Entra ID domain services Fine grained password policy not applying to Entra ID users

Question

Entra ID domain services Fine grained password policy not applying to Entra ID users

Kastytis Balciunas 26

Setup:

I've set up Entra ID domain services in our cloud only environment, created a VM and domain joined it to the domain services then synced few users from Entra ID then using those user credential i'm able to log in to the domain join VM and use administrative tools to change setting add users and so on.

I've create a fine grained password policy with precedents lower then default policy and apply it to domain users group and directly to the user.

Issue:

When i go to Entra ID cloud and reset users passwords, they go create a new password but the FGPP setting are not applying.

Question:

How do i configure password policy in Entra ID domain services to apply to Entra ID cloud only users that are synced to domain services?

Accepted answer

0 additional answers

Your answer

Answer 1

Givary-MSFT 35,626 Microsoft Employee Moderator

@Kastytis Balciunas Thank you for reaching out to us, As I understand you are trying to configure password policy in Entra ID domain services to apply to Entra ID cloud only users that are synced to domain services.

As far I understand and as per this doc - https://learn.microsoft.com/en-us/entra/identity/domain-services/password-policy A default fine grained password policy is created within Entra ID Domain Services and applied to all users in a Domain Services managed domain, not for the users synced from Entra ID to Entra Domain Services.

If in case you want to have better password protection for the cloud users, refer to this - https://learn.microsoft.com/en-us/entra/identity/authentication/concept-password-ban-bad

Let me know if you have any further questions, feel free to post back.

Kastytis Balciunas 26 Reputation points

2024-11-04T14:25:10.76+00:00

Thanks for the quick replay, i have read the provided documentation but I'm still a bit confused,

Question 1. So the Entra domain services does not provide an option to configure a password policy for Entra ID users even if they are synced?

Question 2. Apart from password protection is there a way to configure password policies for Entra ID users?
Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator

2024-11-05T09:52:54.08+00:00

@Kastytis Balciunas To answer these

Question 1. So the Entra domain services does not provide an option to configure a password policy for Entra ID users even if they are synced?

Ans: As per the above article/doc shared - A default fine grained password policy is created and applied to all users in a Domain Services managed domain, password policy created in managed domain does not apply to the users in Entra ID.

Question 2. Apart from password protection is there a way to configure password policies for Entra ID users?

Ans: These are default password policies applicable to entra id users - https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-policy which can't be modified.

Share via

Entra ID domain services Fine grained password policy not applying to Entra ID users

0 additional answers

Your answer