Identity Nugget – Bringing On-Prem AD Password Expiry and Force Reset to Entra ID Synced Accounts – EMS Route



It is 2025, and going passwordless or using long-lived (365-day) passwords is the recommendation. Even so, password expiry comes up as a question from most customers wherever I go, and when you ask, everyone has their own way of working around it. One popular method is notifying users of the upcoming password expiry with a series of countdown emails. But this paves the way for a bad actor to compromise user accounts: phishing emails with exactly the same look and intent are very popular, and this is one of the moments when “it only takes one user to click on a link” is actually true.

Table of Contents

  1. Context
  2. The Common Problem
  3. Reason
  4. A Practical Use Case
  5. The Fix
  6. Behind The Scene
  7. Results
  8. What didn’t work for me and Wrapping Up

Context

The majority of organizations still use passwords to log in to Windows workstations. Most organizations with a considerable on-premises footprint have a hybrid setup where user objects are synced from the on-prem local AD domain to Entra ID, and Password Hash Synchronization is the most popular sync method. On-prem AD has its own password expiry policies, or the password can be set to expire when the user first logs in to a computer.

The Common Problem

The local AD password expires. If the user is on M365, they can still log in to M365 and Entra services using the same password that has now expired in the local AD. If the user frequently logs in to a workstation, the password gets reset there and synced back to Entra. Problem sorted.

Reason

If a user is in the scope of password hash synchronization, by default the cloud account password is set to Never Expire.

A Practical Use Case

  • Frontline users whose user objects have been set up in the same way, where the local AD is the source of truth, but who work from other devices and hardly ever log in to a Windows workstation. The password expiry does not really affect them, as they never receive a real notification of it.
  • A new user whose account has been set to “User must change password at next logon”. That does not really affect Entra ID, as it is not aware of the pwdLastSet AD attribute.

The Fix

Enable Entra ID SSPR – this allows the user to change the password from Entra.

Enable Password Writeback in Entra Connect.

By default, the Entra password expiry is every 90 days. Either align the on-prem password expiry with that, or set the Entra password expiry to match the on-prem AD policy.

🔗More about the password policy can be found here – https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-policy#microsoft-entra-password-policies
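A quick way to check whether the two expiry policies are actually aligned, as an added example that is not part of the original post: it reads the on-prem default domain password policy and compares it with the password validity period of each verified Entra domain. It assumes the ActiveDirectory RSAT module on a domain-joined admin host and the Microsoft.Graph PowerShell SDK with Domain.Read.All consent.

```powershell
# Added example (not from the original post): compare the on-prem default domain
# password policy with the Entra password validity period of each verified domain.
# Assumes the ActiveDirectory RSAT module on a domain-joined admin host and the
# Microsoft.Graph PowerShell SDK with Domain.Read.All consent.
Import-Module ActiveDirectory
Connect-MgGraph -Scopes "Domain.Read.All"

# On-prem: a MaxPasswordAge of 0 means passwords never expire in the local AD
$adMaxDays = [int](Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.TotalDays

foreach ($domain in Get-MgDomain -All | Where-Object { $_.IsVerified }) {
    $cloudDays = $domain.PasswordValidityPeriodInDays
    # Entra stores 2147483647 when the cloud password is set to never expire;
    # assumption: an absent value means the 90-day tenant default is in effect
    if ($null -eq $cloudDays) { $cloudDays = 90 }
    $cloudNever = ($cloudDays -ge 2147483647)

    [pscustomobject]@{
        Domain        = $domain.Id
        OnPremMaxAge  = $(if ($adMaxDays -eq 0) { 'Never' } else { "$adMaxDays days" })
        EntraValidity = $(if ($cloudNever) { 'Never' } else { "$cloudDays days" })
        # Aligned only when both sides expire and on the same number of days
        Aligned       = (-not $cloudNever) -and ($adMaxDays -eq $cloudDays)
    }
}
```

A domain that reports Aligned = False can be brought in line either by changing the on-prem policy or with Update-MgDomain -DomainId <domain> -PasswordValidityPeriodInDays <days>, whichever direction you chose above.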

For the expired-password state to be reflected in Entra, run the command below.

# Read the tenant's on-premises sync settings, enable the cloud password policy for synced users, and write the feature set back
$OnPremSync = Get-MgDirectoryOnPremiseSynchronization
$OnPremSync.Features.CloudPasswordPolicyForPasswordSyncedUsersEnabled = $true
Update-MgDirectoryOnPremiseSynchronization -OnPremisesDirectorySynchronizationId $OnPremSync.Id -Features $OnPremSync.Features

If you plan to enable the “User must change password at next logon” option on the AD account, which sets pwdLastSet = 0, run the command below.

# Same pattern: enable the feature that honours the on-prem "must change password at next logon" flag in Entra
$OnPremSync = Get-MgDirectoryOnPremiseSynchronization
$OnPremSync.Features.UserForcePasswordChangeOnLogonEnabled = $true
Update-MgDirectoryOnPremiseSynchronization -OnPremisesDirectorySynchronizationId $OnPremSync.Id -Features $OnPremSync.Features

Before running the above commands, make sure you have the appropriate access to Microsoft Graph by connecting with the required scope:

Connect-MgGraph -Scopes "OnPremDirectorySynchronization.ReadWrite.All"

As you can see below, the features are now set to true.

Behind The Scene

As mentioned previously, the user account’s password policy has been set to Never Expire, which shows up as the value DisablePasswordExpiration in the PasswordPolicies attribute. You can check this by querying the user account:

# Replace <UserPrincipalName> with the synced user's UPN or object ID
(Get-MgUser -UserId <UserPrincipalName> -Property PasswordPolicies).PasswordPolicies

From Microsoft’s documentation 👇🏻

Once enabled, Microsoft Entra ID doesn’t go to each synchronized user to remove the DisablePasswordExpiration value from the PasswordPolicies attribute. Instead, the DisablePasswordExpiration value is removed from PasswordPolicies during the next password hash sync for each user, upon their next password change in on-premises AD.
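Because the value is only dropped on each user’s next password change, it helps to know which synced accounts are still sitting on DisablePasswordExpiration. The report below is an added example (not from the original post or from Microsoft): it confirms the two tenant flags set above, then lists every synced user that still carries the never-expire value, oldest password change first. It assumes the Microsoft.Graph PowerShell SDK with User.Read.All and OnPremDirectorySynchronization.Read.All consent.

```powershell
# Added example (not from the original post): find synced users that still carry
# DisablePasswordExpiration, i.e. whose on-prem password has not changed since the
# feature was enabled, so Entra has not yet dropped the never-expire policy.
# Assumes the Microsoft.Graph PowerShell SDK with User.Read.All and
# OnPremDirectorySynchronization.Read.All consent.
Connect-MgGraph -Scopes "User.Read.All", "OnPremDirectorySynchronization.Read.All"

# Tenant-level flags from the Fix section, shown alongside the per-user report
$sync = Get-MgDirectoryOnPremiseSynchronization
"CloudPasswordPolicyForPasswordSyncedUsersEnabled: $($sync.Features.CloudPasswordPolicyForPasswordSyncedUsersEnabled)"
"UserForcePasswordChangeOnLogonEnabled: $($sync.Features.UserForcePasswordChangeOnLogonEnabled)"

# Every synced user, requesting only the properties needed to judge expiry state
$synced = Get-MgUser -All -Filter "onPremisesSyncEnabled eq true" `
    -Property userPrincipalName, passwordPolicies, lastPasswordChangeDateTime

$report = foreach ($u in $synced) {
    # passwordPolicies is a comma-separated string, e.g. "DisablePasswordExpiration, DisableStrongPassword"
    $policies = @($u.PasswordPolicies -split '\s*,\s*' | Where-Object { $_ })
    [pscustomobject]@{
        UPN                = $u.UserPrincipalName
        PasswordPolicies   = $u.PasswordPolicies
        StillNeverExpires  = $policies -contains 'DisablePasswordExpiration'
        LastPasswordChange = $u.LastPasswordChangeDateTime
    }
}

# Oldest password changes first: these accounts are the furthest from picking up the new policy
$report | Where-Object StillNeverExpires | Sort-Object LastPasswordChange | Format-Table -AutoSize
```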

Results

What didn’t work for me and Wrapping Up

Fully Entra joined PC with a synced account: even though I’ve set it up to change the password at the next login, it did not reflect on the Windows sign-in screen. Microsoft is saying this should work on “Microsoft Entra integrated services”.

Passwordless or long-lived (365 days) passwords are the way to go. However, if your environment is not ready for either, you can adopt this method to make sure the Entra synced password actually expires and that temporary passwords issued in the local AD are reflected appropriately.

