Password Policy - Azure AD

karthik palani 1,036 Reputation points
2022-04-07T12:51:01.85+00:00

Hi All,

We had an on-prem environment; due to some issue we decommissioned the complete environment and moved to Azure AD. Now all the users are cloud identities and Azure AD joined. No AD Connect server.

  1. We set the password expiration policy under Security & privacy - Org settings - Password expiration policy to 60 days. Most of the users crossed 70 days but still get no prompt for a password change. Do I need to run any command for the Azure AD password policy to take control, and is there any way to see a report?
  2. Due to the abrupt cut from the on-prem environment, I suspect the old group policy is still there in the local security policy and it could conflict. Please share your expertise on how to clear this, or is this not a problem?

2 answers

  1. Vineet Kumar Gupta 161 Reputation points
    2022-04-11T13:02:37.363+00:00

    If this is Azure AD joined, you can run `dsregcmd /status`. This will show how and from where all your machines/end users are getting policy.

    Under Device State, if you see AzureAdJoined and EnterpriseJoined showing YES, then your machine is getting policy from Azure AD or from an on-premises AD which was moved to Azure.


  2. Givary-MSFT 35,621 Reputation points Microsoft Employee Moderator
    2022-04-11T15:07:10.76+00:00

    @karthik palani

    To answer your query, first I would like to check the password expiration policy for a few users by using the command below, to understand what the configuration is.

    ```powershell
    # Reports whether the user's PasswordPolicies attribute carries DisablePasswordExpiration
    Get-AzureADUser -ObjectId <user ID> | Select-Object @{N="PasswordNeverExpires";E={$_.PasswordPolicies -contains "DisablePasswordExpiration"}}
    ```

    Also, you mentioned you disconnected from on-premises AD suddenly / removed the AD Connect server. I would like to check whether you have turned off directory synchronization; reference: https://learn.microsoft.com/en-us/microsoft-365/enterprise/turn-off-directory-synchronization?view=o365-worldwide

    Also, you can refer to this section of the article to set a password to expire:
    https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy#:~:text=Set%20a%20password%20to%20expire

    Let me know if you have any questions.

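The per-user check in the answer above, extended to the tenant-wide report the question asks for. This is an added example, not code from either answer; it assumes the AzureAD module is installed and `Connect-AzureAD` has already been run, and the `-Remediate` switch is this script's own parameter. Note that `PasswordPolicies` is a single comma-separated string (for example `DisableStrongPassword, DisablePasswordExpiration`), so the example matches on it with `-match` rather than `-contains`, which only succeeds when the string is exactly `DisablePasswordExpiration`.

```powershell
# Added example: list every cloud user exempt from password expiration and,
# optionally, clear the exemption so the 60-day tenant policy applies to them.
# Assumption: AzureAD module loaded and Connect-AzureAD already done.
param(
    [switch]$Remediate   # assumed parameter: clear the flag instead of only reporting
)

$users = Get-AzureADUser -All $true

$report = foreach ($u in $users) {
    # PasswordPolicies is a comma-separated string; -match handles multi-value cases
    $neverExpires = [bool]($u.PasswordPolicies -match 'DisablePasswordExpiration')
    [pscustomobject]@{
        UserPrincipalName    = $u.UserPrincipalName
        ObjectId             = $u.ObjectId
        PasswordPolicies     = $u.PasswordPolicies
        PasswordNeverExpires = $neverExpires
    }
}

$report | Sort-Object PasswordNeverExpires -Descending | Format-Table -AutoSize

# @() keeps .Count valid when zero or one user is flagged
$flagged = @($report | Where-Object { $_.PasswordNeverExpires })
Write-Host ("{0} of {1} users are exempt from password expiration." -f $flagged.Count, @($report).Count)

if ($Remediate) {
    foreach ($f in $flagged) {
        # "None" removes DisablePasswordExpiration, so the tenant expiration policy takes effect
        Set-AzureADUser -ObjectId $f.ObjectId -PasswordPolicies "None"
        Write-Host "Cleared DisablePasswordExpiration for $($f.UserPrincipalName)"
    }
}
```

Run it without `-Remediate` first and review the report; a cloud-only tenant where every user shows `PasswordNeverExpires = True` is the usual reason a 60-day policy never prompts anyone.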
