Alan Duck
Creating a user password policy for an Azure AD, Local AD synced system
We have successfully created a synced Azure AD and Local AD
and have a single password working, but to do this the password policy for the local AD for password maximum age was set to 0.
What we want to do is set the password policy to force passwords to be changed no later than 180 days.
Local AD is the one that sets the password policies; AzureAD only uses this information.
0 days means never expire.
You should not have modified the default domain policy, which sets the Max Password Age to 42 days, and should have used Fine Grained Password Policy.
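The Fine Grained Password Policy approach suggested in the answer above, as an added example that is not part of the original thread: it creates a password settings object (PSO) with the 180-day maximum age the question asks for, applies it to a group, and checks the result on a test account. The policy, group and user names are hypothetical, the other settings are copied from the existing domain policy as an assumption, and it is a one-time setup run with the ActiveDirectory module on a domain that supports PSOs.

```powershell
# Added example. Policy, group and user names are hypothetical placeholders.
Import-Module ActiveDirectory

$policyName = 'PSO-MaxAge-180d'        # hypothetical PSO name
$groupName  = 'PwdPolicy-180d-Users'   # hypothetical global security group
$sampleUser = 'testuser1'              # hypothetical non-admin test account

# Copy the current domain-wide values so the PSO differs only in maximum age.
$domain = Get-ADDefaultDomainPasswordPolicy
$pso = @{
    Name                        = $policyName
    Precedence                  = 10   # lowest number wins if several PSOs apply
    MaxPasswordAge              = New-TimeSpan -Days 180
    MinPasswordAge              = $domain.MinPasswordAge
    MinPasswordLength           = $domain.MinPasswordLength
    PasswordHistoryCount        = $domain.PasswordHistoryCount
    ComplexityEnabled           = $domain.ComplexityEnabled
    ReversibleEncryptionEnabled = $domain.ReversibleEncryptionEnabled
    LockoutThreshold            = $domain.LockoutThreshold
    LockoutDuration             = $domain.LockoutDuration
    LockoutObservationWindow    = $domain.LockoutObservationWindow
}
New-ADFineGrainedPasswordPolicy @pso

# PSOs apply to users and global security groups, not to OUs.
New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security
Add-ADFineGrainedPasswordPolicySubject -Identity $policyName -Subjects $groupName
Add-ADGroupMember -Identity $groupName -Members $sampleUser

# Verify which policy the test account resolves to.
Get-ADUserResultantPasswordPolicy -Identity $sampleUser |
    Select-Object Name, Precedence, MaxPasswordAge

# Show the computed expiry; Int64 max means the password never expires.
$u = Get-ADUser $sampleUser -Properties 'msDS-UserPasswordExpiryTimeComputed', PasswordNeverExpires
$raw = $u.'msDS-UserPasswordExpiryTimeComputed'
if ($u.PasswordNeverExpires -or $raw -eq [Int64]::MaxValue) {
    'Password does not expire for this account'
} else {
    [datetime]::FromFileTime($raw)
}
```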
ASKER
I was looking at using the fine grained password policy.
The reason the Max Password Age in the computer policy on the domain server was set to 0 is that the Microsoft technicians said it needed to be set to 0 or the Azure user password reset wouldn't work without throwing up an error, which is what we had issues with at first, but that's working and we want all users to be able to change their password using
To use SSPR - https://aka.ms/sspr
That is not a requirement of SSPR - https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr
Did they give a reason? Unfortunately MS support has got to the point where it's almost completely untrustworthy... the answers you get are basic at best and their only goal is to mark the call as closed - not actually help.
ASKER
Their reason was it was a requirement to make it work, and I did read a document at the time which also said this setting needed to be 0 to make it work.
As it was, I think our main problem was that we were testing on accounts that were set as administrators on the Local AD.
Now this issue is resolved I can test these settings by returning them to the previous numbers.
ASKER
These guys were really helpful
https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/maximum-password-age