Password Policy Hybrid Join Devices

Swati Arora 141 Reputation points
2021-10-01T07:29:58.397+00:00

Hi All,

Just need a bit of clarity on password policies for hybrid joined devices.

Azure AD Connect is in place with password hash synchronization.

Considering that local password policies take precedence over Azure AD password policies, why are users not getting password expiration notifications?

Also, what if we want to enable Azure AD SSPR and also enable the password writeback feature in Azure AD Connect to achieve SSPR. Does that work seamlessly, or is there any unexpected/unusual behavior?

Thanks

Microsoft Entra ID

Accepted answer
    AmanpreetSingh-MSFT 56,286 Reputation points
    2021-10-01T08:36:25.333+00:00

    Hi @Swati Arora, thank you for reaching out.

    Considering that local password policies take precedence over Azure AD password policies, why are users not getting password expiration notifications?

    Local password policies take precedence over Azure AD password policies when SSPR and Password Writeback are enabled. For on-premises users with password hash synchronization enabled, the cloud account password is set to Never Expire by default. This means that if the password has expired in your on-premises environment, users can still sign in to cloud applications by using the synchronized password that has expired in on-premises AD. The password gets updated in Azure AD the next time the user changes his/her password in the on-premises environment. This is why users don't get a password expiry notification before the password expiration in local AD. However, in this case you may consider setting the Azure AD password expiration and expiry notification to the same values as your on-premises AD by using the command below:

    Set-MsolPasswordPolicy -ValidityPeriod 60 -NotificationDays 14 -DomainName "example.com"

    And then use following cmdlet to apply the same cloud password policy to synced users as well:

    Set-MsolDirSyncFeature -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers -Enable $true

    Read more: Password policy considerations

    Also, what if we want to enable Azure AD SSPR and also enable the password writeback feature in Azure AD Connect to achieve SSPR. Does that work seamlessly, or is there any unexpected/unusual behavior?

    As of now, there are no known issues with Azure AD SSPR and Password Writeback feature and it is safe to implement these features.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
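A PowerShell check to run before applying the two cmdlets from the answer, as an added example that is not part of the original answer or of Microsoft's documentation. It assumes the MSOnline module is installed and Connect-MsolService has already been run, and it reuses the answer's placeholder domain example.com. It reports the current cloud policy, whether the cloud policy is already enforced for synced users, and which synced accounts already have a password older than the cloud validity period (those are the accounts that will start expiring in the cloud once the feature is enabled, so review them first).

```powershell
# Added example: audit the cloud password policy for hash-synced users before enforcing it.
# Assumes: Import-Module MSOnline; Connect-MsolService already done. Domain is a placeholder.
$DomainName = "example.com"

# 1. Current cloud password policy for the domain (both values are in days).
$policy = Get-MsolPasswordPolicy -DomainName $DomainName
"Cloud policy for {0}: validity {1} days, notification {2} days before expiry" -f `
    $DomainName, $policy.ValidityPeriod, $policy.NotificationDays

# 2. Is the cloud policy already applied to password-hash-synced users?
$feature = Get-MsolDirSyncFeatures -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers
"EnforceCloudPasswordPolicyForPasswordSyncedUsers enabled: {0}" -f $feature.Enabled

# 3. Synced users (ImmutableId is set only for accounts that came from on-prem AD) whose
#    last password change is older than the cloud validity period. These accounts would
#    be expired in the cloud as soon as the feature is enabled, so they need review first.
$now    = Get-Date
$cutoff = $now.AddDays(-$policy.ValidityPeriod)
$stale  = Get-MsolUser -All |
    Where-Object {
        $_.ImmutableId -and
        $_.LastPasswordChangeTimestamp -and
        $_.LastPasswordChangeTimestamp -lt $cutoff
    } |
    Select-Object UserPrincipalName, LastPasswordChangeTimestamp, PasswordNeverExpires,
        @{ Name = 'PasswordAgeDays'
           Expression = { [int]($now - $_.LastPasswordChangeTimestamp).TotalDays } } |
    Sort-Object PasswordAgeDays -Descending

"{0} synced user(s) already exceed the {1}-day validity period:" -f @($stale).Count, $policy.ValidityPeriod
$stale | Format-Table -AutoSize

# 4. Only after the list above has been reviewed, align the cloud policy with on-prem AD
#    and apply it to synced users (the two cmdlets from the answer, left commented out here).
# Set-MsolPasswordPolicy -ValidityPeriod 60 -NotificationDays 14 -DomainName $DomainName
# Set-MsolDirSyncFeature -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers -Enable $true
```

Get-MsolUser -All can take a while in a large tenant; the filter on ImmutableId keeps cloud-only accounts, which the feature does not affect, out of the report.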

