Does DisablePasswordExpiration override tenant password expiration policy in Entra ID?

Question

RB 0

In EntraID,

If a user account has PasswordPolicies set to DisablePasswordExpiration, will changing the tenant-wide password expiration policy to 365 days override that per-user attribute?
what if you set "PasswordPolicies = DisablePasswordExpiration" first and then set the tenant-wide password expiration policy to 365 days, will the latter override the DisablePasswordExpiration?

1 answer

Answer 1

No. The per-user PasswordPolicies = DisablePasswordExpiration setting is not overridden by changing the tenant/domain-wide password expiration policy (for example, to 365 days). The domain-level policy controls the maximum password age for accounts that are subject to expiration, but DisablePasswordExpiration explicitly prevents that user’s password from expiring. The documentation states that:
- Password expiry duration (maximum password age) is configured per domain via Update-MgDomain -PasswordValidityPeriodInDays.
- “Password expiry (Let passwords never expire)” is configured per user via Update-MgUser -PasswordPolicies DisablePasswordExpiration.
These are separate controls: the domain policy defines the general expiration window; the per-user DisablePasswordExpiration flag exempts that user from expiration.
The order does not change the behavior. If PasswordPolicies = DisablePasswordExpiration is set on a user first, and then the tenant/domain password expiration policy is changed (for example, from 90 to 365 days), the per-user DisablePasswordExpiration still applies and the user’s password does not expire according to the domain maximum age. To make such a user subject to the tenant/domain expiration policy, the DisablePasswordExpiration value must be removed from the user (for example, Update-MgUser -PasswordPolicies None or equivalent Set-EntraUser usage).

References: