AD and Azure AD password sync policy

Sakaldeep Yadav 161 Reputation points MVP
2022-01-27T15:14:53.64+00:00

We have three sets of password expiration policies (60 days, 180 days and no expiration) in on-prem AD. When we sync to Azure AD, can we get the same password expiration policy in Azure AD? Thanks.


2 answers

  1. Alan Kinane 16,786 Reputation points MVP
    2022-01-27T15:36:48.947+00:00

    If you are syncing your password hashes, then the synced accounts will use the on-premises Active Directory password policies. This does not carry over the password expiry policy, as the Azure AD account passwords are set to never expire here. However, if you are forcing users to change passwords on-premises after xx days, then this will update their Azure AD password once the password is changed anyway.

    https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-password-hash-synchronization#password-complexity-policy


    1 person found this answer helpful.

  2. Vasil Michev 95,666 Reputation points MVP
    2022-01-27T15:37:19.587+00:00

    In Azure AD, password expiration policies are configured per-domain, as detailed here: https://learn.microsoft.com/en-us/microsoft-365/admin/manage/set-password-expiration-policy?view=o365-worldwide
    If you want more granular control, consider using authentication methods such as password-hash sync or pass-through authentication, which will respect your on-premises policies.

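
An added example, not part of the original thread or any Microsoft tooling: because the first answer notes that synced accounts' Azure AD passwords are set to never expire, this audit lists synced accounts whose last password change is older than the on-premises maximum age that applies to them. The user records and the `maxAgeDays` field are constructed for illustration; `onPremisesSyncEnabled`, `passwordPolicies` and `lastPasswordChangeDateTime` are Microsoft Graph user properties.

```python
import json
from datetime import datetime, timezone

# Constructed sample shaped like Microsoft Graph user records. "maxAgeDays" is a
# hypothetical field added for this example: the on-premises maximum password
# age that applies to the account (60, 180, or null for "no expiration").
SAMPLE_USERS = json.loads("""[
  {"userPrincipalName": "alice@example.com", "onPremisesSyncEnabled": true,
   "passwordPolicies": "DisablePasswordExpiration",
   "lastPasswordChangeDateTime": "2021-10-01T09:00:00Z", "maxAgeDays": 60},
  {"userPrincipalName": "bob@example.com", "onPremisesSyncEnabled": true,
   "passwordPolicies": "DisablePasswordExpiration, DisableStrongPassword",
   "lastPasswordChangeDateTime": "2021-06-01T09:00:00Z", "maxAgeDays": 180},
  {"userPrincipalName": "carol@example.com", "onPremisesSyncEnabled": true,
   "passwordPolicies": "DisablePasswordExpiration",
   "lastPasswordChangeDateTime": "2020-01-01T09:00:00Z", "maxAgeDays": null},
  {"userPrincipalName": "dave@example.com", "onPremisesSyncEnabled": true,
   "passwordPolicies": "DisablePasswordExpiration",
   "lastPasswordChangeDateTime": "2021-12-15T09:00:00Z", "maxAgeDays": 180},
  {"userPrincipalName": "erin@example.com", "onPremisesSyncEnabled": null,
   "passwordPolicies": null,
   "lastPasswordChangeDateTime": "2021-01-01T09:00:00Z", "maxAgeDays": null}
]""")

def parse_ts(value):
    """Parse a Graph-style UTC timestamp such as 2021-10-01T09:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def stale_synced_accounts(users, as_of):
    """Return (upn, days_overdue) for synced accounts whose password is older
    than the on-premises maximum age while cloud expiry is disabled."""
    findings = []
    for u in users:
        if not u.get("onPremisesSyncEnabled"):
            continue  # cloud-only account: the on-premises policy does not apply
        policies = {p.strip() for p in (u.get("passwordPolicies") or "").split(",")}
        max_age = u.get("maxAgeDays")
        if max_age is None or "DisablePasswordExpiration" not in policies:
            continue  # no on-prem expiry, or cloud expiry is not disabled
        age = (as_of - parse_ts(u["lastPasswordChangeDateTime"])).days
        if age > max_age:
            findings.append((u["userPrincipalName"], age - max_age))
    return sorted(findings, key=lambda f: -f[1])

if __name__ == "__main__":
    as_of = datetime(2022, 1, 27, 12, 0, tzinfo=timezone.utc)  # constructed audit date
    for upn, overdue in stale_synced_accounts(SAMPLE_USERS, as_of):
        print(f"{upn}: {overdue} days past on-premises maximum age")
```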