Local AD password expiry not blocking Office 365 login (PHS + Writeback)
Posted by Kanolm@reddit | sysadmin | 30 comments
Hello everyone,
We have an on-premises AD synced with Entra ID via Entra Connect using Password Hash Synchronization (PHS) with Password Writeback enabled.
Self-Service Password Reset (SSPR) is also working fine for our users.
However, we've noticed an issue regarding password expiration: when a user's local password expires (based on our local Default Domain Policy GPO), they can still log in to Office 365 services (Outlook Web, Teams, etc.) without any issues.
It seems Entra ID is ignoring the "expired" state from the local AD.
How can we ensure that when a password expires locally, the user is also blocked from signing in to Office 365 until they change it?
Thanks in advance for your help!
ElectroSpore@reddit
Expiration and Password complexity rules really don't sync
You can't, but you can set the time for expiry to be the same for both separate systems.
https://admin.cloud.microsoft/
However, they keep changing how it works, so check the documentation for hybrid; it is always possible it has changed.
https://learn.microsoft.com/en-us/entra/identity/hybrid/
https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-sync-configure-filtering
Frothyleet@reddit
This is incorrect. There are two mechanisms - ADFS federation (do not do this) and pass-through-authentication (preferably with fallback to hash sync in case your on prem environment loses connectivity) using the Entra Connect agent (same one doing hash sync).
ElectroSpore@reddit
As you note, if you completely change your configuration to those other two methods it is possible, but there are many considerations.
Did pass-through always have a fallback option, or was that added later? We have been on AD sync for ages and are almost ready to go cloud / Entra ID only.
Frothyleet@reddit
Given the evolution of M365 over the years I couldn't tell you it was always an option, but it's been an option at least since before the Entra rebranding.
ElectroSpore@reddit
Well our config does pre-date that and I haven't had a reason to re-evaluate the primary auth method just the sync tool configurations.
Kanolm@reddit (OP)
Ok, I was on the same page, but it feels like a bit of an over-engineered mess.
DominusDraco@reddit
Are they signing in with a password, or is it just a token sign-in? Because the token is still valid, the already logged-in apps will stay signed in.
Kanolm@reddit (OP)
It's E1 application with web applications. So no token.
Frothyleet@reddit
He's talking about the session token (i.e. how long before MS forces your users to re-authenticate), not a FIDO token.
Prestigious-Fun-9680@reddit
Ugh, yeah, had this same issue after moving to PHS and found this Atera has a feature that lets you enforce password policies across environments, so Office 365 users get blocked until the password is updated.
Consistent_Buddy_698@reddit
Ugh, yeah, had this same issue after moving to PHS and found this Atera has a feature that lets you enforce password policies across environments, so Office 365 users get blocked until the password is updated.
get-msol@reddit
You're going to want Pass Through Authentication. This will get you forced expirations and things like account expiration.
slm4996@reddit
Technically correct answer, but the better answer usually involves no longer expiring passwords and ensuring strong / 2f authentication everywhere.
Pass-through and federated auth also don't always play nice with Entra-terminated SAML / SSO apps.
Kanolm@reddit (OP)
We can't enable MFA for some users because they don't have appropriate devices.
Gumbyohson@reddit
Buy everyone a yubikey or similar for like 50 dollars for anyone that doesn't have an appropriate device.
FalconDriver85@reddit
Ok, this is the first problem to solve. And it’s an HR problem.
Asleep_Spray274@reddit
May I ask why? What is the security benefit of blocking cloud access when an AD password expires? What security risk are you mitigating?
Kanolm@reddit (OP)
We can't enable MFA for some users because they don't have appropriate devices.
Asleep_Spray274@reddit
Syncing password expiration brings no mitigations for no MFA
trueppp@reddit
Why are you still making passwords expire in 2026?
Kanolm@reddit (OP)
We can't enable MFA for some users because they don't have appropriate devices.
Emotional_Garage_950@reddit
Buy them a hardware token.
Kanolm@reddit (OP)
Not always possible.
Emotional_Garage_950@reddit
our cybersecurity insurer requires it. stupid? yes…
bojack1437@reddit
The IRS still requires it if you deal with FTI..... Got to love it.
SolidKnight@reddit
I think you're looking for Enable CloudPasswordPolicyForPasswordSyncedUsersEnabled (Implement password hash synchronization with Microsoft Entra Connect Sync - Microsoft Entra ID | Microsoft Learn)
Traditional_Roll_606@reddit
Implement password hash synchronization with Microsoft Entra Connect Sync - Microsoft Entra ID | Microsoft Learn
Enable the "CloudPasswordPolicyForPasswordSyncedUsersEnabled" feature, set a matching password policy in the cloud and apply it.
HDClown@reddit
This is what you need to do OP, it requires both steps, setting the sync option AND setting the Entra password expiration policy to match.
Keep in mind that after you do this, nothing takes effect until the next time each user's AD password is changed. If you have users today with expired AD passwords who are only using Entra auth'd services, they will be able to keep using those Entra services after the above changes are made. You will need to make them do an AD password change to get this new behavior in place.
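A PowerShell walk-through of the two steps described above plus the per-user caveat, added here as an example; it is not code from the thread or from Microsoft. It assumes the Microsoft Entra PowerShell module (Connect-Entra, Get-/Set-EntraDirSyncFeature; the older MSOnline equivalent is Set-MsolDirSyncFeature) and Microsoft Graph PowerShell (Update-MgDomain, Get-MgUser); the domain contoso.com and the 90-day maximum age are placeholders to be replaced with your own verified domain and Default Domain Policy value. Note that the flag passed to the cmdlet is named EnforceCloudPasswordPolicyForPasswordSyncedUsers.

```powershell
# Added example, not from the thread. Cmdlet names assume the Microsoft Entra PowerShell module
# and Microsoft Graph PowerShell; adjust if your tenant still uses the MSOnline module.
$Domain             = 'contoso.com'   # assumption: the verified domain of the synced users
$MaxPasswordAgeDays = 90              # assumption: must equal the AD Default Domain Policy maximum age

Connect-Entra   -Scopes 'Directory.ReadWrite.All','Domain.ReadWrite.All','User.Read.All'
Connect-MgGraph -Scopes 'Domain.ReadWrite.All','User.Read.All'

# Step 1: turn on the tenant-wide directory-sync feature. Without it, every PHS-synced user is
# stamped with PasswordPolicies = DisablePasswordExpiration and Entra never expires the password.
$feature = Get-EntraDirSyncFeature -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers
if (-not $feature.Enabled) {
    Set-EntraDirSyncFeature -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers -Enable $true
}

# Step 2: set the cloud expiry window to match AD so both systems expire a password on the same day.
Update-MgDomain -DomainId $Domain `
    -PasswordValidityPeriodInDays $MaxPasswordAgeDays `
    -PasswordNotificationWindowInDays 14

# Step 3 (the caveat): the flag only takes effect per user on the next AD password change, so
# list the synced users who still carry the exemption and therefore need a forced AD change.
$stillExempt = @(Get-MgUser -All -Property UserPrincipalName,PasswordPolicies,OnPremisesSyncEnabled,LastPasswordChangeDateTime |
    Where-Object { $_.OnPremisesSyncEnabled -and $_.PasswordPolicies -match 'DisablePasswordExpiration' } |
    Select-Object UserPrincipalName, LastPasswordChangeDateTime)

"$($stillExempt.Count) synced user(s) still carry DisablePasswordExpiration:"
$stillExempt | Format-Table -AutoSize
```

Re-run the Step 3 query after the next password-change cycle; the list should shrink to zero before you can rely on cloud sign-in being blocked for expired AD passwords.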
sigil224@reddit
I don’t think anyone can say that this is anything other than a missed opportunity from Microsoft.
They could have made AzureAD/Entra a seamless transition from on-premise to cloud but decided to make changes that they could have caught, and made provisions for, making their cloud offering a worse (in hindsight) option.
Similarly for their PowerShell/CLI commands between on-premise and cloud AD. Really frustrating.
Ferretau@reddit
You've assumed the people that built the cloud cared about the stuff that was onprem, they don't, didn't and never will.