Jerry Seinfield

asked on

AD- MS365 password policy preference

Hello Experts,


My customer runs a hybrid organization with Azure and MS365 (Azure AD Connect syncing password hashes to the cloud), some DCs on prem, and multiple sites; all email and data files are in MS 365. Workstations and users continue to be managed by the DCs and AD DS.


This is the question:

Can I enforce a 14-character password policy on our team via Group Policy? Since our users are using SSPR, MS controls the password settings and there is a character limit of 8?


Is there a way to enforce the password policy from local AD to the cloud and bypass SSPR and any cloud password policy preferences?


If not, please elaborate; otherwise, provide high-level steps to perform this without moving all endpoints and resources to the cloud to be managed by Azure AD, Intune and Conditional Access policies.



kevinhsieh

Seems to me like you are syncing passwords from AD to Azure AD. In that case, you enforce password standards the same way we have since Windows 2000. Set group policy on the domain controllers to modify the domain password policy.
https://blog.netwrix.com/2021/07/14/active-directory-password-policy/
"Since our users are using SSPR, MS controls settings for password and there is character limit of 8?"

I can't find a reference to a maximum password size of 8. Where did you see that?

What I see is that the minimum is 8:
  • Password restrictions
    • A minimum of 8 characters and a maximum of 256 characters.
    • Requires three out of four of the following:
      • Lowercase characters.
      • Uppercase characters.
      • Numbers (0-9).
      • Symbols (see the previous password restrictions).

The Azure AD password policy doesn't apply to user accounts synchronized from an on-premises AD DS environment using Azure AD Connect, unless you enable EnforceCloudPasswordPolicyForPasswordSyncedUsers.
Jerry Seinfield (ASKER)

Any other thoughts?


Follow the instructions on how to change the domain password policy. Note that the requirements only apply when a password is changed. Existing passwords will still be valid.

I have no further thoughts unless you have problems making the change already recommended.
In a hybrid environment, which password policy wins: the one controlled by AD DS or the Azure/MS365 one?

Please elaborate.
Unless you are doing write back from Azure AD to ADDS, all password changes originate from ADDS, and the ADDS password policy is the only one used.
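An added example, not posted by anyone in this thread, that walks through the steps kevinhsieh describes: raising the domain password policy that AD DS enforces on every password change (including changes written back by SSPR), checking whether the tenant's EnforceCloudPasswordPolicyForPasswordSyncedUsers flag is on, and, because the new minimum only applies at the next change, listing accounts whose current password predates the policy change. The domain, group and user names are placeholders; the optional fine-grained password policy and the stale-password sweep go beyond what the thread itself shows.

```powershell
# Added example (not from the original thread). Run from a DC or a host with the
# RSAT ActiveDirectory module; step 5 additionally needs the MSOnline module and a
# Global Administrator account. All names below are placeholders.
Import-Module ActiveDirectory

$domain          = 'corp.example.com'   # placeholder domain
$privilegedGroup = 'Tier0-Admins'       # placeholder group for the stricter PSO
$sampleUser      = 'jdoe'               # placeholder user for the resultant-policy check

# 1. Show what AD DS enforces today. This is the policy that governs a password
#    change regardless of whether it comes from Ctrl+Alt+Del or SSPR writeback.
$before = Get-ADDefaultDomainPasswordPolicy -Identity $domain
"Current minimum length: $($before.MinPasswordLength); complexity: $($before.ComplexityEnabled)"

# 2. Raise the domain-wide minimum to 14. This is the same setting as the Default
#    Domain Policy GPO under Computer Configuration > Windows Settings > Security
#    Settings > Account Policies > Password Policy; there is exactly one per domain.
$policyChangedAt = Get-Date
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -MinPasswordLength 14 `
    -ComplexityEnabled $true `
    -PasswordHistoryCount 24 `
    -LockoutThreshold 10 `
    -LockoutDuration (New-TimeSpan -Minutes 15) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 15)

# 3. Optional: a stricter rule for privileged accounts via a fine-grained password
#    policy (PSO). A PSO overrides the domain default for the users and groups it is
#    applied to; when several PSOs apply, the lowest Precedence value wins.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq 'PSO-Admins-20'")) {
    New-ADFineGrainedPasswordPolicy -Name 'PSO-Admins-20' -Precedence 10 `
        -MinPasswordLength 20 `
        -ComplexityEnabled $true `
        -ReversibleEncryptionEnabled $false `
        -PasswordHistoryCount 24 `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -MaxPasswordAge (New-TimeSpan -Days 365) `
        -LockoutThreshold 5 `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30)
    Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Admins-20' -Subjects $privilegedGroup
}

# 4. Verify which policy a given user actually receives: the PSO if one applies,
#    otherwise the domain default from step 2.
Get-ADUserResultantPasswordPolicy -Identity $sampleUser

# 5. The new rules only bite at the next password change, so find enabled accounts
#    whose password was last set before the change. -WhatIf makes this a dry run;
#    remove it to require a change at next logon (ignoring service accounts is left
#    to the operator, since PasswordNeverExpires accounts are included here).
Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet |
    Where-Object { $_.PasswordLastSet -and $_.PasswordLastSet -lt $policyChangedAt } |
    Set-ADUser -ChangePasswordAtLogon $true -WhatIf

# 6. Cloud side. For synced users the Azure AD password policy is ignored unless this
#    tenant-level Azure AD Connect feature is enabled, so check it rather than guess.
#    Leave it disabled if AD DS is to stay the single source of truth.
Connect-MsolService
(Get-MsolDirSyncFeatures -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers).Enabled
# To apply the cloud policy to synced users as well (not needed for the 14-char goal):
# Set-MsolDirSyncFeature -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers -Enable $true
```

Step 6 uses the MSOnline module because that is where this feature flag is documented; if the tenant has moved to Microsoft Graph PowerShell the same flag lives in the directory's on-premises synchronization settings, and the read should be adapted accordingly rather than assumed from this example.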
Correct, but the whole purpose of enabling SSPR, which by default requires password writeback, is to allow end users to reset their password from a web portal and avoid multiple calls to IT.

The part that confuses me is the one from David


"The Azure AD password policy doesn't apply to user accounts synchronized from an on-premises AD DS environment using Azure AD Connect, unless you enable EnforceCloudPasswordPolicyForPasswordSyncedUsers. "

Can we just safely assume that if SSPR is enabled, password writeback is automatically enforced? If this assumption is correct, is it safe to assume that the Azure AD cloud password policy takes precedence over the local AD DS password policy in a hybrid org?


ASKER CERTIFIED SOLUTION
Daryl Ponting