Password Expiry Sync and Password Hash Sync

DaNmAN 201 Reputation points
2021-06-20T14:09:04.15+00:00

Hi

We utilise a Hybrid AD Azure setup in our org and we are removing the disablepasswordexpiration policy from accounts within the scope of password hash synchronisation. This will ensure that if a password expires on prem then it will also expire in the cloud.

We are not forcing a password change for all users to minimise the disruption. We understand in this case that we will have an inconsistent estate. Once we remove the disablepasswordexpiration policy from our accounts the policy is only removed once that account has its password changes on prem.

The documentation for this can be found here

https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-password-hash-synchronization#enforcecloudpasswordpolicyforpasswordsyncedusers

The documentation for this is ok but it seems to be missing a valuable piece of information.

If we look at the following link for SSPR we see the following warning

https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy

Passwords set to -PasswordPolicies DisablePasswordExpiration still age based on the pwdLastSet attribute. Based on the pwdLastSet attribute, if you change the expiration to -PasswordPolicies None, all passwords that have a pwdLastSet older than 90 days require the user to change them the next time they sign in. This change can affect a large number of users.

This is relevant to our change so it should be on the actual documentation for that change.

That aside I have a question about this warning.

Does this mean that after we make this change any user that has has a pwdlastest set date of more than 90 days will be forced to change their password via the cloud or via on prem? Or both?

We have users only only log in via cloud so because the disablepasswordexpiration policy is currently in place these users have never updated their password. So when we make this change will these users then attempt to access cloud resources and be advised that their password has expired?

Or will they need their password changed on prem for the disablepasswordexpiration policy to be removed as per the documentation for this change?

The answer to this question will allow us as an organisation to plan how we deal with these users.

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,418 questions
{count} vote