Password Expiry Sync and Password Hash Sync

DaNmAN 201 Reputation points
2021-06-20T14:09:04.15+00:00

Hi

We utilise a Hybrid AD Azure setup in our org and we are removing the disablepasswordexpiration policy from accounts within the scope of password hash synchronisation. This will ensure that if a password expires on prem then it will also expire in the cloud.

We are not forcing a password change for all users to minimise the disruption. We understand in this case that we will have an inconsistent estate. Once we remove the disablepasswordexpiration policy from our accounts, the policy is only removed once that account has its password changed on prem.

The documentation for this can be found here:

https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-password-hash-synchronization#enforcecloudpasswordpolicyforpasswordsyncedusers

The documentation for this is ok but it seems to be missing a valuable piece of information.

If we look at the following link for SSPR we see the following warning:

https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy

Passwords set to -PasswordPolicies DisablePasswordExpiration still age based on the pwdLastSet attribute. Based on the pwdLastSet attribute, if you change the expiration to -PasswordPolicies None, all passwords that have a pwdLastSet older than 90 days require the user to change them the next time they sign in. This change can affect a large number of users.

This is relevant to our change so it should be on the actual documentation for that change.

That aside I have a question about this warning.

Does this mean that after we make this change any user that has a pwdLastSet date of more than 90 days will be forced to change their password via the cloud or via on prem? Or both?

We have users who only log in via the cloud, so because the disablepasswordexpiration policy is currently in place these users have never updated their password. So when we make this change, will these users then attempt to access cloud resources and be advised that their password has expired?

Or will they need their password changed on prem for the disablepasswordexpiration policy to be removed as per the documentation for this change?

The answer to this question will allow us as an organisation to plan how we deal with these users.
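Added example, not part of the original question or of Microsoft's documentation: a PowerShell impact report that the planning step above calls for. The quoted SSPR warning says that once PasswordPolicies changes from DisablePasswordExpiration to None, cloud-side expiry is judged on the on-prem pwdLastSet attribute against the 90-day default. This script reads pwdLastSet for the synced accounts and lists which users would already be past that age (and which have pwdLastSet = 0, i.e. "must change password at next logon"), so the affected population is known before the policy is removed. It assumes the RSAT ActiveDirectory module, an OU that matches the PHS scope (the OU distinguished name and the 90-day value are placeholders to adjust), and optionally the MSOnline module for the cloud-side cross-check.

```powershell
# Added example (not the original poster's code, not Microsoft's): impact
# assessment before switching PasswordPolicies from DisablePasswordExpiration
# to None for password-hash-synced users.
# Assumptions: RSAT ActiveDirectory module installed; $SearchBase covers the
# accounts in PHS scope; $MaxPasswordAgeDays matches the cloud policy (90 in
# the quoted SSPR warning). MSOnline section is optional and assumes
# Connect-MsolService has already been run.
Import-Module ActiveDirectory

$MaxPasswordAgeDays = 90                                   # assumed cloud max age
$SearchBase         = 'OU=SyncedUsers,DC=contoso,DC=com'   # placeholder OU
$NowUtc             = (Get-Date).ToUniversalTime()

# Pull enabled users in scope with the raw pwdLastSet FILETIME value.
$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
            -Properties pwdLastSet, PasswordNeverExpires, mail

$report = foreach ($u in $users) {
    if ($u.pwdLastSet -eq 0) {
        # Edge case: 0 means the on-prem flag "must change password at next
        # logon" is set; there is no age to compute for these accounts.
        $lastSet = $null
        $ageDays = $null
        $status  = 'MustChangeAtNextLogon'
    }
    else {
        $lastSet = [DateTime]::FromFileTimeUtc($u.pwdLastSet)
        $ageDays = [int]($NowUtc - $lastSet).TotalDays
        $status  = if ($ageDays -gt $MaxPasswordAgeDays) { 'PastCloudMaxAge' }
                   else                                   { 'WithinCloudMaxAge' }
    }

    [PSCustomObject]@{
        UserPrincipalName    = $u.UserPrincipalName
        Mail                 = $u.mail
        PasswordNeverExpires = $u.PasswordNeverExpires   # on-prem flag, for reference
        PwdLastSetUtc        = $lastSet
        AgeDays              = $ageDays
        Status               = $status
    }
}

# Headline numbers: how many accounts would be prompted to change on next
# cloud sign-in once the policy is removed.
$report | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize

# Detailed list of the affected users, oldest passwords first, for the
# communication/rollout plan.
$report |
    Where-Object { $_.Status -ne 'WithinCloudMaxAge' } |
    Sort-Object AgeDays -Descending |
    Export-Csv -Path '.\password-expiry-impact.csv' -NoTypeInformation

# Optional cloud-side cross-check (assumes MSOnline module and an existing
# Connect-MsolService session): which synced users currently carry the
# DisablePasswordExpiration value that the change will remove.
if (Get-Module -ListAvailable -Name MSOnline) {
    Import-Module MSOnline
    Get-MsolUser -All |
        Where-Object { $_.PasswordPolicies -eq 'DisablePasswordExpiration' } |
        Select-Object UserPrincipalName, LastDirSyncTime, PasswordPolicies |
        Export-Csv -Path '.\cloud-disablepasswordexpiration.csv' -NoTypeInformation
}
```

Run it read-only first (it changes nothing in AD or Entra ID); the two CSVs give the on-prem "already past 90 days" population and the cloud-side "still flagged DisablePasswordExpiration" population, which is exactly the overlap that needs a communication plan before the policy value is switched.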
