Disable Password expired policy for all users

J-3804 1,601 Reputation points
2021-12-07T23:34:48.887+00:00

Hi Team,

We would like to disable the password expired policy for all users in the O365 admin center. But we are wondering if there are any recommendations or impact as most of our users are synced with Active Directory on-premises, less than 10% are fully cloud.
Please let me know if there is any impact or recommendation before disabling the password expired policy.

Thank you for your help,

Microsoft Security | Microsoft Entra | Microsoft Entra ID

2 answers

  1. Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator
    2021-12-08T00:22:51.737+00:00

    For your scenario this is pretty easy. By default, passwords are set to never expire. As mentioned in the documentation, this is the recommended setting because research shows that mandatory password changes cause more harm than good by encouraging people to choose weaker passwords.

    When password hash synchronization is enabled, the password complexity policies in your on-premises Active Directory instance override complexity policies in the cloud for synchronized users. You can use all of the valid passwords from your on-premises Active Directory instance to access Azure AD services. But passwords for users that are created directly in the cloud are still subject to password policies as defined in the cloud.

    The portal setting of "set password to never expire" only applies to cloud-only users, but if you utilize password hash synchronization and set the same policy on premises then you should not have an issue. Since you're not trying to implement any conflicting policies, you can make sure the on-premises policy for your domain is also set to "never expire."

    https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-password-hash-synchronization

    If you were trying to set different policies for different users you would have a more complicated setup, but what you're describing is pretty straightforward. It's recommended to implement other safeguards such as MFA to ensure that the accounts remain secure, but I wouldn't worry about anything else breaking as long as your policies are consistent.

    Let me know if this helps at all.


  2. J-3804 1,601 Reputation points
    2021-12-08T22:23:24.653+00:00

    Thank you, Marilee, for your help, but can we set passwords to not expire only for cloud accounts and not for synced accounts online (Active Directory accounts)? Is there any impact if we proceed like that? We want to set passwords to not expire only for cloud accounts, not for on-premises accounts.

    Regards,

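The split the first answer describes (the portal setting governs cloud-only accounts, the on-premises policy governs synced ones) can be audited per account before changing anything. The PowerShell below is an added example, not part of the original thread or Microsoft's own code; the function name `Get-PasswordExpirySource` and the sample accounts are hypothetical, and the input objects are assumed to carry the Microsoft Graph user properties `OnPremisesSyncEnabled` and `PasswordPolicies`.

```powershell
# Added example (not from the thread): report which policy governs each account.
function Get-PasswordExpirySource {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        # Tenant passwordValidityPeriodInDays; 2147483647 means "never expire".
        [int] $CloudValidityDays = 2147483647
    )
    process {
        $synced = $User.OnPremisesSyncEnabled -eq $true
        # PasswordPolicies is a comma-separated string, e.g. "None" or
        # "DisablePasswordExpiration, DisableStrongPassword".
        $noExpiryFlag = @("$($User.PasswordPolicies)" -split ',' |
            ForEach-Object { $_.Trim() }) -contains 'DisablePasswordExpiration'
        if ($synced) {
            # Synced account: the portal setting does not apply to it.
            $governedBy  = 'On-premises AD policy'
            $cloudExpiry = 'n/a (check on-premises policy)'
        } elseif ($noExpiryFlag -or $CloudValidityDays -eq 2147483647) {
            $governedBy  = 'Cloud policy'
            $cloudExpiry = 'Never expires'
        } else {
            $governedBy  = 'Cloud policy'
            $cloudExpiry = "Expires after $CloudValidityDays days"
        }
        [pscustomobject]@{
            UserPrincipalName = $User.UserPrincipalName
            Synced            = $synced
            GovernedBy        = $governedBy
            CloudExpiry       = $cloudExpiry
        }
    }
}

# Constructed sample accounts (hypothetical, not real tenant data).
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'cloud1@contoso.example'; OnPremisesSyncEnabled = $null; PasswordPolicies = 'None' }
    [pscustomobject]@{ UserPrincipalName = 'cloud2@contoso.example'; OnPremisesSyncEnabled = $null; PasswordPolicies = 'DisablePasswordExpiration' }
    [pscustomobject]@{ UserPrincipalName = 'synced1@contoso.example'; OnPremisesSyncEnabled = $true; PasswordPolicies = 'None' }
)
$sample | Get-PasswordExpirySource -CloudValidityDays 90 | Format-Table -AutoSize

# Read-only run against a tenant (assumes the Microsoft Graph PowerShell SDK):
#   Connect-MgGraph -Scopes 'User.Read.All','Domain.Read.All'
#   $days = (Get-MgDomain | Where-Object IsDefault).PasswordValidityPeriodInDays
#   Get-MgUser -All -Property UserPrincipalName,OnPremisesSyncEnabled,PasswordPolicies |
#       Get-PasswordExpirySource -CloudValidityDays $days
# On-premises side (ActiveDirectory module): Get-ADDefaultDomainPasswordPolicy
#   reports MaxPasswordAge; a value of 00:00:00 means passwords never expire.
```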
