In hybrid environments, where we work with both on-premises Active Directory and Entra ID, various issues can arise. These problems can range in severity – from minor user synchronization inconsistencies to more complex architectural challenges.
Today, I want to focus on a serious security gap – one that, if left unaddressed, could expose the environment to significant risk.
When managing user identities, we know that multiple policies govern their accounts. These include rules related to account lifetime, password complexity, and password expiration. The last one, password expiration, is especially important in hybrid environments.
Here’s the issue: when users are synchronized from on-premises Active Directory to Entra ID, the password policies applied in AD are not synchronized to the cloud. This creates a potential security gap.
Imagine a user whose password has expired in the on-premises Active Directory. In theory, that account should be locked out until the password is updated. However, in practice, the user’s password in Entra ID remains active. As a result, the same user can still access all connected cloud applications – even though their on-premises password has expired.
That’s a significant security risk that deserves immediate attention. So what can be done?
By default, for accounts synchronized from on-premises AD to Azure, the Password policies setting is configured as Disable Password Expiration. This means that synchronized passwords never expire in the cloud. To change this behavior, it's necessary to enable the feature called CloudPasswordPolicyForPasswordSyncedUsersEnabled. It allows Microsoft Entra ID to apply its own password policies, such as expiration and lockout, to users whose passwords are synchronized from on-premises Active Directory.
By enabling this feature, you ensure that on-premises password rules and Microsoft Entra password policies remain consistent for synchronized users.
If you have synchronized users who primarily use Microsoft Entra integrated services and need to comply with password expiration requirements, activating the CloudPasswordPolicyForPasswordSyncedUsersEnabled feature enforces your Entra password expiration policy for those accounts.
To check which value is set in the PasswordPolicies attribute, you can go to Azure Portal, choose one user and check the account properties:

You can also use PowerShell with the Microsoft Graph modules:
Connect-MgGraph -Scopes "User.ReadWrite.All"
(Get-MgUser -UserId "<UPN or Object ID>" -Property PasswordPolicies).PasswordPolicies
To enable the CloudPasswordPolicyForPasswordSyncedUsersEnabled feature, you should run the following commands also using Microsoft Graph modules:
Connect-MgGraph -Scopes "OnPremDirectorySynchronization.ReadWrite.All"
$OnPremSync = Get-MgDirectoryOnPremiseSynchronization
$OnPremSync.Features.CloudPasswordPolicyForPasswordSyncedUsersEnabled = $true
Update-MgDirectoryOnPremiseSynchronization -OnPremisesDirectorySynchronizationId $OnPremSync.Id -Features $OnPremSync.Features
Note that if you decide to enable this feature, it will be enabled for the whole tenant. You cannot scope it to a subset of accounts for testing.
Once the CloudPasswordPolicyForPasswordSyncedUsersEnabled feature is activated, Microsoft Entra ID does not immediately remove the DisablePasswordExpiration flag from the PasswordPolicies attribute for existing synchronized users.
This value is cleared only after the next password hash synchronization, which occurs when the user changes their password in the on-premises Active Directory.
In addition, newly synchronized users will no longer have the PasswordPolicies attribute set in the cloud.
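Because existing synchronized users keep the DisablePasswordExpiration flag until their next password change, it is useful to know which accounts are still exempt and which ones Entra ID will now treat as expired. The following script is an added example (not from the original post or Microsoft's documentation); it assumes the Microsoft Graph PowerShell SDK, uses the placeholder "<domain name>" for your verified domain, and falls back to the tenant default of 90 days when no validity period is set on that domain.

```powershell
# Added example: audit synchronized users after enabling the tenant feature.
# Read-only scopes are enough here; the post's commands use ReadWrite scopes for the changes.
Connect-MgGraph -Scopes "User.Read.All", "Domain.Read.All", "OnPremDirectorySynchronization.Read.All"

# Tenant-wide feature state (the switch the post enables)
$sync      = Get-MgDirectoryOnPremiseSynchronization
$featureOn = [bool]$sync.Features.CloudPasswordPolicyForPasswordSyncedUsersEnabled

# Entra password validity period for the domain ("<domain name>" is a placeholder).
# Assumption: an unset value means the tenant default of 90 days.
$domain       = Get-MgDomain -DomainId "<domain name>"
$validityDays = if ($domain.PasswordValidityPeriodInDays) { $domain.PasswordValidityPeriodInDays } else { 90 }

# Only accounts that come from on-premises AD are affected by the feature
$users = Get-MgUser -All -Filter "onPremisesSyncEnabled eq true" `
    -Property Id,UserPrincipalName,AccountEnabled,PasswordPolicies,LastPasswordChangeDateTime

$now    = (Get-Date).ToUniversalTime()
$report = foreach ($u in $users) {
    # PasswordPolicies may hold several comma-separated values, e.g. "DisablePasswordExpiration, DisableStrongPassword"
    $policies     = @(($u.PasswordPolicies -split ',') | ForEach-Object { $_.Trim() })
    $neverExpires = $policies -contains 'DisablePasswordExpiration'
    $ageDays      = if ($u.LastPasswordChangeDateTime) { ($now - $u.LastPasswordChangeDateTime).Days } else { $null }

    [pscustomobject]@{
        UserPrincipalName   = $u.UserPrincipalName
        AccountEnabled      = $u.AccountEnabled
        StillExemptInCloud  = $neverExpires          # flag not yet cleared by a password hash sync
        PasswordAgeDays     = $ageDays
        # Entra will require a change only if the feature is on, the flag is gone and the password is older than the period
        ExpiredByEntraPolicy = ($featureOn -and -not $neverExpires -and $null -ne $ageDays -and $ageDays -gt $validityDays)
    }
}

"Feature enabled: $featureOn; validity period: $validityDays days; synced users: $($users.Count)"
"Still exempt (DisablePasswordExpiration present): $(@($report | Where-Object StillExemptInCloud).Count)"
"Now subject to and past the Entra expiration period: $(@($report | Where-Object ExpiredByEntraPolicy).Count)"

# Full list for follow-up, e.g. to plan the password changes the post recommends communicating
$report | Sort-Object StillExemptInCloud, PasswordAgeDays -Descending | Export-Csv -Path .\synced-password-audit.csv -NoTypeInformation
```

Run it once before enabling the feature to see how many passwords are already older than the validity period, since those users will be prompted to change their password as soon as their DisablePasswordExpiration flag is cleared.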
Tip: Make sure to communicate this behavior to your users and plan password updates accordingly to ensure policy alignment.
Remember that turning on CloudPasswordPolicyForPasswordSyncedUsersEnabled does not automatically import or replicate your on-premises Active Directory password policies into Microsoft Entra ID.
You’ll still need to manually configure Azure AD’s password expiration settings to align with your on-premises policy (if they aren’t already consistent).
This feature simply ensures that Microsoft Entra ID enforces its own configured password policies for synchronized users; it doesn't copy or inherit rules from your local AD. To update the Microsoft Entra password policy, you can use the following command:
Update-MgDomain -DomainId "<domain name>" -PasswordValidityPeriodInDays <Int32> [-PasswordNotificationWindowInDays <Int32>]
What about the on-premises service accounts with the "Password never expires" flag? If their passwords are not changed after the CloudPasswordPolicyForPasswordSyncedUsersEnabled feature is enabled, they will not be affected by the policy. But if you want to be sure that their password remains unchanged, you must manually set the DisablePasswordExpiration flag on those accounts in Entra ID after enabling the feature, using the command:
Update-MgUser -UserId "<UPN or Object ID>" -PasswordPolicies "DisablePasswordExpiration"
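When exempting several service accounts, the one-liner above overwrites the whole PasswordPolicies attribute, which silently drops any other value already present (such as DisableStrongPassword). The script below is an added example (not from the original post); it assumes the Microsoft Graph PowerShell SDK and a constructed list of service account UPNs with "<domain name>" as a placeholder, merges the flag into the existing values, skips accounts that are not synchronized or already exempt, and reads the attribute back to confirm the change.

```powershell
# Added example: pin DisablePasswordExpiration on synchronized service accounts without losing other policy values.
Connect-MgGraph -Scopes "User.ReadWrite.All"

# Constructed list of service account UPNs; replace with your own
$serviceAccounts = @("svc-backup@<domain name>", "svc-scanner@<domain name>")

foreach ($upn in $serviceAccounts) {
    $u = Get-MgUser -UserId $upn -Property Id,UserPrincipalName,OnPremisesSyncEnabled,PasswordPolicies

    # Cloud-only accounts are governed by the Entra policy regardless of the sync feature; leave them alone
    if (-not $u.OnPremisesSyncEnabled) {
        Write-Warning "$upn is not synchronized from on-premises AD; skipping"
        continue
    }

    # Keep existing values (e.g. DisableStrongPassword) and ignore the "None" marker
    $policies = @(($u.PasswordPolicies -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ -and $_ -ne 'None' })
    if ($policies -contains 'DisablePasswordExpiration') {
        Write-Host "$upn already has DisablePasswordExpiration; nothing to do"
        continue
    }

    $policies += 'DisablePasswordExpiration'
    Update-MgUser -UserId $u.Id -PasswordPolicies ($policies -join ', ')

    # Read back so the exemption is verified rather than assumed
    $after = (Get-MgUser -UserId $u.Id -Property PasswordPolicies).PasswordPolicies
    if (($after -split ',' | ForEach-Object { $_.Trim() }) -contains 'DisablePasswordExpiration') {
        Write-Host "$upn now exempt: PasswordPolicies = '$after'"
    } else {
        Write-Warning "$upn update did not apply; PasswordPolicies = '$after'"
    }
}
```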
If enabling this feature leads to unexpected issues or if your organization decides to revert the change, you can easily roll back. Rolling back simply involves disabling the CloudPasswordPolicyForPasswordSyncedUsersEnabled feature. This restores the previous behavior, where synchronized users’ passwords no longer expire in Microsoft Entra ID.
To confirm the rollback, select a test user who was previously subject to password expiration and force a password change in on-premises Active Directory. After the next synchronization, check the user's PasswordPolicies attribute in Entra ID; it should now show DisablePasswordExpiration, indicating that Azure AD Connect has resumed setting the never-expire flag during sync.
This verification step confirms that the environment has successfully returned to its original configuration.
As you can see, in hybrid environments, enabling the CloudPasswordPolicyForPasswordSyncedUsersEnabled feature is crucial because it ensures consistent security policies between on-premises Active Directory and Microsoft Entra ID. This way, synchronized users follow the same password expiration and lockout rules as native cloud accounts.
This not only enhances security and compliance with organizational policies but also simplifies password management and reduces the risk of having users with passwords that never expire in the cloud.
All the commands are taken from: https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-password-hash-synchronization