How to make a specific password expiration policy for a specific group of users in azure ?

Question

How to make a specific password expiration policy for a specific group of users in azure ?

Mohamed Soliman 46

How to create different password policies for users and choose a policy for every user

Siva-kumar-selvaraj 15,721 Reputation points

2022-01-07T17:27:31.967+00:00

@Mohamed Soliman , I would want to check in and see if you had any other questions. Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

Accepted answer

1 additional answer

Your answer

Siva-kumar-selvaraj 15,721 Reputation points

2022-01-07T17:27:31.967+00:00

@Mohamed Soliman , I would want to check in and see if you had any other questions. Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

Answer 1

Siva-kumar-selvaraj 15,721

@Mohamed Soliman ,

Thanks for reaching out.

You can customize password expiration policy for cloud only users from M365 admin centers' Security & privacy tab or using Azure AD cmdlet Set-MsolPasswordPolicy which applies to all user accounts that are created and managed directly in Azure AD but unfortunately we cannot make a specific password expiration policy for a specific group of users.

The Azure AD password policy doesn't apply to user accounts synchronized from an on-premises AD DS environment using Azure AD Connect, unless you enable EnforceCloudPasswordPolicyForPasswordSyncedUsers.

Refer to the following articles to learn more:

Azure AD password policies
Set the password expiration policy for your organization

Hope this helps.

-----
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Mohamed Soliman 46 Reputation points

2022-01-03T23:04:27.62+00:00

Thanks for help
According to the following document we can specify the password policy as in the example for "Disablepasswordexpiration" or None
https://learn.microsoft.com/en-us/microsoft-365/admin/add-users/set-password-to-never-expire?view=o365-worldwide
so can i create a policy like "disablepasswordexpiration in somewhere else and mention in the 'set-aduser' command
like : Set-AzureADUser -ObjectId <user ID> -PasswordPolicies "Managerspolicy"
or does it refer to a specific set of policies?
Siva-kumar-selvaraj 15,721 Reputation points

2022-01-06T21:02:29.857+00:00

No, when you use Set-AzureADUser cmdlet, Azure AD only accept following two values either "Disablepasswordexpiration" or "None" for "-PasswordPolicies" property which can be updated to a specific users.

Assume you set the value to "Disablepasswordexpiration" which means that users' passwords will never expire, therefore in this situation, Azure AD will simply grant an exception for specific users from the default Password expiry policy (which is 90 days).

If you wanted to revert to the default Password policy then you use "None" value instead so that the user relies on default policy.

So, The Set-AzureADUser cmdlet is used to give some exception to individual users from default policy rather than creating a set of policies. Hope this helps.
venkatesh Gurvindapalli 0 Reputation points

2023-08-04T13:07:40.92+00:00

Hello All,

Please find the below commands
https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy

Check the single user status using below command:

Get-AzureADUser -ObjectId <userID> | fl UserPrincipalName,passwordpolicies

Answer 2

Ravi Kanth Koppala 3,311 Microsoft Employee

@Mohamed Soliman ,

By creating custom password policies, you can create a specific password expiration policy for a specific group, location on Azure active directory domain services. To do this, you must be signed in to a user account that's a member of the AAD DC Administrators group.

For more details read the document - https://learn.microsoft.com/en-us/azure/active-directory-domain-services/password-policy#default-password-policy-settings

(If the reply was helpful please don't forget to upvote and/or accept as the answer, thank you)

CarlZhao-MSFT 46,316 Reputation points

2022-01-03T08:07:45.027+00:00

Hi @Mohamed Soliman Would you please provide us with an update on the status of your issue?
Mohamed Soliman 46 Reputation points

2022-01-03T08:43:23.223+00:00

Thank you, i'm applying the policy and i'll update you asap
Does it effect Azure and office 365 login or only the machines joining the AADDS ?
is there a way i can se for office365 cloud-only account?
CarlZhao-MSFT 46,316 Reputation points

2022-01-03T09:09:25.04+00:00

Hi dear @RaviKanth-5629 Do you have any good suggestions?
Siva-kumar-selvaraj 15,721 Reputation points

2022-01-03T20:57:39.85+00:00

@Mohamed Soliman , The above-mentioned reference is only for machines that are joined of the Azure AD domain Services environment.

You can customize password expiration policy for cloud only users from M365 admin centers' Security & privacy tab or using Azure AD cmdlet Set-MsolPasswordPolicy which applies to all user accounts that are created and managed directly in Azure AD but unfortunately we cannot make a specific password expiration policy for a specific group of users.

The Azure AD password policy doesn't apply to user accounts synchronized from an on-premises AD DS environment using Azure AD Connect, unless you enable EnforceCloudPasswordPolicyForPasswordSyncedUsers.

Refer to the following articles to learn more:

Azure AD password policies
Set the password expiration policy for your organization

Hope this helps.

Share via

How to make a specific password expiration policy for a specific group of users in azure ?

1 additional answer

Your answer