, then this is all that's required.

---

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin