Password policy considerations
There are two types of password policies that are affected by enabling password hash synchronization:
- Password complexity policy
- Password expiration policy
Password complexity policy
When password hash synchronization is enabled, the password complexity policies in your on-premises Active Directory instance override complexity policies in the cloud for synchronized users. You can use all of the valid passwords from your on-premises Active Directory instance to access Microsoft Entra services.
Note
Passwords for users that are created directly in the cloud are still subject to password policies as defined in the cloud.
Password expiration policy
If a user is in the scope of password hash synchronization, by default the cloud account password is set to Never Expire.
You can continue to sign in to your cloud services by using a synchronized password that is expired in your on-premises environment. Your cloud password is updated the next time you change the password in the on-premises environment.
CloudPasswordPolicyForPasswordSyncedUsersEnabled
If there are synchronized users that only interact with Microsoft Entra integrated services and must also comply with a password expiration policy, you can force them to comply with your Microsoft Entra password expiration policy by enabling the CloudPasswordPolicyForPasswordSyncedUsersEnabled feature (in the deprecated MSOnline PowerShell module it was called EnforceCloudPasswordPolicyForPasswordSyncedUsers).
When CloudPasswordPolicyForPasswordSyncedUsersEnabled is disabled (which is the default setting), Microsoft Entra Connect updates the PasswordPolicies attribute of synchronized users to "DisablePasswordExpiration". This update is done every time a user's password is synchronized and instructs Microsoft Entra ID to ignore the cloud password expiration policy for that user. You can check the value of the attribute using the Microsoft Graph PowerShell module with the following command:
(Get-MgUser -UserId <User Object ID> -Property PasswordPolicies).PasswordPolicies
To enable the CloudPasswordPolicyForPasswordSyncedUsersEnabled feature, run the following commands using the Graph PowerShell module:
$OnPremSync = Get-MgDirectoryOnPremiseSynchronization
$OnPremSync.Features.CloudPasswordPolicyForPasswordSyncedUsersEnabled = $true
Update-MgDirectoryOnPremiseSynchronization `
-OnPremisesDirectorySynchronizationId $OnPremSync.Id `
-Features $OnPremSync.Features
Note
You need to install the Microsoft Graph PowerShell module for the preceding script to work. If you get errors related to insufficient privileges, make sure that you consented to the required API scope when connecting: Connect-MgGraph -Scopes "OnPremDirectorySynchronization.ReadWrite.All"
Once enabled, Microsoft Entra ID doesn't immediately remove the DisablePasswordExpiration value from the PasswordPolicies attribute of each synchronized user. Instead, the value is removed from PasswordPolicies during the next password hash sync for each user, that is, on their next password change in on-premises Active Directory. Until then, existing users keep their non-expiring cloud password.
After the CloudPasswordPolicyForPasswordSyncedUsersEnabled feature is enabled, new users are provisioned without a PasswordPolicies value.
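The following script is an added example, not code from the original page or from Microsoft. It enables the feature using the cmdlets shown above and then reports how far the lazy cleanup of DisablePasswordExpiration has progressed across synchronized users, so you can see which accounts are still waiting for an on-premises password change. It assumes the Microsoft.Graph.Identity.DirectoryManagement and Microsoft.Graph.Users modules are installed and that the signed-in account can update directory synchronization settings and read users.

```powershell
# Added example (not from the original page): enable
# CloudPasswordPolicyForPasswordSyncedUsersEnabled, then report which synced users
# still carry DisablePasswordExpiration. Assumes Microsoft.Graph.Users and
# Microsoft.Graph.Identity.DirectoryManagement are installed.

Connect-MgGraph -Scopes "OnPremDirectorySynchronization.ReadWrite.All", "User.Read.All"

# 1. Turn the feature on. Re-running with the flag already set changes nothing.
$sync = Get-MgDirectoryOnPremiseSynchronization
if (-not $sync.Features.CloudPasswordPolicyForPasswordSyncedUsersEnabled) {
    $sync.Features.CloudPasswordPolicyForPasswordSyncedUsersEnabled = $true
    Update-MgDirectoryOnPremiseSynchronization `
        -OnPremisesDirectorySynchronizationId $sync.Id `
        -Features $sync.Features
    "Feature enabled."
} else {
    "Feature was already enabled."
}

# 2. Enabling the feature does not touch existing users: each one loses
#    DisablePasswordExpiration only after its next on-premises password change is
#    synchronized. Enumerate synced users and bucket them by their current state.
#    ConsistencyLevel/CountVariable opt in to the advanced query path for the filter.
$syncedUsers = Get-MgUser -All `
    -Filter "onPremisesSyncEnabled eq true" `
    -Property Id, UserPrincipalName, PasswordPolicies, LastPasswordChangeDateTime `
    -ConsistencyLevel eventual -CountVariable total

$stillExempt = @($syncedUsers | Where-Object { $_.PasswordPolicies -match 'DisablePasswordExpiration' })
$nowEnforced = @($syncedUsers | Where-Object { $_.PasswordPolicies -notmatch 'DisablePasswordExpiration' })

"{0} synced users: {1} still carry DisablePasswordExpiration, {2} now follow the cloud policy" -f `
    $total, $stillExempt.Count, $nowEnforced.Count

# 3. Accounts with the oldest passwords will wait longest for a natural password
#    change, so list those first; they are the candidates for a forced reset
#    on-premises if you need the cloud policy applied sooner.
$stillExempt |
    Sort-Object LastPasswordChangeDateTime |
    Select-Object UserPrincipalName, PasswordPolicies, LastPasswordChangeDateTime -First 20 |
    Format-Table -AutoSize
```

Run the script a second time after the next synchronization cycle and the counts show the rollout progressing without any further changes to tenant settings.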
Tip
It's recommended to enable CloudPasswordPolicyForPasswordSyncedUsersEnabled prior to enabling password hash sync, so that the initial sync of password hashes doesn't add the DisablePasswordExpiration value to the PasswordPolicies attribute for the users.
The default Microsoft Entra password policy doesn't require users to change their passwords. If the policy in your on-premises Active Directory is different, you can update the Microsoft Entra password policy to match by using the Update-MgDomain PowerShell command.
Microsoft Entra ID supports a separate password expiration policy per registered domain.
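The following script is an added example, not code from the original page or from Microsoft. It aligns the Microsoft Entra expiration policy of one registered domain with the on-premises default domain password policy, and refuses to run against a federated domain, where Update-MgDomain has no effect on password policy. It assumes the ActiveDirectory module (RSAT) is installed on the machine, that the account has Domain.ReadWrite.All, and that "contoso.com" is a placeholder for a verified domain in your tenant.

```powershell
# Added example (not from the original page): match the Microsoft Entra password
# expiration policy of a managed domain to the on-premises default domain policy.
# Assumes the ActiveDirectory (RSAT) module and Microsoft.Graph modules are installed.
# "contoso.com" is a placeholder for a verified tenant domain.

Import-Module ActiveDirectory
Connect-MgGraph -Scopes "Domain.ReadWrite.All"

$domainName = "contoso.com"   # placeholder

# On-premises MaxPasswordAge is a TimeSpan; a zero TimeSpan means "never expires".
$adPolicy   = Get-ADDefaultDomainPasswordPolicy
$maxAgeDays = [int]$adPolicy.MaxPasswordAge.TotalDays

# Microsoft Entra ID expresses "never expires" as a validity period of 2147483647 days.
$validityDays = if ($maxAgeDays -le 0) { 2147483647 } else { $maxAgeDays }

$domain = Get-MgDomain -DomainId $domainName

# Update-MgDomain does not work on federated domains; stop rather than silently no-op.
if ($domain.AuthenticationType -ne 'Managed') {
    throw "Domain $domainName is $($domain.AuthenticationType); its password policy is governed by the federation provider, not Microsoft Entra ID."
}

"Before: validity {0} days, notification window {1} days" -f `
    $domain.PasswordValidityPeriodInDays, $domain.PasswordNotificationWindowInDays

# Keep the notification window well inside the validity period; 14 days is a
# common choice and is an assumption of this example, not a Microsoft default.
$notifyDays = [Math]::Min(14, [Math]::Max(1, $validityDays - 1))

Update-MgDomain -DomainId $domainName `
    -PasswordValidityPeriodInDays $validityDays `
    -PasswordNotificationWindowInDays $notifyDays

# Read back to confirm the tenant accepted the change.
Get-MgDomain -DomainId $domainName |
    Select-Object Id, AuthenticationType, PasswordValidityPeriodInDays, PasswordNotificationWindowInDays
```

Because the policy is per registered domain, run this once for each managed domain whose users are in the scope of password hash synchronization.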
Caveat: If there are synchronized accounts that need to have nonexpiring passwords in Microsoft Entra ID, you must explicitly add the DisablePasswordExpiration value to the PasswordPolicies attribute of the user object in Microsoft Entra ID. You can add this value by running the following command:
Update-MgUser -UserId <User Object ID> -PasswordPolicies "DisablePasswordExpiration"
Note
For hybrid users that have a PasswordPolicies value set to DisablePasswordExpiration, this value switches to None after a password change is executed on-premises.
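The following script is an added example, not code from the original page or from Microsoft. It addresses the caveat and note above together: once the cloud expiration policy applies to synchronized users, a fixed set of accounts (for example, service accounts) needs DisablePasswordExpiration set explicitly, and because an on-premises password change resets the attribute to None, the setting has to be reasserted rather than applied once. The script is idempotent and only writes when the value is missing, so it can run on a schedule. It assumes User.ReadWrite.All, and the UPNs and domain are placeholders.

```powershell
# Added example (not from the original page): reassert DisablePasswordExpiration
# on a fixed list of synced accounts, preserving any other PasswordPolicies values
# and skipping accounts in federated domains where Update-MgUser has no effect.
# UPNs are placeholders. Assumes Microsoft.Graph.Users and
# Microsoft.Graph.Identity.DirectoryManagement are installed.

Connect-MgGraph -Scopes "User.ReadWrite.All", "Domain.Read.All"

# Accounts that must keep non-expiring cloud passwords (placeholders).
$exempt = @(
    "svc-scanner@contoso.com",
    "svc-backup@contoso.com"
)

# Cache domain authentication types so each domain is looked up once.
$domainType = @{}

$report = foreach ($upn in $exempt) {
    $u = Get-MgUser -UserId $upn `
        -Property Id, UserPrincipalName, OnPremisesSyncEnabled, PasswordPolicies, LastPasswordChangeDateTime

    $suffix = $upn.Split('@')[1]
    if (-not $domainType.ContainsKey($suffix)) {
        $domainType[$suffix] = (Get-MgDomain -DomainId $suffix).AuthenticationType
    }

    # PasswordPolicies is a comma-separated string, e.g.
    # "DisablePasswordExpiration, DisableStrongPassword"; "None" means no policy.
    $existing = @($u.PasswordPolicies -split ',' |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and $_ -ne 'None' })

    $action =
        if ($domainType[$suffix] -ne 'Managed')        { 'SkippedFederatedDomain' }
        elseif ($existing -contains 'DisablePasswordExpiration') { 'AlreadyExempt' }
        else                                            { 'Reasserted' }

    if ($action -eq 'Reasserted') {
        # Merge rather than overwrite so other policy flags survive.
        $new = (@($existing) + 'DisablePasswordExpiration' | Select-Object -Unique) -join ', '
        Update-MgUser -UserId $u.Id -PasswordPolicies $new
    }

    [pscustomobject]@{
        UserPrincipalName  = $u.UserPrincipalName
        Synced             = $u.OnPremisesSyncEnabled
        PoliciesBeforeRun  = $u.PasswordPolicies
        LastPasswordChange = $u.LastPasswordChangeDateTime
        Action             = $action
    }
}

$report | Format-Table -AutoSize
```

The LastPasswordChange column is the signal to watch: an account that shows Reasserted shortly after an on-premises password change is the case the note above describes, and a scheduled run closes that window.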
Note
The Update-MgDomain PowerShell command doesn't work on federated domains.
Note
The Update-MgUser PowerShell command doesn't work on federated domains.
More Information: Implement password hash synchronization with Azure AD Connect sync | Microsoft Docs