Scroll Top
Evotec Services sp. z o.o., ul. Drozdów 6, Mikołów, 43-190, Poland
+48 502 469 760
contact@evotec.pl

AzureAD – Enable Password Expiration with Password Hash Synchronization

AzureAD – Enable Password Expiration with Password Hash Synchronization
img_5e5255c051763
By Przemyslaw Klys Active Directory Azure AD PowerShell February 24, 2020

Azure AD Connect allows three ways to make sure the user password is the same in Active Directory and Office 365. Those are Password Hash Sync, Pass-Thru Authentication, and ADFS. While my preferred option to go with would be Pass-Thru Authentication, only Password Hash Synchronization is the easiest and least resource-intensive. It synchronizes user password to Office 365, and even if your Active Directory is down, you can still log in to Office 365. It's perfect for small and even more significant companies that don't have resources or can't guarantee that their infrastructure will stay 100% time online so users can authenticate based on their Active Directory.

Password Hash Synchronization - Why it's a problem?

While password hash synchronization works great, it had one huge drawback. It sets the password to never expire in Office 365 regardless of what you've set up in your Active Directory. While it may not be a massive problem for some companies, it's not the same for all of them. Recent Microsoft recommendations are saying that you should set your Passwords to Never Expire, use complicated passwords and MFA (Multi-Factor Authentication). However, just because Microsoft says so doesn't mean internal rules and country laws do not require differently. If that wasn't enough, there's also another issue. If your password expires in Active Directory, it doesn't expire in Office 365. This means that while your user can't log in to Active Directory resources, he/she can still use Office 365.

Password Hash Synchronization - How to make passwords expire?
Public Preview
Please keep in mind features described here, while working are in Public Preview. It's unlikely Microsoft will remove it, but keep this in mind.

Till some time ago, there was no hope for a change, but it seems Microsoft has enhanced Password Hash Synchronization functionality. It's not readily available, and you can't just press a button in Azure AD Connect and have it enabled. You can use PowerShell to do so instead. As you can see below, there's a new option called EnforceCloudPasswordPolicyForPasswordSyncedUsers. By default, it's disabled.

Knowing this feature exists we can enable it.

Set-MsolDirSyncFeature -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers -Enable $true

Now that we've enabled password policy for password synchronized users we can verify per user settings

Get-AzureADUser | Select-Object DirSyncEnabled, PasswordPolicies, AccountEnabled

As you see, by default, the PasswordPolicy for synchronized users is still DisablePasswordExpiration. In our case we need to set it to None.

Get-AzureADUser -All $true | Where-Object { $_.DirSyncEnabled -eq $true -and $_.PasswordPolicies -eq 'DisablePasswordExpiration' } | ForEach-Object {
    Set-AzureADUser -ObjectId $_.ObjectID -PasswordPolicies None
}

Keep in mind that in some cases having PasswordNeverExpire may be required (service accounts or similar). Make sure that you modify the code above to accommodate that for your environment.

Just in case you want to verify what is the password policy applied to your users, following PowerShell command will show you the required details

Get-MsolPasswordPolicy –DomainName evotec.pl
Przemyslaw Klys / About Author
System Architect with over 14 years of experience in the IT field. Skilled, among others, in Active Directory, Microsoft Exchange and Office 365. Profoundly interested in PowerShell. Software geek.
More posts by Przemyslaw Klys

Related Posts

ConvertTo-HTML
Solving typo problems with Fuzzy Search in PSWriteHTML
One of the everyday use cases with PSWriteHTML is to create a simple view of PowerShell data in a table. While PowerShell comes with a built-in cmdlet ConvertTo-Html, it’s basic in its functionality. It makes an HTML representation of PowerShell data, but it brings no CSS, JavaScript, or other functionality. While for some use cases, it’s enough, the other times, you need to make an effort to make it usable.
29 Nov 2021
Formatting and minifying resources (HTML, CSS, JavaScript) with PowerShell
When you work with HTML, CSS, and JavaScript, you often meet three versions on how those are stored in files – minified, formatted, somewhere in the middle (usually a total mess). I have all three versions in my PSWriteHTML module. Some are minified 3rd party resources, some are generated by my PowerShell commands (and are a total mess when it comes to formatting), and finally, some are formatted resources by using built-in VSCode features. In whatever form they are, they generally have no impact on how browsers display them. Browsers will read them in any kind and not care for how they look.
11 Aug 2019
PowerBGInfo
PowerBGInfo – PowerShell alternative to Sysinternals BGInfo
When I created ImagePlayground, I thought about how to show its usefulness to the general community. On how to deliver what PowerShell can do. Then I saw on some forum people asking BGInfo to expand and allow running PowerShell scripts so that the data on the BGInfo Wallpaper can be gathered from PowerShell rather than VBS. I thought this was a great idea to create BGInfo using PowerShell without the necessity of using BGInfo at all.
01 Jan 2023
Dashimo
Meet Dashimo – PowerShell Generated Dashboard
Today I wanted to introduce a little product that I’ve created in the last few weeks called Dashimo. It doesn’t cover everything I wanted from it (feature wise), but it already can be used in production. Therefore, I thought it would be a good idea to get some feedback on whether I should spend some more time on it or throw it in the dumpster. Dashimo joins it’s older brother Statusimo of PowerShell modules allowing an easy way to build HTML output. If it will feel familiar, it’s because it was inspired with Bradley Wyatt PowerShell script he did. It gave me the idea of how I would like to build something similar but in a bit different way then he did, with much more flexibility. Still, if it wasn’t for him, the idea wouldn’t be there, therefore you should send him your thanks.
01 Apr 2019
PSWritePDF
Merging, splitting and creating PDF files with PowerShell
We’re in the last days of 2019, and this will be my last blog post this year. What better way to end a good year than with the release of the new PowerShell module. If the title of today’s blog post isn’t giving it up yet, I wanted to share a PowerShell module called PSWritePDF that can help you create and modify (split/merge) PDF documents. It joins my other PowerShell modules to create different types of documents such as PSWriteWord, PSWriteExcel, PSWriteHTML. I know that PSWriteExcel is relatively basic, but both PSWriteHTML and PSWriteWord deliver robust build capabilities.
29 Dec 2019
Strengthening Password Security in Active Directory: A PowerShell-Powered Approach
PasswordSolution uses the DSInternals PowerShell module to gather Active Directory hashes and then combines that data into a prettified report. If you have ever used DSInternals, you know that while very powerful, it comes with raw data that is hard to process and requires some skills to get it into a state that can be shown to management or security.
28 May 2023
Preparing Azure App Registrations permissions for Office 365 Service Health
As you may have seen in my other post, there’s a simple, PowerShell way to get Office 365 Health Service data for you to use any way you like it. But before you can use that, you need to register granular permissions on your Office  365 tenant so that that data is provided to you. Here’s a step by step way to do it.
22 Apr 2019
Import-PSSession
Office 365 – Using dynamic variable as prefix for Office 365 commands
29 Oct 2018
MicrosoftExchange
Exchange 2013 powershell errors out, and Exchange 2013 ECP doesn’t work correctly
0
22 Mar 2015
Azure Health
Getting Azure Health by parsing HTML using PSParseHTML
Some time ago I’ve wrote PowerShell way to get all information about Office 365 Service Health, and if you were thinking that I would try the same concept for Azure Services you were right. However, I failed. This is because Office 365 Health can be gathered using Microsoft Graph API, and Azure Health information, as far as I know, is not available in the form I wanted it. Azure Status is available as part of Azure Status website. Contrary to Office 365 health you don’t have to login to your Office 365 tenant to read it.
08 Dec 2019
Track Ubiquiti Unifi Stock, and get notified of changes
I am a pretty big fan of Ubiquiti and their Unifi products line. Whether it’s network equipment or their camera systems, Unifi Protect, I have it all, and I’m pretty happy with how it works. However, over the last two years, some of their stocks in the store were very hard to find. For example, I’ve searched for Unifi Protect G4 Doorbell Pro for over six months. I’ve tried local shops all around Europe, even in the Ubiquiti Europe store, to never found any of them.
16 Apr 2023
Office 365 Health Service
Office 365 Health Service using PowerShell
Two years ago, I wrote a PowerShell module called PSWinDocumentation.O365HealthService. The idea was simple – replicate Health Service data Microsoft offers in Office Portal so you can do with data whatever you want and display it however you like. I’ve written about it in this blog post. A few weeks back, someone reported that the module stopped working, and  I’ve confirmed it indeed no longer works! Initially, I thought that maybe some data format changed, as it changed multiple times, or perhaps the date format was wrong again, but no. Microsoft has deprecated Office 365 Service Communications API reference and instead tells us that Service Health is now only available via Microsoft Graph API. Is it only me who didn’t get the memo about this?
14 Feb 2022
Monitoring LDAPS connectivity/certificate with PowerShell
Some time ago, I wrote a blog post on checking for LDAP, LDAPS, LDAP GC, and LDAPS GC ports with PowerShell. It mostly works, but it requires a tad bit of effort, and it doesn’t cover the full scope that I wanted. Recently (well over 3 years ago), Chris Dent shared some code that verifies the LDAP certificate, and I thought this would be good to update my cmdlets to support just that with a bit of my own magic on top.
02 Mar 2021
Microsoft Azure
Azure ADConnect Export Failed – Permission-issue error
0
08 Oct 2017
Markdown to HTML using PSWriteHTML
Seamless HTML Report Creation: Harness the Power of Markdown with PSWriteHTML PowerShell Module
In today’s digital age, the ability to create compelling and informative HTML reports and documents is a crucial skill for professionals in various fields. Whether you’re a data analyst, a system administrator, a developer, or simply someone who wants to present information in an organized and visually appealing manner, having the right tools at your disposal can make all the difference. That’s where the PSWriteHTML PowerShell module steps in, offering an array of possibilities to suit your reporting needs.
03 Sep 2023