As part of incident response, we very often reset the passwords of user accounts. This is commonly done by expiring the existing password, which is easy to do in bulk via PowerShell, for example, and has fewer negative consequences than actually resetting the password.

A common question in such a case is what happens to Microsoft Entra ID accounts when we set password expiration in Active Directory.

What happens to an Entra ID account when the account password expires in Active Directory

This is actually a very good and very important question to ask, especially for users whose computer is joined to Microsoft Entra ID and who therefore have no direct connection to Active Directory or a local account at all.

By default, the expiration of the local (on-premises) password is not reflected in the Microsoft Entra ID password. The password for a synced Microsoft Entra ID account is set to Never Expire. This means that even if the password in the local Active Directory expires, it is still possible to log in to Microsoft Entra ID without any problems using the old password.

There are two scenarios that can trigger the need to change a password: either a regular rotation because the locally configured password validity period has run out, or a forced change made by checking the "User must change password at next logon" option. Neither is reflected in Microsoft Entra ID accounts by default, because their passwords are set to Never Expire.

Password expiration policy

Let’s first take a look at how to affect the standard password expiration policy. That is, a policy that says that the password expires after 90 days, for example.

In order for the password expiration policy setting to be reflected in Microsoft Entra ID, you need to enable CloudPasswordPolicyForPasswordSyncedUsersEnabled. This will ensure that Microsoft Entra ID accounts are subject to the password expiration policy, which is ignored by default for synced accounts. To enable the feature, we can use the following Graph PowerShell:

It is important to keep in mind that the above PowerShell does not change the policy for individual users, but changes the Microsoft Entra ID settings in general. It may therefore take some time to apply to existing accounts, because the setting is applied during the password synchronization process for each account, which is triggered by a password change event for that account. For new accounts, the setting takes effect immediately, as they are synchronized right after they are created.

For the above reason, it’s a good idea to set up the policy before you sync Microsoft Entra Connect for the first time.

And there is one more limitation – the password expiration policy is not taken automatically from Active Directory, but the setting only allows the password to expire for Microsoft Entra ID accounts. This means that if you have a password expiration policy set to 90 days locally and you want to have the same policy for Microsoft Entra ID accounts, you must set the same password expiration in Microsoft Entra ID. Password expiration for Microsoft Entra ID accounts is set in the Microsoft 365 admin portal under Settings – Org settings – Security & Privacy – Password expiration policy.

Force password change on next logon

Now we come to the second scenario, which is typical for incident response, where a change is required at the next login.

In order for temporary passwords to work when the “Force password change on next logon” option is checked, it is necessary to enable the ForcePasswordChangeOnLogOn feature by running the following command on the Microsoft Entra Connect server.
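
The two feature switches named above, CloudPasswordPolicyForPasswordSyncedUsersEnabled from the password expiration section and ForcePasswordChangeOnLogOn from this one, can be checked and enabled as follows. This is an added example built on Microsoft's Graph PowerShell and ADSync cmdlets, not the article's original code; it assumes the Microsoft Graph PowerShell module on an admin workstation and an elevated session on the Microsoft Entra Connect server.

```powershell
# Added example, not the article's original code.

# --- Part 1: tenant-wide switch (any workstation with Microsoft Graph PowerShell) ---
# Assumption: the signed-in admin can consent to this scope.
Connect-MgGraph -Scopes 'OnPremDirectorySynchronization.ReadWrite.All'

# Read the current on-premises synchronization settings of the tenant.
$sync = Get-MgDirectoryOnPremiseSynchronization

# Only write when the feature is still disabled, so the script is safe to re-run.
if (-not $sync.Features.CloudPasswordPolicyForPasswordSyncedUsersEnabled) {
    $sync.Features.CloudPasswordPolicyForPasswordSyncedUsersEnabled = $true
    Update-MgDirectoryOnPremiseSynchronization `
        -OnPremisesDirectorySynchronizationId $sync.Id `
        -Features $sync.Features
}

# Read the value back from the service instead of trusting the local object.
(Get-MgDirectoryOnPremiseSynchronization).Features |
    Select-Object CloudPasswordPolicyForPasswordSyncedUsersEnabled

# --- Part 2: run in an elevated session on the Microsoft Entra Connect server ---
# The ADSync module is installed together with Microsoft Entra Connect.
Import-Module ADSync

# Enable synchronization of the "must change password at next logon" state
# only if it is not enabled yet.
if (-not (Get-ADSyncAADCompanyFeature).ForcePasswordChangeOnLogOn) {
    Set-ADSyncAADCompanyFeature -ForcePasswordChangeOnLogOn $true
}

# Confirm the resulting state.
Get-ADSyncAADCompanyFeature | Select-Object ForcePasswordChangeOnLogOn
```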

Final notes

It’s important to keep in mind that in order for the password change from the cloud to work correctly, you must have Self-Service Password Reset (SSPR) and password writeback enabled.