In an on-premises world, with Active Directory, password expiry is easy. Set the required policy for your domain, make certain it's applied and forget about it; AD will take care of enforcing password changes and compliance with your password rules. Moving your identity to Azure complicates things, and that's what we are going to talk about today, in particular password expiry and related processes in the world of Azure AD Connect.

Azure AD password policies vary depending on how you have things set up. If you're lucky enough to be using cloud-only identity (no synchronization at all), then this isn't a headache you really need to deal with. Azure AD in cloud-only mode has a set of password policies it follows, which includes password expiry by default of 90 days.

Where things get complicated is when you enable Azure AD Connect to synchronize your on-premises users with Azure AD and you enable password hash sync to allow authentication in the cloud. With user and password hash sync enabled, users are able to use their Azure AD identity to connect to your services, and third-party services such as Office 365. In this scenario all your authentication happens in Azure AD. When you enable AD sync, your password complexity rules from on premises are used in place of any set in the cloud, yet your expiration policies are not. When password sync is enabled, the hash of the password in the cloud is set to never expire.

It doesn't take much thought to see the concern here: in this scenario users whose password has expired, or perhaps more worryingly, whose account has expired, will still be able to log in to services using their AAD account. Services like Office 365, Salesforce, Dropbox etc. All of these can contain sensitive information that you probably don't want expired users accessing. This limitation is documented, but it doesn't jump out at you. I think most reasonable people would assume that if you are syncing an expired password, then the user would not be allowed to log on.

Note that what we are talking about here is expired passwords and accounts, not disabled accounts. Disabling an account on premises will be synced up to Azure AD and access prevented, however this can take up to 3 hours.

Solutions

If you don't make use of your synchronized Azure AD identity for accessing applications then this may not be a concern, but for those that do, let's look at what we can do to resolve this problem.

Change Cloud Password

One option would be to run a script on a regular basis to check your on-premises AD for expired accounts and, when found, change the password on the cloud account. This would result in the user needing to reset their password before being able to log in (as they don't know this password) and this then being synced to AAD. Whilst being a fairly simple solution, it's not particularly foolproof. You would need to run the script on a very regular basis to ensure you catch all expired accounts early, and it is going to be prone to issues and reliability concerns. If you need something simple and quick it could work, but I wouldn't recommend it.
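The scramble-the-cloud-password approach described above, as an added PowerShell example that is not from the original post. It assumes the ActiveDirectory (RSAT) and AzureAD modules are installed, that an admin has already run Connect-AzureAD, and that the on-premises UserPrincipalName is what Azure AD uses for the synced user (function names are my own).

```powershell
# Added example; not the author's script. Assumes the ActiveDirectory and
# AzureAD modules are installed and that the on-premises UPN matches the
# Azure AD UPN of the synced user (the default AAD Connect mapping).
Import-Module ActiveDirectory
Import-Module AzureAD

function Get-ExpiredOnPremUsers {
    # Enabled users whose account expiry date has passed...
    $accountExpired = Search-ADAccount -AccountExpired -UsersOnly |
        Where-Object { $_.Enabled }
    # ...plus enabled users whose password has expired (account may still be valid).
    $passwordExpired = Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordExpired |
        Where-Object { $_.PasswordExpired }
    # Wrap in @() so a $null or single-object result still concatenates cleanly.
    (@($accountExpired) + @($passwordExpired)) |
        Where-Object { $_.UserPrincipalName } |
        Sort-Object -Property UserPrincipalName -Unique
}

function New-RandomPassword {
    # 32 bytes from the OS CSPRNG, Base64-encoded. Nobody is meant to know or
    # keep this value; its only job is to make the cloud sign-in unusable until
    # an on-premises password reset is synced back up by AAD Connect.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return [Convert]::ToBase64String($bytes)
}

function Invoke-CloudPasswordScramble {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($user in Get-ExpiredOnPremUsers) {
        $upn = $user.UserPrincipalName
        # -WhatIf / -Confirm support so the run can be rehearsed before it changes anything.
        if ($PSCmdlet.ShouldProcess($upn, 'Replace Azure AD password with a random value')) {
            $secure = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
            # -ObjectId accepts the UPN as well as the object GUID.
            Set-AzureADUserPassword -ObjectId $upn -Password $secure
            Write-Output "Scrambled cloud password for $upn"
        }
    }
}

# Connect-AzureAD                         # sign in as an account permitted to reset passwords
# Invoke-CloudPasswordScramble -WhatIf    # dry run: lists who would be affected
# Invoke-CloudPasswordScramble            # schedule this frequently; the gap between runs is the exposure window
```

The window between an on-premises expiry and the next scheduled run is exactly the reliability gap the text warns about, so treat the schedule interval as a security parameter, not a convenience setting.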

AD Federation Services

Instead of using password hashes with AAD Connect you could instead implement Azure ADFS. With ADFS all login requests are authenticated against your on-premises resources, so all attributes of your on-premises account are honoured, including password and account expiry. This is a robust, time-tested solution to this issue. The problem is that ADFS is complicated to deploy and involves a number of extra resources and significant knowledge to set it up. If you are already using federation for other things (such as integration with other companies) then using this with Azure AD makes perfect sense. However, if you have never used ADFS it can be pretty daunting and costly to set up and manage, especially for small organisations.

Fortunately there is a middle ground (now) between the two options above. Azure AD Pass Through Authentication is a new service currently in preview which allows you to still sync your users to Azure AD with AAD Connect, but not sync their passwords to Azure AD. Instead, when a user authenticates they are passed through to on-premises AD using a client application, to authenticate directly against your on-premises infrastructure. The primary use for this service is for companies that cannot or will not store their user passwords in the cloud, even in hashed form, but one of the other benefits is that, as with ADFS, all of your account policies including expiry will be honoured. With this service you get the same benefits as ADFS in terms of account expiry, but without having to install all of the infrastructure. In fact there are really just 2 additional things to do when using this as opposed to password sync:

  1. Choose Pass Through Auth rather than password sync in the AD Connect setup
  2. Install a second Pass Through Auth client on another on-premises machine for high availability.

Once you do this, your authentication requests are passed through and if a user's password has expired they will be prevented from logging on. If you have enabled password write-back in AD Sync then they will be able to reset their password at the cloud app. If you don't allow it then the user needs to log on to an on-premises resource to change it. Because the authentication process is still going through Azure AD you still retain all the benefits of this like MFA, Self Service Reset, Identity Protection etc.

A further benefit of using Pass Through Auth is that setting "user must change password at next logon" also now works. With hash syncing, setting this would cause the user to not be able to log on, but now this setting works as expected as well.

Summary

Password expiry seems like a simple problem that was solved many years ago, and I suspect many people have moved to using Azure AD Connect Password Syncing and just assumed that their expiry policy carries over to this. They will be surprised to learn that users they thought had lost access to cloud resources through an expired password or account can actually still gain access to things. Up until recently this was actually a fairly difficult issue to solve; fortunately pass through auth is now available and makes it fairly simple to keep your passwords on premises and obey your expiry rules without needing to learn and implement ADFS.

The key thing here is to understand clearly what policies do and do not apply to your cloud identities and make an informed decision about what concerns you and requires a change to be made.

Further Reading

Integrate your on-premises directories with Azure Active Directory

Deploying Active Directory Federation Services in Azure

User sign-in with Azure Active Directory Pass-through Authentication