Azure AD Sync two sets of user identities and passwords

Tom Mee 1 Reputation point
2021-05-11T13:51:40.497+00:00

Our organization is looking to implement on-premises Active Directory as a single source of authority for account management. We currently have two separate accounts for each user. One account is in Azure and logs them into our services within M365.

Another separate account logs them into our on-premises domain and local applications that are not in the cloud. We have installed AD sync and have tested with a few users, and it seems to be working. What we are struggling with is password sync: the current Azure password expiration policy is set to 365 days, while the on-premises one is set to 120 days. When a customer calls in with a password change request, the service desk changes both to keep them in sync.

My question is: if we sync all on-premises users to Azure AD, will the cloud password policy still come into play? My thought is that it won't, but I'm looking for confirmation from someone who may have done this. If I turn off password expiration in the cloud, does that automatically lock in the existing passwords, and when we sync the on-premises accounts, will those passwords become the authoritative passwords and allow access to M365 services?

Thanks


2 answers

  1. Tom Mee 1 Reputation point
    2021-05-12T21:56:32.253+00:00

    Hello James,

    Thank you for the reply. Apologies because I didn't explain very well. I'm in a situation where my company has been creating two identities for users. One identity with password is in Azure; the second identity is in on-premises AD.

    I am looking to use on-premises AD as the "source of authority" going forward. I have set up AADSync with Azure and was concerned about what will happen when I sync the on-premises account with Azure.

    Will an on-premises account overwrite the cloud account, making the password policy in Azure invalid because they are no longer technically Azure accounts? My assumption is yes, but I was looking for confirmation before I start rolling this out.

    I am matching UPNs from on-premises to Azure so that I don't accidentally create two accounts. We will also be implementing a weekend password change event, and the expectation is that the user will have to sign in twice with their on-premises AD password, for both the local profile and for their O365 application.

    Thanks,
    Tom

