Allow password expiration policy to sync from on-prem AD to Azure AD
Why doesn't a users cloud password expire when the on-prem password expires? We use an Azure Application Proxy App to securely publish an extranet to many employees and vendors whom never log into our domain directly but have on-prem AD accounts. To ensure they change their passwords regularly, we have to change their on-prem password once it expires so they are forced to use SSPR and create a new password.

We are currently investigating how we can best implement this feature.
32 comments
-
Anonymous commented
The EnforceCloudPasswordPolicyForPasswordSyncedUser capability is a definite help here, but would additionally like to see the ability to sync on-premises PasswordNeverExpires to Azure AD DisablePasswordExpiration policy.
Original PHS behavior - Azure creds never expire.
EnforceCloudPasswordPolicyForPasswordSyncedUser - Azure creds always expire.
Desired behavior -- option to synchronize on-premises password never expires so that Azure expiration matches. -
Anonymous commented
What is the current status on this?
-
Anonymous commented
Would like to see this happen quickly.
-
Nuno Alexandre commented
There is a new feature available (for quite a while now) called EnforceCloudPasswordPolicyForPasswordSyncedUser:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-password-hash-synchronization#enforcecloudpasswordpolicyforpasswordsyncedusers -
Krunal Shah commented
Seriously this is still pending!!!!!!!!!!!!!
-
Anonymous commented
It's officially been over a year since the Azure AD Team posted their comment. Any update at all would be appreciated. This is a huge inconvenience and security concern.
-
Samir commented
any update?
-
Anonymous commented
Any update ?
-
Anonymous commented
Any update on this?
-
pinki patel commented
Is it still true password expiration still not syncing to AAD with newer version of AD connect?
-
Luca Fabbri commented
Hello all,
even if it still is in "PLANNED" there is something you can already implement. I suggest to read this Microsoft Tech Community post https://techcommunity.microsoft.com/t5/office-365/password-expiration-with-aad-connect-password-hash-sync/m-p/1427851#M28874 (@Timothy Balk & @lucafabbri365 replies). -
AADCisTheNewDirSync commented
ridiculous that this was not enforced by design from the beginning of AADC and that this is still "planned" to be implemented for more than a year now.
-
Glenn Gilley commented
I'm looking for this exact thing as well. I was actually shocked when I was told users with expired passwords in our AD were still accessing O365 with no problem. Please get something with AD Connect working to make this work in a supported manner! I'd prefer not to have to rely on custom PowerShell scripts running forever.
-
Juliano commented
We have PHS sync activate and policy password on premisse and in Office365/Azure defined to get password expired in 90 days. We have some accounts set to password never expiry. This parameter do not sync with Azure/Office365, so this accounts expires in 90 days in Office365 and AzureAD. We need to set manually these specifics accounts to never expiry in o3655/azure. This is so bad... We need a more complete integration of these parameters about password policy of on premisse AD with AzureAD.
-
Anthony Minardi commented
Hello
Before I get into it. I want to agree with Ann. the Switch from Password Hash to Pass Thru will get it done, But it will put a strain on your On Prem AD and if the AD goes down no one will be able to Authenticate or Log in. You will need the Service running in a High Available Setup. Just wanted to throw this out there. Another solution would instead of the Admin resetting the Passwords and then Syncing you can use Manage Engine or setup Write Back for the User to be able to Reset Passwords and it will change it on the On Prem AD and Sync to Azure AD and Office 365. I use Intune Policies to send out a Notification with a link to the Forgot My Password and when they go to the Link it changes it on site and syncs it.
Yes it is Smoke and Mirrors but the passwords do get changed every 60 days or 120 depending on your password policy.
I used that for the past few moths and it works great.
I moved the On Prem AD Servers to Azure. I now going to go from Hashing to Pass Thru due to the High Available Set for the two AAD Servers that can take the added Authentication and I dont have to worry about the Server going down they are in Azures COLO. -
Michael commented
This has been requested some time ago - is there any update on the status of this necessary functionality? I am surprised that it has not been made more of a priority by your internal security teams.
-
Anonymous commented
Allow password expiration policy to sync from on-prem AD to Azure AD. This is really bottle neck for users to use intune, AAD in their environment.. Any progress made so sar
-
Trent Rae commented
Curious if there is any updates on this. Customer came across an article released on 24 Feb stating this is in preview but I did not see anything on the aadroadmap that stated it was.
-
Jay Wolf commented
Any updates Microsoft? Please tell me you are planning to role this out by April 2020?
-
Jay Villa commented
This is a very important feature. It's affecting thousands of organizations and creating huge security loopholes. This should be #1 on Microsoft's list. Please rollout a solution.