EnforceCloudPasswordPolicyForPasswordSyncedUser with a federated domain

RT-7199 511 Reputation points
2021-10-08T16:07:58.067+00:00

We already have Password Hash sync enabled and domain is federated but EnforceCloudPasswordPolicyForPasswordSyncedUser is set to False.

Do/Can we set EnforceCloudPasswordPolicyForPasswordSyncedUser for a federated domain, to match the password policy with on-prem.

I can run Set-MsolDirSyncFeature -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers -Enable $true but does that even do anything or will it create conflict if on-prem expiration policy is different for a federated domain.

Get-MsolPasswordPolicy  -DomainName "contoso.com" command doesn't work and I would assume Set-MsolPasswordPolicy would also not work.

I can however run it for "contoso.onmicrosoft.com" which is a managed domain.

If EnforceCloudPasswordPolicyForPasswordSyncedUser is not to be used on federated, what happens when user only authenticates to an Enterprise Application but does not redirect to ADFS and is authenticated by Azure AD itself but on-prem password is expired.

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,581 questions
{count} votes

1 answer

Sort by: Most helpful
  1. AmanpreetSingh-MSFT 56,506 Reputation points
    2021-10-11T14:54:57.003+00:00

    Hi @RT-7199 • Thank you for reaching out. Please find my comments inline.

    Do/Can we set EnforceCloudPasswordPolicyForPasswordSyncedUser for a federated domain, to match the password policy with on-prem.

    EnforceCloudPasswordPolicyForPasswordSyncedUser is a tenant level setting and will apply cloud password policies to all synced users with password hash synced to cloud, regardless of whether domain is federated or not.

    I can run Set-MsolDirSyncFeature -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers -Enable $true but does that even do anything or will it create conflict if on-prem expiration policy is different for a federated domain.

    This setting won't have any impact if users are authenticated via on-premises federation server because the password validation will not happen against Azure AD. Whenever, password is changed on-premises, password hash get synced to cloud. If you are setting EnforceCloudPasswordPolicyForPasswordSyncedUsers to true, Microsoft recommendation is to keep same password expiration value at both cloud and on-premises.

    If EnforceCloudPasswordPolicyForPasswordSyncedUser is not to be used on federated, what happens when user only authenticates to an Enterprise Application but does not redirect to ADFS and is authenticated by Azure AD itself but on-prem password is expired.

    When you configure Azure AD policy to perform cloud authentication for federated users for a specific enterprise application, users are not redirected to federation server and authenticate directly from Azure AD. In the scenario where password expiration policy is conflicting and user's password is expired on-premises but have not been reset yet, he/she can still login using Azure AD credentials because password validation is being performed against Azure AD and the password is expired in on-premises but not in Azure AD. This is why the best practice is to keep password expiration same and configure password writeback if you are using SSPR in Azure AD.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.