ForceStrong-1434 asked amanpreetsingh-msft commented

Password Policy Requirements Enforced and Synced From AAD to AD

So we are going to force our users to change their passwords every 90 days. I have password sync turned on and working from Azure AD to our on-prem AD. This works perfectly and allows our users to change their passwords in the cloud and then have them synced over to AD. What is not working is the password policy requirements I set up in on-prem AD Group Policies. Our staff can make any kind of password without restrictions. All of our devices are Workgroup joined in Azure/Intune. We do not have domain-joined machines. Does anyone have any ideas for how we can force password requirements through Intune/Azure/Microsoft? We are at a loss right now. ![81923-screenshot-2021-03-26-110659.png][1] ![81908-screenshot-2021-03-26-110659.png][2] [1]: /answers/storage/attachments/81923-screenshot-2021-03-26-110659.png [2]: /answers/storage/attachments/81908-screenshot-2021-03-26-110659.png

Tags: azure-active-directory, azure-ad-conditional-access, azure-ad-password-hash-sync

1 Answer

amanpreetsingh-msft answered amanpreetsingh-msft commented

Hi @ForceStrong-1434 · Thank you for reaching out.

As the devices are not domain joined, password policies defined in Group Policies won't apply. You need to configure the password expiration policy in Azure AD by using the following cmdlet (the -DomainName parameter is required; replace the placeholder with your verified tenant domain):

```powershell
Set-MsolPasswordPolicy -DomainName <your-domain.com> -ValidityPeriod 90 -NotificationDays 14
```

Keep in mind that the password expiration policy configured in Azure AD is not by default applied to the synced user accounts. To apply the Azure AD Password Expiration Policy to the users synced from on-premises AD, use the cmdlet below (the -Enable switch is required to turn the feature on):

```powershell
Set-MsolDirSyncFeature -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers -Enable $true
```

Read more: EnforceCloudPasswordPolicyForPasswordSyncedUsers


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


I'm a little new at this and am not sure where I do the PowerShell commands... Can I do it from my laptop or do I do it from the server that AD Connect is installed?


Hi @ForceStrong-1434 · You can run these cmdlets from your laptop after installing the MSOnline module.

  1. Run Install-Module MSOnline

  2. Run Connect-MsolService and sign in using Global Administrator account.

  3. Run the Set-MsolPasswordPolicy and Set-MsolDirSyncFeature cmdlets as mentioned in my above answer.


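Putting the answer and the follow-up steps together, the script below is an added example (not code from the original thread or from Microsoft) that applies the expiration policy, turns on enforcement for password-hash-synced users, reads both settings back to confirm they took, and then lists synced users whose current password is already older than the validity period, so you know who will be prompted first. It assumes the MSOnline module is installed, that you sign in as a Global Administrator when prompted, and that `contoso.com` is a placeholder you replace with your own verified domain; `$ValidityDays` and `$NotifyDays` are the values from the answer.

```powershell
# Added example, not part of the original thread. Assumes: MSOnline module
# installed (Install-Module MSOnline), Global Administrator sign-in, and a
# verified tenant domain in $DomainName (placeholder below).
$DomainName   = 'contoso.com'   # placeholder: replace with your own domain
$ValidityDays = 90              # password validity period from the answer
$NotifyDays   = 14              # days before expiry the user is warned

Connect-MsolService

# 1. Expiration policy is set per verified domain, so -DomainName is required.
Set-MsolPasswordPolicy -DomainName $DomainName `
    -ValidityPeriod $ValidityDays -NotificationDays $NotifyDays

# 2. Without this feature the cloud policy ignores accounts synced from AD.
#    -Force suppresses the confirmation prompt.
Set-MsolDirSyncFeature -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers `
    -Enable $true -Force

# 3. Read both settings back rather than trusting that the calls succeeded.
$policy  = Get-MsolPasswordPolicy -DomainName $DomainName
$feature = Get-MsolDirSyncFeature -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers
'{0}: validity {1} days, notification {2} days' -f $DomainName, $policy.ValidityPeriod, $policy.NotificationDays
'EnforceCloudPasswordPolicyForPasswordSyncedUsers enabled: {0}' -f $feature.Enabled

# 4. Pre-rollout report: synced users (ImmutableId is set only for synced
#    accounts) whose last password change is older than the validity period.
Get-MsolUser -All |
    Where-Object { $_.ImmutableId -and -not $_.PasswordNeverExpires -and $_.LastPasswordChangeTimestamp } |
    ForEach-Object {
        $age = (Get-Date) - $_.LastPasswordChangeTimestamp
        [pscustomobject]@{
            User            = $_.UserPrincipalName
            PasswordAgeDays = [int]$age.TotalDays
            PastValidity    = $age.TotalDays -gt $ValidityDays
        }
    } |
    Sort-Object PasswordAgeDays -Descending |
    Format-Table -AutoSize
```

Two things to check before running it in production: accounts with PasswordNeverExpires set (service accounts, break-glass admins) are excluded from the report on purpose and will not be affected by the policy, so review that list separately; and MSOnline is the legacy module, so on a tenant where it is no longer available the same domain-level settings are exposed through Microsoft Graph PowerShell (Update-MgDomain), which you would script in the same shape.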