Question about O365 password expiration policy and on-prem AD

IAMUser 6 Reputation points

Currently on-prem AD, the password is set to change, let's say, every 90 days. I know that it writes up to the cloud. And if the password is changed in the cloud, it writes back to on-prem AD.

O365 cloud password expiration is set to 180 days. So the password is out of sync after 90 days. A user that works mainly in the cloud will not know their password expired on AD, and the password in the cloud has another 90 days before expiration.

If I change the expiration in the cloud to match the 90 days on-prem and it's already the 120th day, what happens to the user? Will they still be able to change their password?

Is there a way to change the password expiration policy to a subset of users to test this?

Also, if I change it to 90 days in the cloud, will that restart the count? For example, a user's on-prem AD password is changed today. It writes back to the cloud. Then two weeks later I change the cloud password policy from 180 to 90. Does that reset? Or will it still take account of the date when the password was last changed?

Thank you in advance.

Tags: Active Directory, Microsoft Entra ID

1 answer

  1. VipulSparsh-MSFT 16,201 Reputation points Microsoft Employee

    @IAMUser You might need to enable EnforceCloudPasswordPolicyForPasswordSyncedUsers; that would enforce the cloud password policy on synced users as well. This is recommended if users are accessing only cloud resources and we don't care about on-premises resources and the password expiry that happens at on-premises AD.

    With this, when a user changes the password locally, the password would be synced to Azure AD. The last password changed time would be reset and no password change would be prompted by Azure AD till we reach 90 days or so. If the password is changed at on-prem AD before they hit the 90-day mark, this process will keep repeating. But if it was not changed at on-prem and the user accesses a cloud resource after 90 days, the user would be prompted to change the password. With password writeback enabled, this would be written back to AD.

    This doesn't require SSPR; only password writeback has to be enabled. If the users are going to change their password always locally at AD, then everything is taken care of. But the passwords in the cloud by default don't expire.

    So after 90 days, when the password expires at AD, it doesn't expire at Azure AD; you need to do the steps here to expire the password for the user at Azure AD as well.


    If the suggested response helped you resolve your issue, please do not forget to accept the response as Answer and "Up-Vote" for the answer that helped you, for the benefit of the community.

    1 person found this answer helpful.
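The following is an added example, not code from the question, the answer or Microsoft's documentation. It uses the MSOnline PowerShell module to make the two things the answer talks about visible: the tenant-level EnforceCloudPasswordPolicyForPasswordSyncedUsers sync feature, and the per-user PasswordPolicies value that Azure AD uses to decide whether a synced user's password ever expires in the cloud. It assumes you have already run Connect-MsolService with an account allowed to read and change these settings; the domain name and the pilot user list are placeholders. Running it with $apply left at $false only reports; setting $apply to $true clears the DisablePasswordExpiration flag on the pilot users so the tenant validity period applies to that subset, which is one way to try the change on a few accounts before touching everyone.

```powershell
# Added example (not from the original post). Requires: Install-Module MSOnline; Connect-MsolService
Import-Module MSOnline

$domain     = 'contoso.com'                                   # placeholder: your verified tenant domain
$pilotUsers = @('pilot1@contoso.com', 'pilot2@contoso.com')   # placeholder: the subset you want to test on
$apply      = $false                                          # $true = actually change the pilot users

# 1. Tenant-wide sync feature the answer refers to. This flag has no per-user scope;
#    it is either on or off for the whole directory sync.
$feature = Get-MsolDirSyncFeatures |
    Where-Object { $_.DirSyncFeature -eq 'EnforceCloudPasswordPolicyForPasswordSyncedUsers' }
"EnforceCloudPasswordPolicyForPasswordSyncedUsers enabled: $($feature.Enabled)"
# To enable it tenant-wide:
#   Set-MsolDirSyncFeature -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers -Enable $true

# 2. Cloud validity period for the domain (the "180 days" in the question) and the
#    notification window before expiry.
$policy       = Get-MsolPasswordPolicy -DomainName $domain
$validityDays = [int]$policy.ValidityPeriod
"Cloud validity period for ${domain}: $validityDays days (notify $($policy.NotificationDays) days before)"

# 3. Audit the pilot subset: is cloud expiry disabled for this user, when was the
#    password last changed, and how old is it relative to the cloud validity period?
$report = foreach ($upn in $pilotUsers) {
    $u       = Get-MsolUser -UserPrincipalName $upn
    $ageDays = ((Get-Date) - $u.LastPasswordChangeTimestamp).Days
    [pscustomobject]@{
        User                 = $upn
        PasswordPolicies     = $u.PasswordPolicies   # 'DisablePasswordExpiration' => cloud never expires it
        LastChanged          = $u.LastPasswordChangeTimestamp
        PasswordAgeDays      = $ageDays
        DaysUntilCloudExpiry = $validityDays - $ageDays   # negative = already past the validity period
    }
}
$report | Format-Table -AutoSize

# 4. Optional change, limited to the pilot users: remove DisablePasswordExpiration so the
#    tenant validity period applies to these accounts. Leave $apply at $false to only report.
if ($apply) {
    foreach ($upn in $pilotUsers) {
        Set-MsolUser -UserPrincipalName $upn -PasswordPolicies 'None'
        "Cleared DisablePasswordExpiration on $upn"
    }
}
```

The report step is the useful part for the "120th day" question in the post: PasswordAgeDays comes from LastPasswordChangeTimestamp, which is the value Azure AD compares against the validity period, so you can see for each pilot user where they would stand before you shorten the period from 180 to 90 days.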