Sync your Microsoft Entra Password Policy with On-premise AD

  • Post category: Main
  • Post last modified: March 25, 2024

In this tutorial, I will show you how to ensure your Microsoft Entra passwords expire while they are synced to your on-premises Active Directory using Microsoft Entra Connect by updating the CloudPasswordPolicyForPasswordSyncedUsersEnabled attribute.

By default, if you are syncing your on-premise users with Microsoft Entra, via Microsoft Entra Connect, your Microsoft Entra password expiration policy does not comply with your on-premise password expiration policy. This can pose some significant compliance issues and impact the end-user experience. 

Suppose you use password hash synchronisation to sync passwords between your on-premise users and their Microsoft Entra counterpart identities. In that case, you may need to ensure both passwords for on-premise and cloud expire simultaneously. By default, when your on-premise user account password expires, between the time the password expires and the user updates their password, they can still log in to their Microsoft Entra account and access Azure resources with their old password. 

This poses a significant risk, especially over holiday periods when users are unlikely to be logging into their systems and an expired on-premise password keeps working in the cloud.

The Microsoft Entra Connect software will soon be replaced by Microsoft Entra Cloud Sync which is fully managed from the cloud. View my tutorial on how to migrate to Azure AD Connect cloud sync.

How Microsoft Entra password policy sync works behind the scenes

When you install Microsoft Entra Connect on-premise and sync your user identities from Active Directory to Microsoft Entra, if you leave all settings at their defaults, your password expiration policy will not sync to the cloud.

Behind the scenes, when your user account is synced to Microsoft Entra, the 'PasswordPolicies' attribute of the synchronised Microsoft Entra user is set to 'DisablePasswordExpiration', preventing the password from expiring.

You can check the value of the PasswordPolicies attribute with the following commands by using Microsoft Graph PowerShell. If you have not used Microsoft Graph PowerShell before, use this guide to learn how to install it.

1. Firstly import the Microsoft Graph users module into your PowerShell session.

Import-Module Microsoft.Graph.Users

2. Now connect to Microsoft Graph using the least required permissions. Here I am using the User.Read.All permissions as I only need read access to the data currently.

Connect-MgGraph -Scopes User.Read.All

3. Run the following command against one of your users to view the value of the PasswordPolicies attribute.

(Get-MgUser -UserId [email protected]).PasswordPolicies

For a full detailed breakdown of using the Get-MgUser cmdlet, check out my tutorial here: How To Use Get-MgUser with Microsoft Graph PowerShell

How to enable Microsoft Entra password policy sync

Now that you know the impact of leaving this disabled on your security posture and what is happening behind the scenes, let's look at enabling it in your organisation. These commands should be run from the on-premise Microsoft Entra Connect server.

Let us start by viewing the status of all the possible synchronisation features. For this, we will need the Microsoft Graph Beta PowerShell module (Microsoft.Graph.Beta.Identity.DirectoryManagement), as the cmdlets used below are only exposed through the beta endpoint.

1. Start by connecting to Microsoft Graph with the permission required to read and update the sync configuration.

Connect-MgGraph -Scopes OnPremDirectorySynchronization.ReadWrite.All

2. Then run the following command to view the current Azure AD Connect feature settings.

Get-MgBetaDirectoryOnPremiseSynchronization | `
Select-Object -ExpandProperty Features | Format-List

From the result, we can see that the CloudPasswordPolicyForPasswordSyncedUsersEnabled feature is disabled. Run the following to enable the feature.

$id = Get-MgBetaDirectoryOnPremiseSynchronization | Select -ExpandProperty Id

$body = @{
    Features = @{
        CloudPasswordPolicyForPasswordSyncedUsersEnabled = $true
    }
}

Update-MgBetaDirectoryOnPremiseSynchronization `
-OnPremisesDirectorySynchronizationId $id -BodyParameter $body

Now if we run the first command again, we can see that the feature is now enabled (set to True).
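The enable-and-verify steps above can be wrapped in one idempotent function that reads the current state, only writes when the feature is still disabled, and then re-reads the configuration to confirm the change. This is an added example and not code from the original post; it assumes the Microsoft.Graph.Beta.Identity.DirectoryManagement module is installed and that the signed-in account can consent to the OnPremDirectorySynchronization.ReadWrite.All scope. The function name Enable-CloudPasswordPolicySync is my own.

```powershell
# Added example: idempotently enable CloudPasswordPolicyForPasswordSyncedUsersEnabled
# and confirm the change by re-reading the tenant sync configuration.
# Assumes Microsoft.Graph.Beta.Identity.DirectoryManagement is installed.
Import-Module Microsoft.Graph.Beta.Identity.DirectoryManagement
Connect-MgGraph -Scopes OnPremDirectorySynchronization.ReadWrite.All

function Enable-CloudPasswordPolicySync {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # A tenant normally has exactly one onPremisesDirectorySynchronization object;
    # take the first to keep $sync.Id a single value.
    $sync = Get-MgBetaDirectoryOnPremiseSynchronization | Select-Object -First 1
    if (-not $sync) {
        throw "No on-premises directory synchronization configuration found in this tenant."
    }

    $before = [bool]$sync.Features.CloudPasswordPolicyForPasswordSyncedUsersEnabled
    if ($before) {
        Write-Host "CloudPasswordPolicyForPasswordSyncedUsersEnabled is already True; nothing to do."
        return [pscustomobject]@{ Id = $sync.Id; Before = $before; After = $before; Changed = $false }
    }

    # SupportsShouldProcess gives the function -WhatIf/-Confirm for free
    if ($PSCmdlet.ShouldProcess($sync.Id, "Enable CloudPasswordPolicyForPasswordSyncedUsersEnabled")) {
        $body = @{ Features = @{ CloudPasswordPolicyForPasswordSyncedUsersEnabled = $true } }
        Update-MgBetaDirectoryOnPremiseSynchronization `
            -OnPremisesDirectorySynchronizationId $sync.Id -BodyParameter $body

        # Re-read instead of trusting the request: this is the "run the first command again" check
        $after = [bool](Get-MgBetaDirectoryOnPremiseSynchronization `
            -OnPremisesDirectorySynchronizationId $sync.Id).Features.CloudPasswordPolicyForPasswordSyncedUsersEnabled
        if (-not $after) {
            throw "Update returned but the feature still reads as disabled; check permissions and retry."
        }
        return [pscustomobject]@{ Id = $sync.Id; Before = $before; After = $after; Changed = $true }
    }
}

# Dry run first, then apply
Enable-CloudPasswordPolicySync -WhatIf
Enable-CloudPasswordPolicySync
```

Running it a second time returns Changed = $false without issuing another update, which makes it safe to keep in a configuration-drift script that runs on a schedule.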

How do we know this worked?

Once a user next updates their password, the PasswordPolicies attribute on their user account will be updated. You can run the following command again against one of your users to confirm it.

(Get-MgUser -UserId [email protected]).PasswordPolicies

CloudPasswordPolicyForPasswordSyncedUsersEnabled

The CloudPasswordPolicyForPasswordSyncedUsersEnabled attribute is stored in the cloud as part of your Microsoft 365 tenant. 

By default, it is set to $false, which sets the PasswordPolicies attribute to DisablePasswordExpiration, as we have seen above.

This attribute is checked every time a user's password syncs from Active Directory to Microsoft Entra. While it is $false, it tells Microsoft Entra that the password expiration policy in the cloud must be ignored for that user. This means that until the password is changed on-premise, the Microsoft Entra password will not expire.

Final important steps to finish setting up Microsoft Entra password policy sync

Now that you have enabled the feature within your Microsoft Entra Connect configuration, it is essential to know a few things. 

It is recommended that you enable this feature before you synchronise your users to Microsoft Entra. This is because once the PasswordPolicies attribute for your Microsoft Entra user is set to DisablePasswordExpiration, it is not automatically overwritten after you enable the sync.

You can use the following script to change the PasswordPolicies value from DisablePasswordExpiration to None for all users who were synchronised before password policy sync was enabled.

Connect-MgGraph -Scopes User.ReadWrite.All

# PasswordPolicies and OnPremisesSyncEnabled are not in the default property set returned
# by Get-MgUser, so they must be requested explicitly or the filter matches nothing.
Get-MgUser -All -Property Id, UserPrincipalName, OnPremisesSyncEnabled, PasswordPolicies | `
Where-Object { $_.OnPremisesSyncEnabled -eq $true -and $_.PasswordPolicies -eq 'DisablePasswordExpiration' } | `
ForEach-Object {
    Update-MgUser -UserId $_.Id -PasswordPolicies None
}
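For a production tenant it is worth separating the check from the fix: first report which synced users still have a non-expiring cloud password (the check from the "How do we know this worked?" section), keep that list as a change record, and only then update them. The script below is an added example, not code from the original post. It assumes the Microsoft.Graph.Users module and the User.ReadWrite.All scope; the function name Repair-SyncedUserPasswordPolicy and the CSV path are my own. It goes slightly beyond the one-liner above by preserving any other policy flag (such as DisableStrongPassword) that may be combined with DisablePasswordExpiration in the same attribute, instead of overwriting the whole value with None.

```powershell
# Added example: report synced users whose cloud password can never expire and,
# optionally, remove DisablePasswordExpiration from their PasswordPolicies.
# Run with -ReportOnly first, then -WhatIf, then for real.
# Assumes the Microsoft.Graph.Users module is installed.
Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes User.ReadWrite.All

function Repair-SyncedUserPasswordPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [switch]$ReportOnly,
        [string]$CsvPath    # optional: write affected users to CSV as a change record
    )

    # onPremisesSyncEnabled is filterable server-side; PasswordPolicies is not, so it is
    # requested as a property and filtered client-side. Neither is in the default set.
    $synced = Get-MgUser -All -Filter "onPremisesSyncEnabled eq true" `
        -Property Id, UserPrincipalName, OnPremisesSyncEnabled, PasswordPolicies

    # The attribute can hold several comma-separated flags, so match the token, not the whole string
    $affected = @($synced | Where-Object { $_.PasswordPolicies -match 'DisablePasswordExpiration' })

    Write-Host ("Synced users: {0}; with DisablePasswordExpiration: {1}" -f @($synced).Count, $affected.Count)

    if ($CsvPath) {
        $affected | Select-Object UserPrincipalName, PasswordPolicies |
            Export-Csv -Path $CsvPath -NoTypeInformation
    }

    if ($ReportOnly) { return $affected }

    foreach ($u in $affected) {
        # Drop only the expiration flag; keep any other flag the account carries
        $remaining = @(($u.PasswordPolicies -split ',\s*') | Where-Object { $_ -ne 'DisablePasswordExpiration' })
        $newValue  = if ($remaining.Count -gt 0) { $remaining -join ', ' } else { 'None' }

        if ($PSCmdlet.ShouldProcess($u.UserPrincipalName, "Set PasswordPolicies to '$newValue'")) {
            try {
                Update-MgUser -UserId $u.Id -PasswordPolicies $newValue
                [pscustomobject]@{ UserPrincipalName = $u.UserPrincipalName; NewValue = $newValue; Result = 'Updated' }
            } catch {
                [pscustomobject]@{ UserPrincipalName = $u.UserPrincipalName; NewValue = $newValue; Result = "Failed: $($_.Exception.Message)" }
            }
        }
    }
}

# 1. Report only, keeping a CSV of who would change
Repair-SyncedUserPasswordPolicy -ReportOnly -CsvPath .\synced-users-no-expiry.csv
# 2. Dry run of the updates
Repair-SyncedUserPasswordPolicy -WhatIf
# 3. Apply
Repair-SyncedUserPasswordPolicy
```

Because a synced user's next on-premise password change will also rewrite the attribute once the tenant feature is enabled, running the report a second time a few weeks later shows which accounts have neither been remediated nor changed their password, which is a useful stale-account signal in its own right.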

Also, once you enable this feature, users who are working remotely are likely to be prompted that their Microsoft Entra password has expired while they are not in a position to update their password on-premise.

In this event, it is essential that you have enforced strong MFA in your environment along with SSPR and password writeback for the best possible experience.

Summary

Thank you for taking the time to read my post. I hope by now you know the risks associated with leaving this feature in its default state and how to enable it in your organisation. If you are looking for more guides on Microsoft Entra Connect, I recommend you check out the following:

Daniel Bradley

My name is Daniel Bradley and I work with Microsoft 365 and Azure as an Engineer and Consultant. I enjoy writing technical content for you and engaging with the community. All opinions are my own.
