ADFS Password expiration notification and access

shaikh shoaib 171 Reputation points
2021-02-23T02:13:22.663+00:00

I would like to know if this
https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-to-send-password-expiry-claims
applies for AD on 2008 R2 domain and forest functional levels.

So far I know this is only for password expiration notification.

I also need to find out if there is a way ADFS can feed back M365/Azure AD password expiration status so that a remote user get blocked after a certain days their password expires and they will require to call support to reset.
Current situation is remote users can login to M365 services (via ADFS authentication to AD), if there password expires on-premise, they still can access those Microsoft services for a long time (think default value is 90days).
Thanks

Active Directory Federation Services
Active Directory Federation Services
An Active Directory technology that provides single-sign-on functionality by securely sharing digital identity and entitlement rights across security and enterprise boundaries.
1,222 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Pierre Audonnet - MSFT 10,171 Reputation points Microsoft Employee
    2021-02-23T02:46:25.387+00:00

    The claim rule to send the claim expiry will be working as long as the user used FBA or WH4B to authenticate (irrespective of the version of AD). This is just for notification in some applications (Exchange Online only as far I as recall). This is a feature to allow notification, it does not help or impact the lifetime of the user's token.

    By default, Azure AD Connect is synchronizing the pwdLastSet attribute of the users. So Azure AD knows when a password is supposed to expire. If you do not synchronize the attribute (because you customized the default rules - bad idea to start with), then the maximum age for token refresh is limited to 12 hours.

    Also, there is an endpoint in ADFS that can be used for users with an expired password (or with an account for which the box "User must change password at next logon" is checked). It is the URL https://......../adfs/portal/updatepassword. It is disabled by default and needs to be enabled. It does not help all the time though. But it does exist.