Password Expiration with AAD connect Password hash sync


When Password Sync is enabled, the cloud password for a synchronized user is set to “never expires”. This means that the password synchronized to the cloud is still valid after the on-premises password expires.

Is there a way that we can enforce Office 365 users to change their password in local AD once password expiration in local AD is enforced?


2 answers

  1. Siva-kumar-selvaraj 15,546 Reputation points

    Hello @Sonal Dominic Abeywardena Gunasekera ,

    Thanks for reaching out.

    Yes. If a user is in the scope of password hash synchronization, by default the cloud account password is set to Never Expire. You can continue to sign in to your cloud services by using a synchronized password that is expired in your on-premises environment. Your cloud password is updated the next time you change the password in the on-premises environment.

    To avoid such situations, you can enable the EnforceCloudPasswordPolicyForPasswordSyncedUsers feature and update the Azure AD password policy to match the on-premises AD password expiry policy. For example, the default Azure AD password policy requires users to change their passwords every 90 days. If your policy in AD is also 90 days, the two policies should match. If the AD policy is not 90 days, you can update the Azure AD password policy to match by using the Set-MsolPasswordPolicy PowerShell command.

    In this instance, the password expiry for on-premises and Azure AD will be the same, therefore users will need to change their password when it expires. However, synchronized users won't be able to change their password from Azure AD until you enable Azure Active Directory self-service password reset writeback to an on-premises environment; otherwise the user has to change their password from on-premises and wait for the new password hash to get synchronized to Azure AD.

    Note: Once the EnforceCloudPasswordPolicyForPasswordSyncedUsers feature is enabled, Azure AD does not go to each synchronized user to remove the Never Expire (DisablePasswordExpiration) value from the PasswordPolicies attribute. Instead, the Never Expire (DisablePasswordExpiration) value is removed from PasswordPolicies during the next password hash sync for each user, upon their next password change in on-premises AD.

    For additional information, see "What is the EnforceCloudPasswordPolicyForPasswordSyncedUsers feature?". I hope this was helpful.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    3 people found this answer helpful.
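    The steps in the answer above, as an added example that is not part of the original answer: enable the feature, align the cloud validity period with the on-premises maximum password age, and then audit which synced users still carry DisablePasswordExpiration. It assumes the MSOnline and ActiveDirectory modules are installed, that you are already connected with Connect-MsolService, and that "contoso.com" is a placeholder for your verified domain.

```powershell
# Added example, not from the answer above. Assumes: MSOnline module loaded and
# Connect-MsolService already run as a Global Administrator; ActiveDirectory RSAT
# module available; "contoso.com" is a placeholder for a verified custom domain.

# 1. Tenant-wide switch: synced users honour the cloud expiry policy instead of
#    being treated as "never expires".
Set-MsolDirSyncFeature -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers -Enable $true

# Confirm the feature is now reported as enabled.
Get-MsolDirSyncFeatures -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers

# 2. Read the on-premises default domain maximum password age so the two
#    policies really match, then push the same number of days to Azure AD.
#    (Fine-grained password policies applied to specific groups are not covered
#    by this cmdlet; check those separately if you use them.)
$onPremMaxAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days
if ($onPremMaxAge -le 0) {
    throw "On-premises MaxPasswordAge is 0 (never expires); nothing to align."
}
Set-MsolPasswordPolicy -DomainName "contoso.com" -ValidityPeriod $onPremMaxAge -NotificationDays 14
Get-MsolPasswordPolicy -DomainName "contoso.com"

# 3. Audit: synced users (ImmutableId set) that still have DisablePasswordExpiration
#    keep their current cloud password until their next on-premises password
#    change flows through password hash sync, as the note above explains.
Get-MsolUser -All |
    Where-Object { $_.ImmutableId -and $_.PasswordPolicies -match 'DisablePasswordExpiration' } |
    Select-Object UserPrincipalName, LastPasswordChangeTimestamp, PasswordPolicies |
    Sort-Object LastPasswordChangeTimestamp
```

Run the audit query again after a sync cycle to watch the list shrink as users change their on-premises passwords.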

  2. Anand Sunka 0 Reputation points

    Hello SonalGunasekera-5133,

    Please refer to this link for your answer, the reply by lucafabbri365 to ThomasK007.

    I hope this will give your answer.

    Anand S
