Update: Microsoft will be moving away from UserVoice sites on a product-by-product basis throughout the 2021 calendar year. We will leverage 1st party solutions for customer feedback. Learn more here.

How can we improve Azure Active Directory?

← Azure Active Directory

Allow password expiration policy to sync from on-prem AD to Azure AD

Why doesn't a users cloud password expire when the on-prem password expires? We use an Azure Application Proxy App to securely publish an extranet to many employees and vendors whom never log into our domain directly but have on-prem AD accounts. To ensure they change their passwords regularly, we have to change their on-prem password once it expires so they are forced to use SSPR and create a new password.

256 votes

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close

We’ll send you updates on this idea

Jeremy Burke shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

36 comments

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • Anonymous commented  ·   ·  Flag as inappropriate

    The EnforceCloudPasswordPolicyForPasswordSyncedUser capability is a definite help here, but would additionally like to see the ability to sync on-premises PasswordNeverExpires to Azure AD DisablePasswordExpiration policy.

    Original PHS behavior - Azure creds never expire.
    EnforceCloudPasswordPolicyForPasswordSyncedUser - Azure creds always expire.
    Desired behavior -- option to synchronize on-premises password never expires so that Azure expiration matches.

  • Anonymous commented  ·   ·  Flag as inappropriate

    It's officially been over a year since the Azure AD Team posted their comment. Any update at all would be appreciated. This is a huge inconvenience and security concern.

  • pinki patel commented  ·   ·  Flag as inappropriate

    Is it still true password expiration still not syncing to AAD with newer version of AD connect?

  • AADCisTheNewDirSync commented  ·   ·  Flag as inappropriate

    ridiculous that this was not enforced by design from the beginning of AADC and that this is still "planned" to be implemented for more than a year now.

  • Glenn Gilley commented  ·   ·  Flag as inappropriate

    I'm looking for this exact thing as well. I was actually shocked when I was told users with expired passwords in our AD were still accessing O365 with no problem. Please get something with AD Connect working to make this work in a supported manner! I'd prefer not to have to rely on custom PowerShell scripts running forever.

  • Juliano Rocha Sens commented  ·   ·  Flag as inappropriate

    We have PHS sync activate and policy password on premisse and in Office365/Azure defined to get password expired in 90 days. We have some accounts set to password never expiry. This parameter do not sync with Azure/Office365, so this accounts expires in 90 days in Office365 and AzureAD. We need to set manually these specifics accounts to never expiry in o3655/azure. This is so bad... We need a more complete integration of these parameters about password policy of on premisse AD with AzureAD.

  • Anthony Minardi commented  ·   ·  Flag as inappropriate

    Hello
    Before I get into it. I want to agree with Ann. the Switch from Password Hash to Pass Thru will get it done, But it will put a strain on your On Prem AD and if the AD goes down no one will be able to Authenticate or Log in. You will need the Service running in a High Available Setup. Just wanted to throw this out there. Another solution would instead of the Admin resetting the Passwords and then Syncing you can use Manage Engine or setup Write Back for the User to be able to Reset Passwords and it will change it on the On Prem AD and Sync to Azure AD and Office 365. I use Intune Policies to send out a Notification with a link to the Forgot My Password and when they go to the Link it changes it on site and syncs it.
    Yes it is Smoke and Mirrors but the passwords do get changed every 60 days or 120 depending on your password policy.
    I used that for the past few moths and it works great.
    I moved the On Prem AD Servers to Azure. I now going to go from Hashing to Pass Thru due to the High Available Set for the two AAD Servers that can take the added Authentication and I dont have to worry about the Server going down they are in Azures COLO.

  • Michael commented  ·   ·  Flag as inappropriate

    This has been requested some time ago - is there any update on the status of this necessary functionality? I am surprised that it has not been made more of a priority by your internal security teams.

← Previous 1

Azure Active Directory: Azure AD Connect

Categories

Feedback and Knowledge Base

(thinking…)
Hosted by UserVoice