Enable CloudPasswordPolicyForPasswordSyncedUsersEnabled via Graph PowerShell module


In this article, we outline the steps to enable ‘CloudPasswordPolicyForPasswordSyncedUsersEnabled’ for synced users, using both the Microsoft Graph PowerShell module and the MSOnline module.

When you use password hash synchronization with Microsoft Entra Connect Sync, every user in sync scope is, by default, created in Entra ID with the DisablePasswordExpiration password policy (shown as ‘Never expire’ in the admin center). On the cloud side, neither the password expiration policy of your on-premises Active Directory nor the one configured in Microsoft 365 is applied to synced users: Entra ID keeps accepting the last synced password hash indefinitely.

You may not notice this until a user’s on-premises password expires and they can still sign in to cloud resources (office.com or any application tied to Entra ID) with the same, expired password. Nothing changes on the cloud side until the user actually sets a new password on-premises and the new hash is synced.

Check whether CloudPasswordPolicyForPasswordSyncedUsersEnabled is enabled on the tenant

Install the Microsoft Graph PowerShell SDK. The cmdlets used below (Get-MgDirectoryOnPremiseSynchronization and Update-MgDirectoryOnPremiseSynchronization) ship in the v1.0 module Microsoft.Graph.Identity.DirectoryManagement, which is part of the Microsoft.Graph meta-module; if you prefer the beta module, the equivalent cmdlets carry the MgBeta prefix (Get-MgBetaDirectoryOnPremiseSynchronization, Update-MgBetaDirectoryOnPremiseSynchronization).

Install-Module Microsoft.Graph -Repository PSGallery -Force

Connect to the directory with the permission (scope) required, using an account that holds the Hybrid Identity Administrator role (the least privileged role supported for this object) or Global Administrator. For reading the status, OnPremDirectorySynchronization.Read.All is sufficient.

[Screenshot: permissions listed for the Get-MgDirectoryOnPremiseSynchronization command]

Connect-MgGraph -Scopes "OnPremDirectorySynchronization.Read.All"

Run the following commands to view properties and relationships of the onPremisesDirectorySynchronization object.

$Status = Get-MgDirectoryOnPremiseSynchronization
$Status.Features | Format-List

If you have not made any changes, the output will look like the screenshot below: CloudPasswordPolicyForPasswordSyncedUsersEnabled has the default value ‘False’, which means Entra Connect stamps DisablePasswordExpiration (‘Never expire’) on the cloud account each time a user’s password hash is synced.

[Screenshot: CloudPasswordPolicyForPasswordSyncedUsersEnabled showing 'False']

Set CloudPasswordPolicyForPasswordSyncedUsersEnabled to ‘True’ using the Graph PowerShell module

Install the Microsoft Graph PowerShell SDK as above and connect again, this time with the write scope:

Connect-MgGraph -Scopes "OnPremDirectorySynchronization.ReadWrite.All"

Now run the following commands to set the feature so that synced users follow the cloud password expiration policy configured in Microsoft 365. Note that the flag to set is CloudPasswordPolicyForPasswordSyncedUsersEnabled; UserForcePasswordChangeOnLogonEnabled is a different feature (it carries the on-premises “user must change password at next logon” flag to the cloud) and does not affect expiration.

$OnPremSync = Get-MgDirectoryOnPremiseSynchronization
$OnPremSync.Features.CloudPasswordPolicyForPasswordSyncedUsersEnabled = $true

Update-MgDirectoryOnPremiseSynchronization -OnPremisesDirectorySynchronizationId $OnPremSync.Id -Features $OnPremSync.Features

Re-run Get-MgDirectoryOnPremiseSynchronization to confirm the value now reads ‘True’.

Make sure the password expiration policy in Microsoft 365 (the password validity period of your verified domains) matches your on-premises password policy. Once the feature is on, the cloud expires a synced user’s password independently, based on the user’s last password change date, so a shorter cloud lifetime will start prompting users before their on-premises password has expired.
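The following script, added here as an example and not part of the original post, compares the password validity period of each managed, verified Entra ID domain with the on-premises default domain password policy and, with -Align, sets the cloud value to match. It assumes the Microsoft.Graph.Identity.DirectoryManagement and RSAT ActiveDirectory modules are installed, that you have already run Connect-MgGraph -Scopes "Domain.ReadWrite.All", and that the account is a domain member able to read the AD policy. The 2147483647-day sentinel, the Managed/Federated filter and the treatment of MaxPasswordAge as “never” are assumptions documented in the comments.

```powershell
# Added example (not from the original post): check that the cloud password
# validity period matches the on-premises MaxPasswordAge before relying on
# CloudPasswordPolicyForPasswordSyncedUsersEnabled.
#Requires -Modules Microsoft.Graph.Identity.DirectoryManagement, ActiveDirectory

param(
    # With -Align, mismatching managed domains are updated to the on-premises value.
    [switch]$Align
)

# Assumption: Entra ID reports 2147483647 days when passwords never expire.
$NeverExpires = 2147483647

# On-premises: MaxPasswordAge is a TimeSpan. Depending on the module version a
# "never expires" policy surfaces as TimeSpan.Zero or as a huge TimeSpan, so
# treat both as "never" (assumption based on observed output).
$AdPolicy = Get-ADDefaultDomainPasswordPolicy
$OnPremDays = if ($AdPolicy.MaxPasswordAge -eq [TimeSpan]::Zero -or
                  $AdPolicy.MaxPasswordAge.TotalDays -gt 36500) {
    $NeverExpires
} else {
    [int]$AdPolicy.MaxPasswordAge.TotalDays
}
Write-Host ("On-premises default domain policy: MaxPasswordAge = {0} days" -f $OnPremDays)

# Only managed (non-federated), verified domains have a cloud password policy that
# matters for password hash sync users.
$Domains = Get-MgDomain | Where-Object { $_.IsVerified -and $_.AuthenticationType -eq 'Managed' }

foreach ($Domain in $Domains) {
    $CloudDays = $Domain.PasswordValidityPeriodInDays
    $Status = if ($CloudDays -eq $OnPremDays) { 'MATCH' } else { 'MISMATCH' }
    Write-Host ("{0}: cloud validity = {1} days, notification window = {2} days -> {3}" -f
        $Domain.Id, $CloudDays, $Domain.PasswordNotificationWindowInDays, $Status)

    if ($Status -eq 'MISMATCH' -and $Align) {
        # Update-MgDomain writes the domain's passwordValidityPeriodInDays property.
        Update-MgDomain -DomainId $Domain.Id -PasswordValidityPeriodInDays $OnPremDays
        Write-Host ("  -> set {0} to {1} days" -f $Domain.Id, $OnPremDays)
    }
}
```

Run it without -Align first; the report alone tells you whether enabling the feature will start expiring cloud sessions on a different schedule from the on-premises one.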

There is a catch.

If you perform the steps above before the initial synchronization via Entra Connect (Azure AD Connect), every user is synced with their password expiration set to follow the cloud password policy from the start.

However, if you enable the feature after the initial synchronization (it does not matter whether that was 1 day or 2 years ago), Entra ID does not go back through every existing synced user and remove the ‘Never expire’ (DisablePasswordExpiration) flag. The flag is only removed for a user the next time their password is changed on-premises, i.e. on the next password hash sync for that user. Until then, those users keep a non-expiring cloud password even though the feature shows ‘True’.

You can force a password change for all users on-premises and let the next sync fix every account. I will not be covering the steps to force user passwords to be changed via PowerShell in this article. I will keep it for another blog post.
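Whichever way you handle the existing accounts, you need a list of the synced users that are still flagged. The script below is an added example, not code from the original post: it enumerates synced users whose cloud account still carries DisablePasswordExpiration, reports how old each password already is, and with -Clear removes the flag directly by setting PasswordPolicies to None (the Graph equivalent of the old Set-MsolUser -PasswordNeverExpires $false), as an alternative to forcing an on-premises password change. It assumes Microsoft.Graph.Users is installed, that you connected with Connect-MgGraph -Scopes "User.ReadWrite.All" (User.Read.All suffices for the report), and that -ValidityDays is set to your cloud validity period; the hypothetical -ValidityDays default of 90 is only there to flag users whose password is already older than the policy.

```powershell
# Added example (not from the original post): audit synced users still marked
# DisablePasswordExpiration after CloudPasswordPolicyForPasswordSyncedUsersEnabled
# was turned on, and optionally clear the flag without waiting for the next sync.
#Requires -Modules Microsoft.Graph.Users

param(
    # Without -Clear the script only reports.
    [switch]$Clear,
    # Cloud password validity period (assumed value; set it to your domain's
    # PasswordValidityPeriodInDays). Users whose password is older than this will
    # be expired by the cloud as soon as the flag is removed.
    [int]$ValidityDays = 90
)

$Flag = 'DisablePasswordExpiration'

# onPremisesSyncEnabled eq true restricts the query to accounts written by Entra
# Connect. PasswordPolicies and LastPasswordChangeDateTime are not returned by
# default and must be requested with -Property.
$Synced = @(Get-MgUser -All -Filter 'onPremisesSyncEnabled eq true' `
    -Property Id, UserPrincipalName, PasswordPolicies, LastPasswordChangeDateTime, AccountEnabled)

# PasswordPolicies is a comma-separated string, e.g. "DisablePasswordExpiration, DisableStrongPassword".
$Flagged = @($Synced | Where-Object { $_.PasswordPolicies -and $_.PasswordPolicies.Contains($Flag) })

Write-Host ("{0} synced users, {1} still flagged {2}" -f $Synced.Count, $Flagged.Count, $Flag)

$Now = (Get-Date).ToUniversalTime()
foreach ($User in $Flagged) {
    # LastPasswordChangeDateTime on a synced user reflects the on-premises pwdLastSet.
    $AgeDays = if ($User.LastPasswordChangeDateTime) {
        [int]($Now - $User.LastPasswordChangeDateTime).TotalDays
    } else { -1 }
    $Note = if ($AgeDays -ge $ValidityDays) { 'would expire immediately after clearing' } else { 'within policy' }
    Write-Host ("{0}  enabled={1}  policies='{2}'  password age={3}d  {4}" -f
        $User.UserPrincipalName, $User.AccountEnabled, $User.PasswordPolicies, $AgeDays, $Note)

    if ($Clear) {
        # 'None' removes DisablePasswordExpiration; from now on the cloud policy
        # applies from the user's last password change date.
        Update-MgUser -UserId $User.Id -PasswordPolicies 'None'
        Write-Host ("  -> cleared {0} on {1}" -f $Flag, $User.UserPrincipalName)
    }
}
```

Run the report first and look at the password ages: clearing the flag in bulk on a Friday evening for users whose passwords are already past the validity period will lock every one of them out of cloud resources until they change their on-premises password, so stage the -Clear run by department or by password age.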

Steps to set syncing user password expire to follow cloud policy using MSOnline PowerShell module

Before going into this, please note that the MSOnline PowerShell module is deprecated. According to Microsoft’s documentation at the time of writing, it will continue to work until March 30, 2025.

Step 1: Install the module

Install-Module MSOnline

Step 2: Connect using a Global Administrator account in Entra ID.

Connect-MsolService 

Step 3: Check the current status of the EnforceCloudPasswordPolicyForPasswordSyncedUsers flag

Get-MsolDirSyncFeatures

Step 4: Now run the commands to enable the EnforceCloudPasswordPolicyForPasswordSyncedUsers feature

Set-MsolDirSyncFeature -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers -Enable $true

You may now run step 3 again to check the status of the flag. I know, much simpler than the Graph module – you will be missed, MSOnline module!
