Password Expiration Issue in Hybrid Active Directory Setup

Amit 1 Reputation point
2025-02-04T08:28:43.3866667+00:00

Our organization has an on-premises Active Directory (AD) integrated with Azure AD Connect and Single Sign-On (SSO) configured, including the password write-back option. We've set a password expiration policy of 90 days at the organizational level in both Office 365 and the on-premises AD Group Policy.

However, I've observed an issue where some users, primarily working from home and not regularly connecting to the official network, are still able to access their email and log into Outlook beyond the 90-day password expiration limit. According to our configuration, they should be prompted to reset their passwords or face login restrictions upon expiration.

Could anyone help me understand the possible root cause of this behavior and suggest steps to resolve the issue?


1 answer

  1. Andy David - MVP 157.8K Reputation points MVP Volunteer Moderator
    2025-02-04T12:31:30.2666667+00:00

    You can enable that here:

    https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-password-hash-synchronization#cloudpasswordpolicyforpasswordsyncedusersenabled

    However, read all the caveats and understand the implications.

    I would recommend that instead of expiring passwords, you enable a passwordless MFA architecture and do not expire passwords, instead only disable an account on-prem when the user is leaving the company.

    1 person found this answer helpful.
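The setting the answer links to can be inspected and changed from Microsoft Graph PowerShell. The script below is an added example and is not part of the answer above or of Microsoft's documentation. It assumes the Microsoft.Graph module is installed, that the signed-in account can be granted the OnPremDirectorySynchronization.ReadWrite.All and User.ReadWrite.All scopes, and that the tenant's cloud password policy is already the 90 days the question describes. The step that clears `DisablePasswordExpiration` per user is the part most often missed: turning the feature on only affects passwords synced after that point, so users who last changed their password before the switch stay non-expiring until the flag is removed.

```powershell
# Added example (not from the question or the answer): check and enable cloud
# password-expiration enforcement for password-hash-synced users, then make sure
# existing synced users are actually covered by the policy.
Connect-MgGraph -Scopes "OnPremDirectorySynchronization.ReadWrite.All", "User.ReadWrite.All"

# 1. Read the current synchronization features. When
#    CloudPasswordPolicyForPasswordSyncedUsersEnabled is $false, Entra ID stamps every
#    synced user with DisablePasswordExpiration, which is why remote users who never
#    touch the on-prem domain keep signing in past 90 days.
$sync = Get-MgDirectoryOnPremiseSynchronization
$sync.Features | Select-Object CloudPasswordPolicyForPasswordSyncedUsersEnabled

# 2. Enable the feature (read the caveats in the linked article first).
$sync.Features.CloudPasswordPolicyForPasswordSyncedUsersEnabled = $true
Update-MgDirectoryOnPremiseSynchronization `
    -OnPremisesDirectorySynchronizationId $sync.Id `
    -Features $sync.Features

# 3. Users synced before the switch still carry DisablePasswordExpiration.
#    Clear it explicitly so the cloud policy applies to them as well.
#    (Filter on onPremisesSyncEnabled is assumed to match all AD-synced accounts.)
$syncedUsers = Get-MgUser -Filter "onPremisesSyncEnabled eq true" -All `
    -Property Id, UserPrincipalName, PasswordPolicies, LastPasswordChangeDateTime
foreach ($u in $syncedUsers) {
    if ($u.PasswordPolicies -like "*DisablePasswordExpiration*") {
        Update-MgUser -UserId $u.Id -PasswordPolicies "None"
        Write-Host "Cleared DisablePasswordExpiration for $($u.UserPrincipalName)"
    }
}

# 4. Verification: list synced users whose last password change is older than
#    90 days. After the change, these are the accounts that should now be forced
#    through a password reset on their next cloud sign-in.
$cutoff = (Get-Date).AddDays(-90)
$syncedUsers |
    Where-Object { $_.LastPasswordChangeDateTime -lt $cutoff } |
    Select-Object UserPrincipalName, LastPasswordChangeDateTime, PasswordPolicies
```

Run steps 1 and 4 first in read-only mode to see how many remote users are affected before enabling anything; the policy change takes effect on the cloud side only and does not alter the on-premises Group Policy.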
