Hi, you can reference the steps here:
Force password reset as set on AD to cloud access
How can we enforce password resets for domain users who primarily access cloud services and infrequently, if ever, log in to domain-joined devices? While we've implemented AD-based password expiration policies, we're encountering challenges in ensuring that users who primarily interact with cloud services are complying with these policies. Given our hybrid AD/AAD environment, what strategies can be employed to effectively mandate password resets for these users?
2 answers
Thameur-BOURBITA 33,571 Reputation points
2024-11-19T23:32:41.9433333+00:00
If you sync the password from on-premises to Entra ID, you should set the same value for Maximum password age (password expiry duration) on Active Directory and Entra ID.
In Entra, by default it's 90 days if the tenant was created before 2021, and you can adjust it by using the following command:
Update-MgDomain
For more information, please refer to the following link:
Microsoft Entra password policies
| Property | Requirements |
| --- | --- |
| Password expiry duration (Maximum password age) | Default value: 90 days. If the tenant was created after 2021, it has no default expiration value. You can check current policy with Get-MgDomain. The value is configurable by using the Update-MgDomain cmdlet from the Microsoft Graph module for PowerShell. |
| Password expiry (Let passwords never expire) | Default value: false (indicates that passwords have an expiration date). The value can be configured for individual user accounts by using the Update-MgUser cmdlet. |
Please don't forget to accept helpful answer
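The alignment described in this answer, as an added example that is not part of the original post: it reads the AD Maximum password age, compares it with the Entra ID domain value, updates Entra ID to match, and lists accounts exempted from expiry. The domain `contoso.com` and the 14-day notification window are assumed placeholder values.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory and
# Microsoft.Graph PowerShell modules and an account allowed to change domain settings.
Import-Module ActiveDirectory
Connect-MgGraph -Scopes 'Domain.ReadWrite.All', 'User.ReadWrite.All'

$domainId = 'contoso.com'   # placeholder: your verified Entra ID domain

# 1. Read the on-premises Maximum password age (a TimeSpan; zero means "never expires").
$adMaxAgeDays = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days
if ($adMaxAgeDays -le 0) {
    throw 'AD Maximum password age is not set, so there is no value to align to.'
}

# 2. Read the current Entra ID value for the same domain.
$domain = Get-MgDomain -DomainId $domainId
"AD: $adMaxAgeDays days; Entra ID: $($domain.PasswordValidityPeriodInDays) days"

# 3. Set Entra ID to the AD value when the two differ.
if ($domain.PasswordValidityPeriodInDays -ne $adMaxAgeDays) {
    Update-MgDomain -DomainId $domainId -BodyParameter @{
        passwordValidityPeriodInDays     = $adMaxAgeDays
        passwordNotificationWindowInDays = 14   # assumed value; choose your own
    }
}

# 4. The domain setting has no effect on accounts flagged "never expire",
#    so list enabled users that carry DisablePasswordExpiration.
$exempt = Get-MgUser -All -Property Id, UserPrincipalName, PasswordPolicies, AccountEnabled |
    Where-Object { $_.AccountEnabled -and $_.PasswordPolicies -match 'DisablePasswordExpiration' }
$exempt | Select-Object UserPrincipalName, PasswordPolicies

# 5. Preview clearing the flag. Review the list first (service accounts may be
#    exempt on purpose); 'None' also clears DisableStrongPassword if it was set.
#    Remove -WhatIf to apply the change.
foreach ($user in $exempt) {
    Update-MgUser -UserId $user.Id -PasswordPolicies 'None' -WhatIf
}
```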