Monday, November 9, 2020

Cloud Password Expiration Policy with Synchronized Users - O365

 

Here are the steps to enable password expiration for users in Office 365, both synchronized and non-synchronized. No on-prem policy and no on-prem user will be touched.

Synchronized users can also be made to obey the expiration policy in the cloud.

 

So, I suggest first enabling the password expiration policy for cloud users and then enabling password expiration for Office 365 synchronized users.

The result is that both non-synced cloud users and synced Office 365 users will obey the expiration policy. Synced users will have to change their password in on-prem Active Directory. If you have the password writeback feature enabled, they will also be able to change the password online.

 

Enable Password Expiration for Cloud Users

To enable password expiration for cloud users, see the screenshot below:

* Note that this will only affect new cloud users. Synced users and existing cloud users won't be affected.

 



 

To make the passwords of existing cloud users expire, you need to run a command for each cloud user:

Set-MsolUser -UserPrincipalName user@domain.onmicrosoft.com -PasswordNeverExpires:$False -StrongPasswordRequired:$True

 

 

Enable Password Expiration for Office 365 Synchronized Users

To enable password expiration in Office 365 for synchronized users, run the following command at a PowerShell prompt on the Azure AD Connect server:

Set-MsolDirSyncFeature -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers

                Enable: Yes

 

After you run the above command, and once the users change their password on-prem, their cloud password will start to expire as described in the “Enable Password Expiration for Cloud Users” section above.
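The two steps above can be checked and applied in bulk. The script below is an added example, not part of the original post: it confirms the DirSync feature state, clears PasswordNeverExpires on existing cloud-only users, and lists synced users who still do not expire because they have not yet changed their password on-prem. It assumes the MSOnline module, that an empty LastDirSyncTime identifies a cloud-only user, and a hypothetical exclusion list ($exclude) for accounts such as break-glass admins.

```powershell
# Added example (not from the original post). Assumes the MSOnline module is
# installed and the signed-in account may read and update users.
Import-Module MSOnline
Connect-MsolService

$Apply   = $false   # report only; set to $true to actually change users
$exclude = @('breakglass@domain.onmicrosoft.com')   # hypothetical accounts to skip

# 1. Confirm the directory-wide feature from the step above.
$feature = Get-MsolDirSyncFeatures -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers
'{0} enabled: {1}' -f $feature.DirSyncFeature, $feature.Enabled

# 2. Split member accounts into cloud-only and synced.
#    Assumption: a user with no LastDirSyncTime was never synced from on-prem AD.
$members   = Get-MsolUser -All | Where-Object { $_.UserType -eq 'Member' }
$cloudOnly = $members | Where-Object { -not $_.LastDirSyncTime }
$synced    = $members | Where-Object { $_.LastDirSyncTime }

# 3. Existing cloud-only users whose password never expires: apply the
#    per-user command from the post to each one (only when $Apply is $true).
$targets = $cloudOnly | Where-Object {
    $_.PasswordNeverExpires -and ($_.UserPrincipalName -notin $exclude)
}
$cloudReport = foreach ($u in $targets) {
    if ($Apply) {
        Set-MsolUser -UserPrincipalName $u.UserPrincipalName `
            -PasswordNeverExpires:$false -StrongPasswordRequired:$true
    }
    [pscustomobject]@{
        UserPrincipalName  = $u.UserPrincipalName
        LastPasswordChange = $u.LastPasswordChangeTimestamp
        Changed            = $Apply
    }
}
$cloudReport | Format-Table -AutoSize

# 4. Synced users still flagged as never expiring: these have not changed
#    their on-prem password since the feature was enabled.
$synced |
    Where-Object { $_.PasswordNeverExpires } |
    Sort-Object LastPasswordChangeTimestamp |
    Select-Object UserPrincipalName, LastPasswordChangeTimestamp |
    Format-Table -AutoSize
```

Run it first with $Apply left at $false and review the report before changing any account.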

 

Usefulness

=========================

You get the best of it when you align your Local AD Password Expiration with Office 365 Password Expiration Policy and have Password Write Back configured.

 

 

Documents

=========================

Set the password expiration policy for your organization

https://docs.microsoft.com/en-us/microsoft-365/admin/manage/set-password-expiration-policy?view=o365-worldwide

 

Password expiration policy

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-password-hash-synchronization#password-expiration-policy

 

Tutorial: Enable Azure Active Directory self-service password reset writeback to an on-premises environment

https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr-writeback

 
