AADC, SSPR, Password Writeback and Password Policies

Jennifer Williams 21 Reputation points
2021-02-05T22:07:10.65+00:00

I know that with SSPR, when a user changes their password Azure AD checks the "on-prem password policies" for synced accounts and does not let the synced user change their password if the new password does not meet the requirements.

My question is: what is the definition of "on-prem password policies"? I know it includes the policies set through the Default Domain GPO, and have seen articles supporting this idea. However, I have seen NO information in any article I have read about whether the definition of "on-prem password policies" in regard to SSPR includes the Fine Grained Password Policies I have set up in our domain. Will those User/Group specific policies be respected by the Azure AD environment during password reset/writeback operations? Is the password change limit based on ALL password policies in my on-prem domain (or just the GPO-based policies)?

Thank you for your help,
Jenny

Microsoft Entra ID

Accepted answer
  Siva-kumar-selvaraj 15,666 Reputation points
    2021-02-09T18:59:39.837+00:00

    Hello @Jennifer Williams, thanks for reaching out and sorry for the delayed response.

    Yes, SSPR relies on and abides by the on-premises Active Directory password policy. This policy includes the typical Active Directory domain password policy, as well as any defined, fine-grained password policies that are targeted to a user.

    When a user resets their password, it's checked to ensure it meets your on-premises AD DS policy before committing it to that directory. This review includes checking the history, complexity, age, password filters, and any other password restrictions that you define in AD DS.

    If the user's password hash is synchronized to Azure AD by using password hash synchronization, there's a chance that the on-premises password policy is weaker than the cloud password policy. In this case, the on-premises policy is enforced. This policy ensures that your on-premises policy is enforced in the cloud, no matter if you use password hash synchronization or federation to provide single sign-on.

    Refer to these articles to learn more about the SSPR concept:
    https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-writeback
    https://learn.microsoft.com/en-us/azure/active-directory/authentication/active-directory-passwords-faq

    --------------------------------------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

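As an added example (not part of the question or of the accepted answer), the PowerShell below resolves, for one synced user, the on-premises policy the answer describes: the fine-grained password policy that wins by precedence if one applies to the user, otherwise the Default Domain Policy. It then pre-checks a candidate password against that policy's minimum length and complexity settings, so an admin can predict whether SSPR writeback will accept it before the user tries. It uses only the ActiveDirectory module cmdlets Get-ADUser, Get-ADUserResultantPasswordPolicy and Get-ADDefaultDomainPasswordPolicy. The user name jwilliams and the candidate password are placeholders, and Test-WindowsComplexity is an approximation of the domain controller's complexity rule written for this example; history, minimum age and DC-side password filters (such as Azure AD Password Protection) are only evaluated by the DC itself, so the script reports those settings rather than checking them.

```powershell
#Requires -Modules ActiveDirectory
<#
  Added example, not code from the original post.
  Resolves the on-premises password policy SSPR writeback will run into for a
  synced user (resultant FGPP, else Default Domain Policy) and pre-checks a
  candidate password for length and complexity. History, minimum age and
  password filters are enforced on the DC and are only reported here.
  Placeholders: -SamAccountName jwilliams and the candidate password.
  Usage: .\Test-SsprPolicy.ps1 -SamAccountName jwilliams -CandidatePassword 'Example!2021'
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $SamAccountName,
    [Parameter(Mandatory)] [string] $CandidatePassword
)

function Test-WindowsComplexity {
    # Approximation (written for this example) of the DC complexity rule:
    # the password may not contain the sAMAccountName or any displayName
    # token of three or more characters (case-insensitive), and must use at
    # least three of five character categories. The fifth category (Unicode
    # letters that are neither upper nor lower case) is approximated as
    # "any non-ASCII character".
    param([string] $Password, [string] $Sam, [string] $DisplayName)

    if ($Sam -and $Password -imatch [regex]::Escape($Sam)) { return $false }
    foreach ($token in ($DisplayName -split '[ ,.\-_#\t]+')) {
        if ($token.Length -ge 3 -and $Password -imatch [regex]::Escape($token)) { return $false }
    }

    $categories = 0
    if ($Password -cmatch '[A-Z]')                                   { $categories++ }  # uppercase
    if ($Password -cmatch '[a-z]')                                   { $categories++ }  # lowercase
    if ($Password -cmatch '[0-9]')                                   { $categories++ }  # digits
    if ($Password -cmatch '[\x21-\x2F\x3A-\x40\x5B-\x60\x7B-\x7E]')  { $categories++ }  # ASCII symbols
    if ($Password -cmatch '[^\x00-\x7F]')                            { $categories++ }  # non-ASCII (approx.)
    return ($categories -ge 3)
}

# The synced user, with the attributes the complexity rule and the age report need.
$user = Get-ADUser -Identity $SamAccountName -Properties DisplayName, PasswordLastSet

# Resultant policy: the FGPP with the lowest Precedence value that applies to the
# user directly or via group membership. $null means no FGPP applies and the
# Default Domain Policy (the Default Domain GPO settings) is in force.
$policy = Get-ADUserResultantPasswordPolicy -Identity $user
if ($null -eq $policy) {
    $policy = Get-ADDefaultDomainPasswordPolicy
    $source = 'Default Domain Policy'
} else {
    $source = "Fine-grained policy '$($policy.Name)' (precedence $($policy.Precedence))"
}

# Checks this script can do offline. Complexity is only required when the
# resultant policy has it enabled.
$lengthOk     = $CandidatePassword.Length -ge $policy.MinPasswordLength
$complexityOk = (-not $policy.ComplexityEnabled) -or
                (Test-WindowsComplexity -Password $CandidatePassword `
                                        -Sam $user.SamAccountName `
                                        -DisplayName $user.DisplayName)

[pscustomobject]@{
    User                 = $user.SamAccountName
    PolicySource         = $source
    MinPasswordLength    = $policy.MinPasswordLength
    ComplexityEnabled    = $policy.ComplexityEnabled
    PasswordHistoryCount = $policy.PasswordHistoryCount   # enforced by the DC, not checkable here
    MinPasswordAge       = $policy.MinPasswordAge         # enforced by the DC
    PasswordLastSet      = $user.PasswordLastSet
    LengthOk             = $lengthOk
    ComplexityOk         = $complexityOk
    # Still subject to history, minimum age and any password filter on the DC.
    LikelyAcceptedOnPrem = ($lengthOk -and $complexityOk)
}
```

Run it as an account that can read the user object on a domain-joined machine with RSAT installed. A `LikelyAcceptedOnPrem` of `False` means the writeback attempt would be rejected by the DC on length or complexity grounds regardless of what the cloud password policy allows; `True` is only a necessary condition, since the DC also applies password history, minimum age and any installed password filters at commit time.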
