When setting up Azure AD Connect and synchronizing identities to Azure AD, there are two different password policies to take care of. On-premises Active Directory has a policy for local accounts, and a user synchronized to Azure AD keeps following that local password policy by default. Azure AD has a separate password policy for cloud accounts.

When password hash synchronization is enabled, the password complexity policies in your on-premises Active Directory instance override complexity policies in the cloud for synchronized users. You can use all of the valid passwords from your on-premises Active Directory instance to access Azure AD services.

| Property | Standard strength passwords | Strong passwords |
|---|---|---|
| Characters allowed | A - Z, a - z, 0 - 9, @ # $ % ^ & * - _ + = [ ] { } \| \ : ' , . ? / ` ~ " ( ) ; | Same as standard strength passwords |
| Characters disallowed | Unicode characters, spaces | Unicode characters, spaces; cannot contain a dot character '.' immediately preceding the '@' symbol |
| Password restrictions | 8 characters minimum and 256 characters maximum | 8 characters minimum and 256 characters maximum; requires 3 out of 4 of the following: lowercase characters, uppercase characters, numbers (0-9), symbols (see the allowed characters above) |
| Password expiry duration | Default value: 90 days | Default value: 90 days |
| Password expiry notification | Default value: 14 days (before password expires) | Default value: 14 days (before password expires) |
| Password expiry | Default value: false days (indicates that password expiry is enabled) | Default value: false days (indicates that password expiry is enabled) |
| Password history | Last password cannot be used again | Last password cannot be used again |
| Password history duration | Forever | Forever |
| Account lockout | After 10 unsuccessful logon attempts (wrong password), the user will need to solve a CAPTCHA dialog as part of logon | After 10 unsuccessful logon attempts (wrong password), the user will need to solve a CAPTCHA dialog as part of logon |

Is it possible to change the cloud password policy?
Yes, you can change it in https://admin.microsoft.com or with PowerShell. There are two options: configure it tenant-wide or per domain name.

```powershell
# Per tenant
Set-MsolPasswordPolicy -ValidityPeriod 90 -NotificationDays 14

# Per domain
Set-MsolPasswordPolicy -ValidityPeriod 90 -NotificationDays 14 -DomainName "alden365.se"
```

What happens if a user's password expires?
The user cannot sign in to Active Directory, but can still sign in to Azure AD. All users synced to Azure AD automatically get password expiration disabled, so they do not follow the cloud password policy. To change this, switch synced users from the local password policy to the Azure AD password policy by enabling the EnforceCloudPasswordPolicyForPasswordSyncedUsers feature:

```powershell
Set-MsolDirSyncFeature -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers
```

The cmdlet prompts for the missing parameter and for confirmation:

```text
cmdlet Set-MsolDirSyncFeature at command pipeline position 1
Supply values for the following parameters:
Enable: yes
Confirm
Continue with this operation?
[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): y
```

After this setting is enabled, existing users are still configured not to use the cloud password policy, and that value is not changed by an AD Connect delta or initial sync. You have two options to fix this:

  • Run a PowerShell cmdlet to set the user's PasswordPolicies attribute to None:
    Set-AzureADUser -ObjectID <User Object ID> -PasswordPolicies None
  • Change the user's password in local Active Directory

What happens if a user has the "Force Password Change on Next Logon" checkbox set?
In Active Directory the account can sign in and change the password; in the cloud the user is not able to sign in. Run the command below to set up synchronizing temporary passwords to Azure AD:

```powershell
Set-ADSyncAADCompanyFeature -ForcePasswordChangeOnLogOn $true
```

What happens if a user is disabled?
If a user is disabled in Active Directory, the synced Azure AD user is also shown as blocked from signing in.


What happens when an account expires?
In Active Directory the account can no longer be used, but in Azure AD the user can still sign in and use all applications indefinitely, because the expiration date is not synchronized. To solve this, either stop using account expiration or create a trigger on a domain controller that runs a PowerShell script to disable the Azure AD account with the Set-AzureADUser cmdlet.
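One way to build that trigger, as an added example that is not from the original post: a script that finds on-premises accounts whose expiration date has passed and blocks the matching Azure AD account with Set-AzureADUser. The OU path and the use of a scheduled task are assumptions.

```powershell
# Added example (not from the original post): block sign-in in Azure AD for
# every on-premises user whose accountExpires date has passed.
# Assumes the ActiveDirectory and AzureAD modules are installed and that
# Connect-AzureAD has already been run with an account allowed to update users.
# Run it from a scheduled task or event trigger on a domain controller or a
# management host; run with -WhatIf first to see what it would change.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Only users under this OU are checked; the DN is a constructed placeholder.
    [string]$SearchBase = 'OU=Users,DC=example,DC=com'
)

Import-Module ActiveDirectory
Import-Module AzureAD

$now = Get-Date

# AccountExpirationDate is the converted accountExpires value;
# $null means the account never expires.
$expired = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
    -Properties AccountExpirationDate |
    Where-Object { $_.AccountExpirationDate -and $_.AccountExpirationDate -lt $now }

foreach ($user in $expired) {
    # Look up the synced cloud object by UPN; escape quotes for the OData filter.
    $upn = $user.UserPrincipalName.Replace("'", "''")
    $cloudUser = Get-AzureADUser -Filter "userPrincipalName eq '$upn'"
    if (-not $cloudUser) {
        Write-Warning "No Azure AD user found for $($user.UserPrincipalName)"
        continue
    }
    if (-not $cloudUser.AccountEnabled) {
        continue   # already blocked from signing in
    }
    if ($PSCmdlet.ShouldProcess($cloudUser.UserPrincipalName, 'Block sign-in in Azure AD')) {
        Set-AzureADUser -ObjectId $cloudUser.ObjectId -AccountEnabled $false
        # Revoke refresh tokens so existing sessions end instead of living on
        # until their tokens expire.
        Revoke-AzureADUserAllRefreshToken -ObjectId $cloudUser.ObjectId
        Write-Output "Blocked $($cloudUser.UserPrincipalName) (expired $($user.AccountExpirationDate))"
    }
}
```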

For better protection against weak passwords, install and configure Azure AD Password Protection. It supports a custom banned password list and an agent that extends the check to on-premises Active Directory.

Deploy Password Protection

Download the installers from:
https://www.microsoft.com/en-us/download/details.aspx?id=57071

Start by installing the proxy on one of the domain controllers:
AzureADPasswordProtectionProxySetup.exe

Start PowerShell and run the commands below:

```powershell
Import-Module AzureADPasswordProtection
Get-Service AzureADPasswordProtectionProxy | fl
Register-AzureADPasswordProtectionProxy -AccountUpn 'john.doe@alden365.onmicrosoft.com'
Register-AzureADPasswordProtectionForest -AccountUpn 'john.doe@alden365.onmicrosoft.com'
```

Install the DC agent:
AzureADPasswordProtectionDCAgentSetup.msi

It can take up to 24 hours before this takes effect, so be patient. I hope this clears up some of the confusion.