This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(297.6, 38%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Our organization has an on-premises Active Directory (AD) integrated with Azure AD Connect and Single Sign-On (SSO) configured, including the password write-back option. We've set a password expiration policy of 90 days at the organizational level in both Office 365 and the on-premises AD Group Policy.
However, I've observed an issue where some users, primarily working from home and not regularly connecting to the official network, are still able to access their email and log into Outlook beyond the 90-day password expiration limit. According to our configuration, they should be prompted to reset their passwords or face login restrictions upon expiration.
Could anyone help me understand the possible root cause of this behavior and suggest steps to resolve the issue?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hi, @Amit
Just checking in to see if information below was helpful.
If the issue has been resolved, please mark the helpful replies as answers.
Hello @Amit,
Just checking in to see if the below answer provided by @Andy David - MVP helped.
If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
You can enable that here:
However read all the caveats and understand the implications.
I would recommend that instead of expiring passwords, you enable a passwordless MFA architecture and do not expire passwords, instead only disable an account on-prem when the user is leaving the company.