AD Password Change solutions?

Eaven HUANG 2,156

Dear Experts,

We are considering hardening our account security by enforcing a password change for users every 90 days. I noticed that in GPO, this policy is available under Computer Configuration only, so I'm a bit lost on how to implement this solution. I thought it should be applied to the user accounts directly?

In our scenario, we also use Office 365 and EntraID (formerly known as AAD), where users can reset their passwords online, and these changes are written back to our local DC. How can we connect these systems together to ensure a seamless password management experience?

Any advice and suggestions would be greatly appreciated.

1 answer

Marcin Policht 17,615 Reputation points MVP

2024-07-07T11:38:55.7333333+00:00

You apply it in the Default Domain Policy GPO. This will effectively enforce the configuration for all users in the domain (unless you also implement Fine Grained Password Policy). Details in https://activedirectorypro.com/how-to-configure-a-domain-password-policy/

For Entra ID, as per https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-policy

Password expiry duration (Maximum password age) Default value: 90 days. If the tenant was created after 2021, it has no default expiration value. You can check current policy with Get-MgDomain. The value is configurable by using the Update-MgDomain cmdlet from the Microsoft Graph module for PowerShell.|

If you already implement password writeback in Entra ID, then this is all that's required.

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin
Please sign in to rate this answer.
Eaven HUANG 2,156 Reputation points

2024-07-09T07:25:01.7566667+00:00

Hello Marcin,

Thanks for your comment. I'm quite confused but if we enforced some password policy in our on-prem AD then the policy will also be applied to the email login and all the SSO login methods on the cloud, why we still need another layer of password expiry policy on Entra ID, I thought all the policies will only be controlled by our on-prem DC.

Marcin Policht 17,615 Reputation points MVP

2024-07-09T12:02:02.18+00:00

That depends on whether you're using Password Hash Synchronization for your Entra Connect (or Cloud Sync). If so, the Entra tenant maintains its own set of credentials for users, which means users can change/reset their passwords in the Entra tenant (independently of their AD credentials). These would sync back to AD via writeback, but the fact remains that you'd want to make sure that the policy applies in both identity providers.

Besides, you would likely want to make sure that the same policy applies to cloud only user accounts as well.

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin
Sign in to comment

Share via

AD Password Change solutions?

1 answer