Sync AD password policy to Azure AD

CroTeam 21 Reputation points
2020-09-22T08:28:19.3+00:00

Hi all,

We have a requirement to sync our local AD password policy to Azure AD, so if the local pass policy has a pass expiration of 60 days we want to match that with Azure so that all cloud passes also expire at the same time. We are using password hash sync.

I am aware of the feature called EnforceCloudPasswordPolicyForPasswordSyncedUsers

My question is: if we enable this and match the local pass policy with Azure AD (if I change the Azure AD policy to 60 days), what will happen when a user changes his password locally? Will that sync and reset the timer of the cloud account, or will it ask the user to change the cloud pass as well before 60 days?

Second question is: do we need to implement SSPR when we activate this feature, or does it work without it?

The goal is to change the pass locally and have that update the pass and reset the timer on the Azure AD account.


1 answer
  1. VipulSparsh-MSFT 16,271 Reputation points Microsoft Employee
    2020-09-23T12:34:53.587+00:00

    @CroTeam If you enable EnforceCloudPasswordPolicyForPasswordSyncedUsers, that would enforce the cloud password policy on synced users as well. This is recommended if users are accessing only cloud resources and we don't care about on-premises resources and the password expiry that happens at on-premises AD.

    With this, when a user changes the password locally, the password would be synced to Azure AD. The last password changed time would be reset and no password change would be prompted by Azure AD till we reach 60 days or so. If the password is changed at on-prem AD before it hits the 60-day mark, this process will keep repeating.
    But if it was not changed at on-prem and the user accesses a cloud resource after 60 days, the user would be prompted to change the password. With password writeback enabled, this would be written back to AD. This doesn't require SSPR; only password writeback has to be enabled.

    If the users are going to change their password always locally at AD, then everything is taken care of. But passwords by default on the cloud don't expire.
    So after 60 days, when the password expires at AD, it doesn't expire at Azure AD; you need to do the steps here to expire the password for the user at Azure AD, as described at
    https://video2.skills-academy.com/en-us/microsoft-365/admin/add-users/set-password-to-never-expire?view=o365-worldwide#set-a-password-to-expire

    -----------------------------------------------------------------------------------------------------------------

    If the suggested response helped you resolve your issue, please do not forget to accept the response as Answer and "Up-Vote" for the answer that helped you for benefit of the community.
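The checks and settings discussed in the answer above, as an added PowerShell walkthrough that is not part of the original question or answer: it reads the on-prem domain's maximum password age, confirms and enables the EnforceCloudPasswordPolicyForPasswordSyncedUsers Azure AD Connect feature, aligns the Azure AD validity period to the on-prem value, and then inspects one synced user's cloud expiry timer. It assumes the MSOnline and ActiveDirectory (RSAT) modules are installed and a Global Administrator sign-in; `contoso.com` and `user@contoso.com` are placeholders.

```powershell
# Added example (not from the original Q&A). Assumes the MSOnline and ActiveDirectory
# modules; "contoso.com" / "user@contoso.com" are placeholders for your own tenant.
Import-Module ActiveDirectory
Import-Module MSOnline
Connect-MsolService   # interactive sign-in as a Global Administrator

# 1. Read the on-prem default domain password policy (the "60 days" from the question).
$adPolicy   = Get-ADDefaultDomainPasswordPolicy
$maxAgeDays = [int]$adPolicy.MaxPasswordAge.TotalDays
Write-Host "On-prem MaxPasswordAge: $maxAgeDays days"

# 2. Is the cloud policy currently enforced for password-hash-synced users?
Get-MsolDirSyncFeatures -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers

# 3. Enable it so Azure AD applies its own expiry to synced users.
Set-MsolDirSyncFeature -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers -Enable $true

# 4. Make the Azure AD validity period match the on-prem maximum age.
#    NotificationDays must be smaller than ValidityPeriod.
Set-MsolPasswordPolicy -DomainName "contoso.com" -ValidityPeriod $maxAgeDays -NotificationDays 14
Get-MsolPasswordPolicy -DomainName "contoso.com"

# 5. For one synced user, show the cloud timer and clear any per-user "never expires" flag
#    (the PowerShell equivalent of the "set a password to expire" steps the answer links to).
$upn = "user@contoso.com"   # placeholder
$u   = Get-MsolUser -UserPrincipalName $upn
$u | Select-Object UserPrincipalName, LastPasswordChangeTimestamp, PasswordNeverExpires
if ($u.PasswordNeverExpires) {
    Set-MsolUser -UserPrincipalName $upn -PasswordNeverExpires $false
}

# LastPasswordChangeTimestamp is updated when the on-prem change is hash-synced, which is
# what resets the cloud timer; compute when Azure AD will next prompt this user.
if ($null -ne $u.LastPasswordChangeTimestamp) {
    $expiresOn = $u.LastPasswordChangeTimestamp.AddDays($maxAgeDays)
    $daysLeft  = [int]($expiresOn - (Get-Date)).TotalDays
    Write-Host "Cloud password for $upn expires on $expiresOn ($daysLeft days left)"
}
```

Two caveats worth checking in your own tenant: enabling the feature does not immediately re-stamp every existing user; each synced user picks up the cloud expiry on their next password hash sync, so run step 5 against a test account after a local password change to confirm the timer moved. The MSOnline module is deprecated in favour of Microsoft Graph PowerShell, so treat these cmdlets as the 2020-era path the thread was written against.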

