Forum Discussion
fnanfne
Sep 08, 2022, Copper Contributor
Windows AD account password expired but user can still send/receive email and use Teams
Hi.
I recently discovered that some users with expired AD passwords are still working as if nothing has changed, which caught me by surprise. All the users affected do not use the VPN on a regular basis, or sign into Office 365. They all use desktop office for their email (Outlook) and chats (Teams). We are all still working from home.
It appears as if a user is only challenged to update their expired password once they physically authenticate against the domain controller(s). But what if they never do? This means a user with an expired password will continue to send/receive emails and send chats in Teams regardless of when their password expired, unless they perform some form of "logon".
I ran a PowerShell script to elucidate more and found that we have dozens of users in this boat. Some users have passwords that expired YEARS ago!
Is this by design? In that the password expiration attribute is pointless until said account actively connects or authenticates to the domain? Why is the "expiration" attribute not part of the user SID? I'm baffled.
We have on-premises domain controllers which sync out to Office 365 via ADSync, and this is syncing fine with no errors, including password sync.
Any help appreciated.
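The kind of on-premises check the original poster describes, written out as an added example (it is not the poster's script). It reads the computed expiry attribute so that fine-grained password policies are honoured, skips accounts that never expire or are flagged "must change at next logon", and reports how long each password has been expired alongside the last logon the DC has seen. It assumes the ActiveDirectory RSAT module and read access to the domain; the whole domain is searched unless you add -SearchBase.

```powershell
# Added example, not from the thread: list enabled on-premises AD users whose
# password has already expired according to the domain's effective policy.
Import-Module ActiveDirectory

# Assumption: whole-domain search; add -SearchBase "OU=...,DC=..." to narrow it.
$expired = Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
    -Properties msDS-UserPasswordExpiryTimeComputed, PasswordLastSet, LastLogonDate |
  ForEach-Object {
      $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
      # 0 means "must change at next logon" (pwdLastSet = 0) and Int64.MaxValue
      # means "never expires"; neither is a real expiry date, so skip both.
      if ($raw -and $raw -ne [Int64]::MaxValue) {
          $expires = [DateTime]::FromFileTime($raw)
          if ($expires -lt (Get-Date)) {
              [PSCustomObject]@{
                  SamAccountName    = $_.SamAccountName
                  UserPrincipalName = $_.UserPrincipalName
                  PasswordLastSet   = $_.PasswordLastSet
                  PasswordExpired   = $expires
                  DaysExpired       = [int]((Get-Date) - $expires).TotalDays
                  # Last logon this DC knows about; replicated only every ~14 days,
                  # so treat it as approximate.
                  LastLogonDate     = $_.LastLogonDate
              }
          }
      }
  } | Sort-Object DaysExpired -Descending

$expired | Format-Table -AutoSize

# Keep a copy for follow-up (constructed path, change as needed).
$expired | Export-Csv -Path .\expired-ad-passwords.csv -NoTypeInformation
```

Accounts that show up here with a recent LastLogonDate have authenticated against a DC and will have been challenged to change their password; the ones with a stale or empty LastLogonDate are the remote-only users the post is about, whose cloud sessions in Outlook and Teams are governed by the Azure AD password policy rather than the on-premises expiry.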
- EmekaNgene, Brass Contributor
Hello Fnanfne
Please have a look at the article below
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-password-hash-synchronization#enforcecloudpasswordpolicyforpasswordsyncedusers
https://docs.microsoft.com/en-us/answers/questions/721416/password-expiration-with-aad-connect-password-hash.html
https://techcommunity.microsoft.com/t5/office-365/password-expiration-with-aad-connect-password-hash-sync/m-p/329248
Cheers
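To make the setting from the first linked article concrete, here is an added example (not part of the reply or of Microsoft's documentation) that inspects and enables the tenant-wide EnforceCloudPasswordPolicyForPasswordSyncedUsers feature with the MSOnline module, then finds synced users whose cloud account is still marked DisablePasswordExpiration. It assumes the MSOnline module is installed and that you sign in with a Global Administrator account; the per-user clean-up at the end is optional and is the assumed way to apply the cloud policy before the user's next on-premises password change.

```powershell
# Added example, not from the thread: turn on enforcement of the cloud password
# policy for password-hash-synchronized users and review who is still exempt.
Import-Module MSOnline
Connect-MsolService   # prompts for a Global Administrator sign-in

# 1. Current state of the feature flag; it is disabled by default, which is
#    why synced users get PasswordPolicies = DisablePasswordExpiration.
Get-MsolDirSyncFeatures -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers

# 2. Enable it so that an on-premises expiry is honoured for PHS users.
Set-MsolDirSyncFeature -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers -Enable $true

# 3. Users synced before the change keep the never-expire flag until their
#    on-premises password is next changed; list them so nothing is missed.
#    ImmutableId is only populated on directory-synced accounts.
$stillNeverExpire = Get-MsolUser -All |
    Where-Object { $_.ImmutableId -and $_.PasswordPolicies -eq 'DisablePasswordExpiration' } |
    Select-Object UserPrincipalName, LastDirSyncTime, PasswordPolicies

$stillNeverExpire | Format-Table -AutoSize

# 4. Optional: clear the exemption per user so the cloud policy applies now.
#    Assumption: the list above has been reviewed first, since users whose
#    on-premises password is already expired will be prompted at next sign-in.
foreach ($u in $stillNeverExpire) {
    Set-MsolUser -UserPrincipalName $u.UserPrincipalName -PasswordPolicies None
}
```

Run steps 1 and 3 on their own first to see the scale of the problem before flipping the flag; step 4 is what turns a years-old expiry into an actual prompt for the remote-only users described in the question.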
- fnanfne, Copper Contributor
EmekaNgene Thank you! This is the exact information I needed, appreciated!
"If a user is in the scope of password hash synchronization, by default the cloud account password is set to Never Expire."
So this is indeed by design but it makes no sense to me, why make this the default behaviour? I see no rationale being given. It's almost like having a car with no engine, like what is the point? I'm upset with myself for assuming the contrary but happy to now be in the know, thanks again.
I did see the Note reading "The Set-MsolPasswordPolicy PowerShell command will not work on federated domains." so that will be my next hurdle to jump over before attempting to change this horrid default setting.