Allow password expiration policy to sync from on-prem AD to Azure AD
Why doesn't a user's cloud password expire when the on-prem password expires? We use an Azure Application Proxy app to securely publish an extranet to many employees and vendors who never log into our domain directly but have on-prem AD accounts. To ensure they change their passwords regularly, we have to change their on-prem password once it expires so they are forced to use SSPR and create a new password.
We are currently investigating how we can best implement this feature.
Luca Fabbri commented
Even if it is still in "PLANNED", there is something you can already implement. I suggest reading this Microsoft Tech Community post https://techcommunity.microsoft.com/t5/office-365/password-expiration-with-aad-connect-password-hash-sync/m-p/1427851#M28874 (@Timothy Balk & @lucafabbri365 replies).
Ridiculous that this was not enforced by design from the beginning of AADC, and that it has still been "planned" to be implemented for more than a year now.
Glenn Gilley commented
I'm looking for this exact thing as well. I was actually shocked when I was told users with expired passwords in our AD were still accessing O365 with no problem. Please get something with AD Connect working to make this work in a supported manner! I'd prefer not to have to rely on custom PowerShell scripts running forever.
We have PHS sync activated and a password policy on premises and in Office 365/Azure defined to expire passwords in 90 days. We have some accounts set to password never expires. This parameter does not sync with Azure/Office 365, so these accounts expire in 90 days in Office 365 and Azure AD. We need to manually set these specific accounts to never expire in O365/Azure. This is so bad... We need a more complete integration of these password policy parameters from on-premises AD with Azure AD.
Anthony Minardi commented
Before I get into it, I want to agree with Ann. The switch from Password Hash to Pass-Through will get it done, but it will put a strain on your on-prem AD, and if the AD goes down no one will be able to authenticate or log in. You will need the service running in a highly available setup. Just wanted to throw this out there. Another solution would be, instead of the admin resetting the passwords and then syncing, you can use ManageEngine or set up writeback for the user to be able to reset passwords, and it will change it on the on-prem AD and sync to Azure AD and Office 365. I use Intune policies to send out a notification with a link to "Forgot My Password", and when they go to the link it changes it on site and syncs it.
Yes, it is smoke and mirrors, but the passwords do get changed every 60 or 120 days depending on your password policy.
I used that for the past few months and it works great.
I moved the on-prem AD servers to Azure. I am now going to go from hashing to pass-through due to the highly available setup for the two AAD servers, which can take the added authentication, and I don't have to worry about the server going down; they are in Azure's colo.
This has been requested some time ago - is there any update on the status of this necessary functionality? I am surprised that it has not been made more of a priority by your internal security teams.
Allow password expiration policy to sync from on-prem AD to Azure AD. This is really a bottleneck for users to use Intune and AAD in their environment. Any progress made so far?
Trent Rae commented
Curious if there are any updates on this. A customer came across an article released on 24 Feb stating this is in preview, but I did not see anything on the AAD roadmap that stated it was.
Jay Wolf commented
Any updates, Microsoft? Please tell me you are planning to roll this out by April 2020?
Jay Villa commented
This is a very important feature. It's affecting thousands of organizations and creating huge security loopholes. This should be #1 on Microsoft's list. Please rollout a solution.
Brenk van, Edwin commented
"This is a design behavior.
There is no attribute such as passwordexpire which will tell Office 365 that the password is expired."
So, when you are using Password Hash Synchronization, the "expired password" detail isn't synced to AAD, and hence users can continue to sign in.
So basically the password needs to be updated and a sync should be run so that the new password is synced to the cloud.
This is one way.
Given the situation, why not switch the authentication method from Password Hash to Pass-Through Authentication? This will meet the desired requirement.
Hello, even if PasswordNeverExpires=True when password sync is enabled (AADConnect), Azure lets you change the attribute to False via PowerShell; can it be considered a workaround? Will it inherit the password expiration policy set in Azure AD?
Rob de Jong (Azure AD IAM) commented
The best way to enforce on-premises password expiration policies is to switch over to Pass-Through Authentication. We're currently not planning to implement syncing the on-prem authentication policies to AAD.
Really? What is the big deal in synchronizing a couple of new attributes and adding logic to block sign-in based on the attributes?
Holy freaking heck... this is annoying. Why would you even consider it a good idea to continue to allow expired users login rights? Talk about a bad freaking idea. MSFT - honor on-prem AD password expiration dates... How hard is it?
In our support case, MSFT advises PowerShell to set users to blocked login until they change their password, and then wait for the script to run again to unblock them.
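As an added example (not from this thread, from Microsoft, or from the linked Tech Community post), here is one way to implement the two workarounds the comments describe in a scheduled PowerShell script for a Password Hash Sync tenant: block cloud sign-in for users whose on-prem password has expired and unblock them once they have changed it (the approach support suggested in the comment above), and mirror the on-prem PasswordNeverExpires flag into Azure AD, which AAD Connect does not sync (the problem raised earlier in the thread). It assumes the ActiveDirectory and AzureAD modules, an account that can read AD and enable or disable Azure AD users, and that the on-prem UPN matches the Azure AD UserPrincipalName; the OU, the state-file path and the `$WhatIf` switch are hypothetical placeholders.

```powershell
# Added example, not the thread's or Microsoft's code: mirror on-prem AD password state into Azure AD
# for a Password Hash Sync tenant.
#   1. expired on-prem password -> block cloud sign-in (AccountEnabled = $false)
#   2. password changed again   -> unblock, but only accounts this script blocked
#   3. PasswordNeverExpires     -> set DisablePasswordExpiration in Azure AD (clear it when AD no longer has it)
# Assumptions: ActiveDirectory + AzureAD modules, rights to read AD and to enable/disable Azure AD users,
# on-prem UPN == Azure AD UserPrincipalName. $SearchBase and $StatePath are hypothetical values.
Import-Module ActiveDirectory
Import-Module AzureAD
Connect-AzureAD | Out-Null    # interactive sign-in; use a certificate-based service principal for unattended runs

$SearchBase = 'OU=Extranet,DC=corp,DC=example'                # hypothetical OU holding the synced extranet users
$StatePath  = 'C:\ProgramData\PwdExpirySync\blocked.json'     # UPNs blocked by this script, so admin blocks are never undone
$WhatIf     = $true                                           # flip to $false once the report looks right

# Load the list of accounts this script blocked on earlier runs.
$blocked = @{}
if (Test-Path $StatePath) {
    foreach ($upn in @(ConvertFrom-Json (Get-Content $StatePath -Raw))) {
        if ($upn) { $blocked[$upn] = $true }
    }
}

# PasswordExpired is computed by the DC (msDS-User-Account-Control-Computed), so it already honours
# fine-grained password policies and "user must change password at next logon".
$adUsers = Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true' `
    -Properties UserPrincipalName, PasswordExpired, PasswordNeverExpires, PasswordLastSet

foreach ($ad in $adUsers) {
    $upn = $ad.UserPrincipalName
    if (-not $upn) { continue }
    $cloud = Get-AzureADUser -ObjectId $upn -ErrorAction SilentlyContinue
    if (-not $cloud) { continue }    # not synced, or filtered out by AAD Connect

    # --- PasswordNeverExpires: AAD Connect does not sync this flag, so mirror it explicitly ---
    $cloudNeverExpires = ($cloud.PasswordPolicies -match 'DisablePasswordExpiration')
    if ($ad.PasswordNeverExpires -and -not $cloudNeverExpires) {
        Write-Host "$upn : setting DisablePasswordExpiration in Azure AD"
        if (-not $WhatIf) { Set-AzureADUser -ObjectId $cloud.ObjectId -PasswordPolicies 'DisablePasswordExpiration' }
    }
    elseif (-not $ad.PasswordNeverExpires -and $cloudNeverExpires) {
        Write-Host "$upn : clearing DisablePasswordExpiration in Azure AD"
        if (-not $WhatIf) { Set-AzureADUser -ObjectId $cloud.ObjectId -PasswordPolicies 'None' }
    }

    # --- Expired on-prem password: block cloud sign-in until the user changes it (SSPR + password writeback) ---
    if ($ad.PasswordExpired -and -not $ad.PasswordNeverExpires) {
        if ($cloud.AccountEnabled) {
            Write-Host "$upn : on-prem password expired (last set $($ad.PasswordLastSet)); blocking cloud sign-in"
            if (-not $WhatIf) { Set-AzureADUser -ObjectId $cloud.ObjectId -AccountEnabled $false }
        }
        $blocked[$upn] = $true
    }
    elseif ($blocked.ContainsKey($upn)) {
        # The password was changed since we blocked the account; PHS pushes the new hash within a few minutes.
        Write-Host "$upn : password changed; unblocking cloud sign-in"
        if (-not $WhatIf) { Set-AzureADUser -ObjectId $cloud.ObjectId -AccountEnabled $true }
        $blocked.Remove($upn)
    }
}

# Persist the list of accounts this script blocked, for the next run.
New-Item -ItemType Directory -Path (Split-Path $StatePath) -Force | Out-Null
ConvertTo-Json -InputObject @($blocked.Keys) | Set-Content $StatePath
```

Two caveats a practitioner should check before relying on this. First, AAD Connect also exports the account-enabled state from the on-prem userAccountControl, and the on-prem account stays enabled here, so a sync cycle can re-enable a user this script blocked; schedule the script to run shortly after each sync cycle (the interval is shown by Get-ADSyncScheduler) rather than once a day. Second, the state file is what prevents the script from unblocking accounts that an administrator deliberately blocked in the portal, so keep it on the same host as the scheduled task and do not share it between tenants. The AzureAD module calls map directly onto Microsoft Graph PowerShell if you prefer it (Update-MgUser with -AccountEnabled and -PasswordPolicies).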
Pierre Minnis commented
This request is really important and I want to add our scenario. For the help desk to function, they need to be able to reset passwords for people who can't get it done themselves. Also, when a help desk person sets a user's password, it has to be expired so the user is forced to reset it, or else the help desk worker knows what the password is. The AAD role for password administrator doesn't work well for password hash customers with large directories. We have some on-prem accounts with permissions that we don't want the help desk to be able to reset (from the Azure portal, there's no good scoping capability). I think for customers who have password writeback set, AD Connect should provide the option to sync password expiration to AAD accounts. Even if the initial password change expiration is not instantaneous (it could wait for the next sync), the help desk could give the user a temporary password with an understanding they'll have to change it "soon".
Robin K. commented
Thanks a lot, Peter, for this feedback; although it is not fully satisfying for me, it is comprehensible.
Thanks for the other ideas and workarounds as an option.
Peter Selch Dahl commented
Some great feedback:
Feedback: An expired account isn't a "real" attribute in AD so Connect by itself cannot do it. That is why PTA was introduced. The only other option for password sync would be to sync the attribute as-is and let Azure AD evaluate the date and not allow sign-in when it has expired.
Feedback from Andreas!
@Chun Yong Chua.