When setting up Azure AD Connect and synchronize identities to Azure AD we have two different password policy’s to take care of. In local Active Directory we have a policy for local accounts but if we have an user synchronize to Azure AD they still use the local password policy as default. In Azure AD we have a password policy for cloud accounts.

When password hash synchronization is enabled, the password complexity policies in your on-premises Active Directory instance override complexity policies in the cloud for synchronized users. You can use all of the valid passwords from your on-premises Active Directory instance to access Azure AD services.

PropertyStandard strength passwordsStrong passwords
Characters allowedA – Z
a – z
0 – 9
@ # $ % ^ & * – _  + = [ ] { } | \ : ‘ , . ? / ` ~ “ ( ) ;
Characters disallowed

* Unicode characters 
* spaces
* Unicode characters 
* spaces
* Cannot contain a dot character ‘.’ immediately preceding the ‘@’ symbol
Password restrictions8 characters minimum and 256 characters maximum8 characters minimum and 256 characters maximum

Requires 3 out of 4 of the following:

* Lowercase characters
* Uppercase characters 
* Numbers (0-9)
* Symbols (see password restrictions above)
Password expiry durationDefault value: 90 days
Password expiry notificationDefault value: 14 days (before password expires)
Password ExpiryDefault value: false days (indicates that password expiry is enabled)
Password historyLast password cannot be used again.
Password history durationForever
Account LockoutAfter 10 unsuccessful logon attempts (wrong password), the user will need to solve a CAPTCHA dialog as part of logon.

Is it possible to change the cloud password policy?
Yes, you can change it in https://admin.microsoft.com or by PowerShell There is two options. Configure tenant wide or by domain name.

# Per tenant
Set-MsolPasswordPolicy -ValidityPeriod 90 -NotificationDays 14

# Per domain
Set-MsolPasswordPolicy -ValidityPeriod 90 -NotificationDays 14 -DomainName "alden365.se"

What happened if a user password expires?
User cannot sign-in to Active Directory but they can still use Azure AD sign-ins. All users that are synced to Azure AD change the value automatedly to not use the cloud password policy. To get rid of this we need to change from local password policy to Azure AD password policy. To enable the “EnforceCloudPasswordPolicyForPasswordSyncedUsers”

Set-MsolDirSyncFeature -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers
cmdlet Set-MsolDirSyncFeature at command pipeline position 1
Supply values for the following parameters:
Enable: yes
Continue with this operation?
[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): y

When this settings are enabled. The user are still configured for none cloud password policy. This settings will not be changed with AD Connect sync delta or initial. You have two options to solve this.

  • Run a PowerShell cmdlets to replace the parameter none.
    (Set-AzureADUser -ObjectID <User Object ID> -PasswordPolicies “DisablePasswordExpiration“)
  • Change password on user in local Active Directory

What happened if a user have the checkbox “Force Password Change on Next Logon”?
In Active Directory the account can sign-in and change the password. In cloud you are not able to sign-in. Run below commands to setup synchronizing temporary passwords to Azure AD.

Set-ADSyncAADCompanyFeature  -ForcePasswordChangeOnLogOn $true

What happened if a user is disabled?
If a user is disabled in Active Directory. It will also show that the user are blocked to sign-in.

What happens if an account expiration?
In Active Directory you cannot use the account anymore but in AzureAD the user can still sign in and use all application for ever. To solve that we need to stop use this function or create a trigger on domain controller to run a PowerShell script to disabled the AzureAD account with the “Set-AzureADUser” cmdlet.

To get an better protection against password. Install and configure the AzureAD Password Protection. There is an option to add custom banned password and install an integration to on-prem Active Directory.

Deploy Password protection

Download the files on this path.

Start to install the proxy on one of the domain controller

Start PowerShell and run below commands.

Import-Module AzureADPasswordProtection
Get-Service AzureADPasswordProtectionProxy | fl
Register-AzureADPasswordProtectionProxy -AccountUpn 'john.doe@alden365.onmicrosoft.com'
Register-AzureADPasswordProtectionForest -AccountUpn 'john.doe@alden365.onmicrosoft.com’

Install the agent

It can take up to 24h before this will work. Have patience. Hope this will explain some confusions for you.