How to sync Azure AD password policies with on-premises Active Directory

Shaun Slater 66 Reputation points
2023-03-10T10:40:47.37+00:00

I have tried to follow the steps in the article to sync our Azure AD password policies with the on-prem policies, but some of these commands do not work. I am not the best with PowerShell, so I cannot work out why none of these work, but I want to bulk update the PasswordPolicies attribute to None for our 365 users.

I have already made sure that our on-prem and cloud password policies are in line with each other, but it's just bulk updating the users.

Article I followed: https://ourcloudnetwork.com/sync-your-azure-ad-password-policy-with-onpremise-ad/

The command below returns nothing when it should return a value (disabled). The ForEach loop I have to update the PasswordPolicies attribute does not work either.

#Get Password Policies for a user
#PasswordPolicies is not in the default property set returned by Graph, so request it explicitly
(Get-MgUser -UserId ******@ourcloudnetwork.co.uk -Property PasswordPolicies).PasswordPolicies

#Update the Password Policies attribute to None.
#OnPremisesSyncEnabled and PasswordPolicies must also be requested with -Property, otherwise the filter matches nothing
Get-MgUser -All -Property Id,OnPremisesSyncEnabled,PasswordPolicies |
    Where-Object { $_.OnPremisesSyncEnabled -eq $true -and $_.PasswordPolicies -eq 'DisablePasswordExpiration' } |
    ForEach-Object {
        Update-MgUser -UserId $_.Id -PasswordPolicies None
    }

Again, the reason we are doing this is that, by default, if you are syncing your on-premises users with Azure AD via Azure AD Connect, your Azure AD password expiration policy does not comply with your on-premises password expiration policy. By default, when your on-premises user account password expires, between the time of the password expiring and the user updating their password, they can still log in to the Azure AD account and access Azure resources with their old password.

This poses a significant risk, especially over holiday periods where users are unlikely to be logging into their systems.

I hope this makes sense and look forward to your response.

Tags: Exchange Online, Microsoft Entra ID

Accepted answer
  1. Vasil Michev 119.7K Reputation points MVP Volunteer Moderator
    2023-03-10T11:47:21.75+00:00

    What you should do is toggle the EnforceCloudPasswordPolicyForPasswordSyncedUsers feature, as detailed here: https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-password-hash-synchronization#enforcecloudpasswordpolicyforpasswordsyncedusers

    As for checking/setting PasswordPolicies per user, the cmdlet is the correct one, however said attribute is not returned by default, thus the null value. Either switch to the beta endpoint, or specifically request it:

    (Get-MgUser -UserId ******@domain.com -Property PasswordPolicies).PasswordPolicies

    or

    Select-MgProfile beta

    (Get-MgUser -UserId ******@domain.com).PasswordPolicies

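The two steps the accepted answer describes (enable the tenant feature, then request PasswordPolicies explicitly and bulk-clear it for already-synced users) put together as one script. This is an added example, not code from the original question, the accepted answer, or Microsoft's documentation. It assumes the Microsoft.Graph PowerShell SDK v2, that the signed-in account can consent to User.ReadWrite.All and OnPremDirectorySynchronization.ReadWrite.All, and that the feature is exposed through Get-MgDirectoryOnPremiseSynchronization / Update-MgDirectoryOnPremiseSynchronization as the property CloudPasswordPolicyForPasswordSyncedUsersEnabled (assumed cmdlet and property names; verify against your SDK version). The -Apply switch is a hypothetical parameter of this script, not of any Graph cmdlet.

```powershell
#Requires -Modules Microsoft.Graph.Users, Microsoft.Graph.Identity.DirectoryManagement
# Added example (not from the original thread). Run without -Apply first: it only reports.
param(
    [switch]$Apply   # hypothetical switch: without it nothing is changed
)

Connect-MgGraph -Scopes 'User.ReadWrite.All','OnPremDirectorySynchronization.ReadWrite.All' -NoWelcome

# 1. Tenant-level feature (EnforceCloudPasswordPolicyForPasswordSyncedUsers in the docs).
#    Cmdlet and property names below are assumed from the Identity.DirectoryManagement module.
$sync = Get-MgDirectoryOnPremiseSynchronization
if (-not $sync.Features.CloudPasswordPolicyForPasswordSyncedUsersEnabled) {
    Write-Host 'Cloud password policy for synced users is OFF'
    if ($Apply) {
        $sync.Features.CloudPasswordPolicyForPasswordSyncedUsersEnabled = $true
        Update-MgDirectoryOnPremiseSynchronization -OnPremisesDirectorySynchronizationId $sync.Id -Features $sync.Features
        Write-Host 'Cloud password policy for synced users is now ON'
    }
}

# 2. Users synced before the feature was on keep DisablePasswordExpiration until their next
#    password change, so clear it in bulk. Neither OnPremisesSyncEnabled nor PasswordPolicies is
#    in the default $select, which is why the original command returned nothing: request them.
$props   = 'Id','UserPrincipalName','OnPremisesSyncEnabled','PasswordPolicies'
$targets = @(Get-MgUser -All -Property $props |
    Where-Object { $_.OnPremisesSyncEnabled -eq $true -and $_.PasswordPolicies -match 'DisablePasswordExpiration' })

"{0} synced user(s) still have password expiry disabled" -f $targets.Count

foreach ($u in $targets) {
    # PasswordPolicies is a comma-separated string and can also carry DisableStrongPassword;
    # an exact -eq 'DisablePasswordExpiration' would skip those users. Drop only the expiry flag.
    $remaining = ($u.PasswordPolicies -split ',\s*' |
        Where-Object { $_ -and $_ -ne 'DisablePasswordExpiration' }) -join ','
    if (-not $remaining) { $remaining = 'None' }

    if ($Apply) {
        Update-MgUser -UserId $u.Id -PasswordPolicies $remaining
        "UPDATED {0}: '{1}' -> '{2}'" -f $u.UserPrincipalName, $u.PasswordPolicies, $remaining
    } else {
        "WOULD UPDATE {0}: '{1}' -> '{2}'" -f $u.UserPrincipalName, $u.PasswordPolicies, $remaining
    }
}

# 3. Spot-check one account afterwards, again asking for the attribute explicitly.
if ($Apply -and $targets.Count -gt 0) {
    (Get-MgUser -UserId $targets[0].Id -Property PasswordPolicies).PasswordPolicies
}
```

Two points worth checking before running with -Apply: confirm the on-premises maximum password age and the cloud policy really match, as the question author did, because once expiry is enforced in the cloud a user whose on-prem password lapses will also lose cloud sign-in (the desired outcome here); and note that the filter uses -match rather than -eq so that accounts carrying both DisablePasswordExpiration and DisableStrongPassword are handled, with only the expiry flag removed.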
