This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(92.8, 28.000000000000004%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
I would like to know if this
https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-to-send-password-expiry-claims
applies for AD on 2008 R2 domain and forest functional levels.
So far I know this is only for password expiration notification.
I also need to find out if there is a way ADFS can feed back M365/Azure AD password expiration status so that a remote user get blocked after a certain days their password expires and they will require to call support to reset.
Current situation is remote users can login to M365 services (via ADFS authentication to AD), if there password expires on-premise, they still can access those Microsoft services for a long time (think default value is 90days).
Thanks
The claim rule to send the claim expiry will be working as long as the user used FBA or WH4B to authenticate (irrespective of the version of AD). This is just for notification in some applications (Exchange Online only as far I as recall). This is a feature to allow notification, it does not help or impact the lifetime of the user's token.
By default, Azure AD Connect is synchronizing the pwdLastSet attribute of the users. So Azure AD knows when a password is supposed to expire. If you do not synchronize the attribute (because you customized the default rules - bad idea to start with), then the maximum age for token refresh is limited to 12 hours.
Also, there is an endpoint in ADFS that can be used for users with an expired password (or with an account for which the box "User must change password at next logon" is checked). It is the URL https://......../adfs/portal/updatepassword. It is disabled by default and needs to be enabled. It does not help all the time though. But it does exist.
event though PHS is enabled via AD Connect, the domains are federated. So will the pwd last set will work on default sync settings?
And the claim rule just allow the remote users to reset their passwords? Or their access will get blocked as well? This is what I am trying to achieve
You can see if the values exist in Azure AD:
Get-MsolUser -All:$true | Select-Object UserPrincipalName,LastPasswordChangeTimestamp
The claim rules are just to allow OWA (and maybe other EXO based apps) to show a pop-up to the user saying the password is about it expire. That's it. Then if they go to the password update page of ADFS, they could update it there.
Password update requires the knowledge of the current password. Password reset doesn't. If users cannot do the password udpate, then they need to either call helpdesk for them to reset it or use the self service password reset.
If a user's password has expired, or if the account has been disabled on-prem, then the user will no longer have access to the applications protected by Azure AD. There might be some latency as some tokens might have been issued already, but those won't be renewed.
Somemore info about token validiy and possible way to shorten them when a security events arose: https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-continuous-access-evaluation