Password Policy Not Working

Trevor Edd 20 Reputation points
2024-05-15T19:33:22.6766667+00:00

We have a hybrid setup with EntraAD and local Active Directory. I have set up a password policy locally that sets our passwords to expire every 365 days (along with other settings). When I run queries locally, it does report back correct data on my users and when their passwords will expire, or have already expired.

I have navigated to Microsoft 365 Admin Center > Security & Privacy > Password Expiration Policy > and have set the days to 365.

When I navigate to a user in the Entra Admin Center and navigate to their properties it shows "DisablePasswordExpiration" under Password policies.

I can't find any policy that is disabling the expiration of passwords. Any help would be appreciated.

Tags:
Active Directory: A set of directory-based technologies included in Windows Server.
Microsoft Entra ID: A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

Accepted answer
  1. akinbade abiola 1,885 Reputation points
    2024-05-15T22:48:51.9233333+00:00

    Hello Trevor Edd,

    Thanks for your question.

    The Microsoft Entra password policy doesn't apply to user accounts synchronized from an on-premises AD DS environment using Microsoft Entra Connect, unless you enable EnforceCloudPasswordPolicyForPasswordSyncedUsers.

    Please note that:

    To check your current password policy, please run the command below for a single user:

    # PasswordPolicies is not returned by Get-MgUser unless requested with -Property, and it is a
    # comma-separated string (e.g. "DisablePasswordExpiration, DisableStrongPassword"), so test it with -match
    Get-MgUser -UserId <user ID> -Property UserPrincipalName,PasswordPolicies | Select-Object UserPrincipalName, @{N="PasswordNeverExpires";E={$_.PasswordPolicies -match "DisablePasswordExpiration"}}


    Please take a look at the documentation here for this: https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-policy

    To run the above commands, you need to connect. You can do this doing: https://learn.microsoft.com/en-us/powershell/microsoftgraph/authentication-commands?view=graph-powershell-1.0#using-connect-mggraph

    Please let me know if you have further questions

    You can mark it 'Accept Answer' if this helped.

    1 person found this answer helpful.

1 additional answer

  1. Marilee Turscak-MSFT 34,791 Reputation points Microsoft Employee
    2024-05-15T23:00:59.5066667+00:00

    Hi @Trevor Edd ,

    The documentation notes that Entra ID does not go to each synchronized user to remove the DisablePasswordExpiration value from the PasswordPolicies attribute. Instead, the DisablePasswordExpiration value is removed (None) from PasswordPolicies during the next password hash sync for each user, upon their next password change in the on-premises AD.

    Microsoft recommends enabling EnforceCloudPasswordPolicyForPasswordSyncedUsers prior to enabling password hash sync, so that the initial sync of password hashes does not add the DisablePasswordExpiration value to the PasswordPolicies attribute for the users.

    But if you enabled the feature after setting up password hash sync, then you have two choices for setting PasswordPolicies to None:


    1. Wait for the user’s next password change to occur on the on-premises AD
    2. Run a PowerShell script to update it.

    For more information: https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-password-hash-synchronization

    Let me know if this helps address your concern and if you have further questions.

    If the information helped you, please Accept the answer. This will help us and improve searchability for others in the community who may be researching similar questions. Otherwise let me know if you have further questions.
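Putting the two answers together as an added, runnable example (this script is mine, written for this page; it is not code from the thread or from Microsoft's documentation): it checks whether EnforceCloudPasswordPolicyForPasswordSyncedUsers is on, lists the synchronized users that still carry DisablePasswordExpiration in PasswordPolicies, and optionally clears the value instead of waiting for each user's next on-premises password change. The cmdlets are from the Microsoft Graph PowerShell SDK; the -ReportOnly switch and the account/permission assumptions in the comments are my own.

```powershell
# Added example, not from the original thread. Requires the Microsoft Graph PowerShell SDK
# (Microsoft.Graph.Users and Microsoft.Graph.Identity.DirectoryManagement).
# Assumes an account that can consent to the scopes below (e.g. Hybrid Identity Administrator)
# and a tenant that uses password hash sync. Run with -ReportOnly first; nothing is changed then.
param(
    [switch]$ReportOnly
)

Connect-MgGraph -Scopes "User.ReadWrite.All", "OnPremDirectorySynchronization.ReadWrite.All"

# 1. Is the cloud password policy enforced for synced users at all?
#    Until this is on, the expiry you set in the admin center is ignored for synced accounts.
$sync     = Get-MgDirectoryOnPremiseSynchronization
$enforced = $sync.Features.CloudPasswordPolicyForPasswordSyncedUsersEnabled
Write-Host "EnforceCloudPasswordPolicyForPasswordSyncedUsers: $enforced"

if (-not $enforced -and -not $ReportOnly) {
    $sync.Features.CloudPasswordPolicyForPasswordSyncedUsersEnabled = $true
    Update-MgDirectoryOnPremiseSynchronization -OnPremisesDirectorySynchronizationId $sync.Id -Features $sync.Features
    Write-Host "Enabled EnforceCloudPasswordPolicyForPasswordSyncedUsers."
}

# 2. Find synced users that still carry DisablePasswordExpiration.
#    PasswordPolicies is only returned when requested, and it is a comma-separated string
#    (e.g. "DisablePasswordExpiration, DisableStrongPassword"), so use -match, not -contains.
$users = Get-MgUser -All -Property Id, UserPrincipalName, PasswordPolicies, OnPremisesSyncEnabled |
    Where-Object { $_.OnPremisesSyncEnabled -eq $true -and $_.PasswordPolicies -match "DisablePasswordExpiration" }

Write-Host ("{0} synced user(s) still have DisablePasswordExpiration set." -f $users.Count)
$users | Select-Object UserPrincipalName, PasswordPolicies | Format-Table -AutoSize

if ($ReportOnly) { return }

# 3. Clear the value now rather than waiting for the next on-prem password change.
#    Any other policy value (e.g. DisableStrongPassword) is kept; if nothing is left, set None.
foreach ($u in $users) {
    $remaining = ($u.PasswordPolicies -split ",\s*" |
        Where-Object { $_ -and $_ -ne "DisablePasswordExpiration" }) -join ", "
    if (-not $remaining) { $remaining = "None" }
    Update-MgUser -UserId $u.Id -PasswordPolicies $remaining
    Write-Host "Updated $($u.UserPrincipalName): PasswordPolicies -> $remaining"
}
```

Run it once with -ReportOnly to see how many accounts are affected before making changes, and make sure the cloud expiry in the admin center already matches the on-premises value (365 days here) before clearing the flag, so that synced users are not evaluated against a different expiry in Entra ID than the one AD enforces.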