ADFS: Wrong number of days for password expiration
Hi there,
we've configured the password expiry claim in our ADFS like this: https://video2.skills-academy.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-to-send-password-expiry-claims
And our users are getting messages like this, which is confusing:
Microsoft Outlook
"Your password for "username@business.biz" expires in 1217021 days. Click here to change your password."
Do you have any ideas, where this high amount of days comes from?
Thanks.
Active Directory Federation Services
-
Pierre Audonnet - MSFT 10,191 Reputation points • Microsoft Employee
2020-10-06T13:43:33.987+00:00 Have you set up the Claims X-Ray Relying Party Trust in your ADFS? If not, I would recommend you do so, then set the same rule on the Claims X-Ray that you have set on the Azure AD Relying Party Trust and test the access. It will tell you what is in your token, like:
Then we know if the issue is at the ADFS level or somewhere else.
-
techguy 6 Reputation points
2020-10-19T07:25:26.347+00:00 Thank you very much for sharing the Claims X-Ray help site. Didn't know this existed. I was able to receive an X-Ray claim, but it didn't include the passwordexpirationtime attribute. But I'll do some more testing.
-
Pierre Audonnet - MSFT 10,191 Reputation points • Microsoft Employee
2020-10-19T17:18:54.177+00:00 It will show only if it is 14 days away or less to expire.
-
techguy 6 Reputation points
2020-10-20T08:27:23.103+00:00 Yes, I've read about this.
There is a 14-day window, so the sent claims will only be populated if the password is expiring within 14 days.
For testing purposes: I've created a fine-grained password policy, set the max. password age to 10 days and linked this FGPP to a test user. But even in this case I didn't get the attributes.
-
Pierre Audonnet - MSFT 10,191 Reputation points • Microsoft Employee
2020-10-20T11:00:15.61+00:00 Works for me in my lab (ADFS 2016 and ADFS 2019).
Can you copy/paste the rules you have?
-
Pierre Audonnet - MSFT 10,191 Reputation points • Microsoft Employee
2020-10-20T12:46:27.057+00:00 In my lab, I have the following.
A user called TechGuy with an FGPP that tells the password expires after 7 days:
Get-ADUserResultantPasswordPolicy -Identity techguy

AppliesTo                   : {CN=techguy,OU=Accounts,DC=verenatex,DC=com}
ComplexityEnabled           : True
DistinguishedName           : CN=Exp7days,CN=Password Settings Container,CN=System,DC=verenatex,DC=com
LockoutDuration             : 00:30:00
LockoutObservationWindow    : 00:30:00
LockoutThreshold            : 0
MaxPasswordAge              : 7.00:00:00
MinPasswordAge              : 1.00:00:00
MinPasswordLength           : 7
Name                        : Exp7days
ObjectClass                 : msDS-PasswordSettings
ObjectGUID                  : 040967b3-e8c2-4d57-a793-bd1bb7409228
PasswordHistoryCount        : 24
Precedence                  : 1
ReversibleEncryptionEnabled : False
-
Pierre Audonnet - MSFT 10,191 Reputation points • Microsoft Employee
2020-10-20T12:48:04.21+00:00 On the relying party trust, I have only one claim rule:
And this is the result in the Claims X Ray site:
-
techguy 6 Reputation points
2020-10-20T14:38:13.433+00:00 Sure. Anonymized, but here we go.
PS C:\> Get-ADUserResultantPasswordPolicy -Identity testuser

AppliesTo                   : {CN=testuser,(...),DC=company,DC=xy}
ComplexityEnabled           : True
DistinguishedName           : CN=fgpp7days,CN=Password Settings Container,CN=System,DC=company,DC=xy
LockoutDuration             : 00:30:00
LockoutObservationWindow    : 00:30:00
LockoutThreshold            : 0
MaxPasswordAge              : 7.00:00:00
MinPasswordAge              : 1.00:00:00
MinPasswordLength           : 8
Name                        : fgpp7days
ObjectClass                 : msDS-PasswordSettings
ObjectGUID                  : 1234
PasswordHistoryCount        : 0
Precedence                  : 10
ReversibleEncryptionEnabled : False
-
techguy 6 Reputation points
2020-10-20T14:41:21.597+00:00 RP with claim rules
-
techguy 6 Reputation points
2020-10-20T14:41:51.93+00:00 Token response
-
Pierre Audonnet - MSFT 10,191 Reputation points • Microsoft Employee
2020-10-20T14:46:10.797+00:00 Make sure the user doesn't have the check box "Password never expires". Also, can you share the raw token? (from the bottom of the Claims X Ray page)
-
techguy 6 Reputation points
2020-10-20T15:09:51+00:00 The option isn't activated. But in "net user testuser /domain" it shows that the "password expires" date is somewhere in 2021. But maybe "net user" doesn't check the FGPP...
RAW token: see attached 33702-rawtoken.txt
-
Pierre Audonnet - MSFT 10,191 Reputation points • Microsoft Employee
2020-10-20T15:15:54.22+00:00 Correct, the NET USER method doesn't account for the FGPP. But your command Get-ADUserResultantPasswordPolicy -Identity testuser is correct.
This is weird... Can you send all claims in the second rule:
c:[] => issue(claim = c);
And paste the screenshot of the results? Also make sure you check the checkbox "Force fresh authentication". To make sure, you can use the Forms option in the authentication policy section.
-
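As the exchange above notes, "net user /domain" ignores fine-grained password policies. The following PowerShell is an added example, not code from the thread or from Microsoft: it reads the expiry AD itself computes (msDS-UserPasswordExpiryTimeComputed, which honours FGPP), cross-checks it against the resultant policy, and reports whether the account falls inside the 14-day window in which ADFS populates the expiry claims. It assumes the ActiveDirectory module (RSAT) and a reachable domain controller; the 14-day window is the one the thread states.

```powershell
# Added example (not from the thread): effective password expiry for one
# user, honouring FGPP, plus whether it is inside the ADFS claim window.
param(
    [Parameter(Mandatory)][string]$Identity,
    [int]$ClaimWindowDays = 14        # window stated in the thread
)
Import-Module ActiveDirectory

$user = Get-ADUser -Identity $Identity -Properties PasswordLastSet,
    PasswordNeverExpires, 'msDS-UserPasswordExpiryTimeComputed'

# AD computes this attribute on the DC, taking any applicable FGPP into
# account. "never expires" comes back as 0 or Int64.MaxValue.
$raw = [int64]$user.'msDS-UserPasswordExpiryTimeComputed'
if ($user.PasswordNeverExpires -or $raw -eq 0 -or $raw -eq [int64]::MaxValue) {
    Write-Output "Password for '$Identity' never expires; ADFS will not issue expiry claims."
    return
}
if (-not $user.PasswordLastSet) {
    Write-Output "'$Identity' must change password at next logon (PasswordLastSet is empty)."
    return
}
$expiresUtc = [DateTime]::FromFileTimeUtc($raw)

# Cross-check: resultant FGPP, or the default domain policy when none applies.
$policy = Get-ADUserResultantPasswordPolicy -Identity $Identity
$maxAge = if ($policy) { $policy.MaxPasswordAge } else { (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge }
$fromPolicyUtc = $user.PasswordLastSet.ToUniversalTime() + $maxAge

$nowUtc   = (Get-Date).ToUniversalTime()
$daysLeft = [math]::Floor(($expiresUtc - $nowUtc).TotalDays)

[pscustomobject]@{
    User                = $user.SamAccountName
    PolicyName          = if ($policy) { $policy.Name } else { 'DefaultDomainPolicy' }
    MaxPasswordAge      = $maxAge
    PasswordLastSetUtc  = $user.PasswordLastSet.ToUniversalTime()
    ExpiresUtc          = $expiresUtc
    ExpiresFromPolicy   = $fromPolicyUtc
    PolicyMatchesAD     = [math]::Abs(($expiresUtc - $fromPolicyUtc).TotalMinutes) -lt 1
    DaysLeft            = $daysLeft
    InsideClaimWindow   = ($daysLeft -ge 0 -and $daysLeft -le $ClaimWindowDays)
}
```

If PolicyMatchesAD is false, the policy actually applied on the DC differs from what you expect (for example a higher-precedence FGPP), which is the first thing to rule out before looking at the claim rules.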
techguy 6 Reputation points
2020-10-20T15:24:32.81+00:00 Wow, the Forms option did the trick.
passwordexpirationdays 5
passwordexpirationtime 2020-10-26T09:16:56.320Z
passwordexpirationtime 2020-10-26T09:16:56.320Z
I'll search for a colleague who has to change his password in the next few days and claim an X-Ray token.
-
Pierre Audonnet - MSFT 10,191 Reputation points • Microsoft Employee
2020-10-20T15:26:38.293+00:00 The issue was probably that you already had a valid token, so you were not re-processing the rules. When testing, the form ensures that you ask for a new token from scratch.
-
techguy 6 Reputation points
2020-10-20T15:43:36.313+00:00 Found a colleague with a password expiring in the next few days. Did the X-Ray claim; here are the results.
-
Pierre Audonnet - MSFT 10,191 Reputation points • Microsoft Employee
2020-10-20T16:41:17.293+00:00 At this stage we can confirm that the issue is not ADFS.
The doc actually says it will not work with Windows Integrated Authentication. So, the test to force Forms was key here (and not the token refresh).
Can you have the user use Forms in ADFS to authenticate to Outlook instead of the WIA as a test to see if you see the right number of days? I don't know if that's possible...