This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(217.60000000000002, 71%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
Having setup in a hybrid environment (AD on premises and Azure AD) user domain accounts that have a password expiration of 45 days and users can logon to the domain on client devices using Biometric logon or Windows username and PIN logon or standard username and their domain password logon, what happens when the 45 day limit approaches and passes, if say for example, a domain a user is always just using biometric logon or simply ignores the password is to expire prompt to change (and if using biometric would they still see the password expire prompt to change at all or is that warning only seen if they actually use a password to logon) ? On day 46 can the user still logon with biometric or PIN and also hyen still access all network resources as normal (both on premises and cloud resources i.e. e-mail, onedrive, MS Teams etc) or does the password expiration allow logon but prevent access to the network resources ?
Further if a user is working remotely (at home) and has say Fortinet client VPN and that is just a user VPN tunnel i.e. not active until logon and thus not an always on VPN, then if their password expired or they simlpy have forgotten it as they dont use it often or at all to logon, can they recover from that remotely or would they need to visit site. If we have Self Service Password reset can they go to the portal and change the password, and would that be of any use anyway once changed, if they still cannot remember the old password that is cached on their system as their VPN is not active until logon ?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(278.4, 57.00000000000001%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
@Skype228 , Hope you are doing good . Apologies for the delay in getting this handled. In case you have found any solution to the issue , it would be great if you can share the same with the community . If you still need help further on this , do let us know and we will help you further
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(57.599999999999994, 93%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETP%3C/text%3E%3C/svg%3E)
At my company, we have seen the same issue, but do not have much information except possibly the way the password credential and WHfB credentials are cached together and WHfB being used as the credential provider. It seems the device ignores the call to remind the user to update their password (at login), because they used WHfB to login / unlock the device (after expiration). Yet, the password is still crutial in this scenario.
I also am interested in an update from MS on this. We're working on a line-of-sight to DCs (before VPN) to help with Self-Service Password Reset (SSPR), but still can be annoying when that password does exceed expiration and their WHfB credentials no longer works as a result.
When a user's password does expire and they are on a Hybrid Azure AD Joined (HAADJ) device, it should still work / prompt a user to change their password, even if they have been using WHfB. Or, offer the user the option to "exclude" the password credential from the HAADJ device, so if it expires, it does not lock them completely out. They should still be given the option to update the password and seems to be a workflow flaw between the credential providers.
Our experience has been:
Impacted users are operating from HAADJ devices. Password expires and user must change (they missed prompts to change it). However, Azure AD, password is NOT expiring. Using Password Hash Sync with Entra AD Connect.
User's AD password reaches expiration, but they have been using WHfB to sign-on and access the VPN. once they are connected (VPN), it seems their session will break when their device locks (unable to unlock). One way around this, is like yours (office visit). There are other work-arounds, like logon with cached password and have no line of sight to a DC. Then, they can hurry and change their password, after they connect to the VPN. Then they need to lock and unlock to update the newly changed password.
Or, they need an Azure AD Joined (AADJ) device, which is not AD joined. Long-term, sure, but how about the now?
No answer found for the above. Basically if VPN is user tunnel and not an always on VPN users who forget passwords or have passwords expire would have to return to the company LAN and logon direct to the company network to reset\have their passwords reset.
Not received any replies yet to question.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(44.800000000000004, 16%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJM%3C/text%3E%3C/svg%3E)
@Skype228 have you found any answer or solution to this?