AD- MS365 password policy preference
Hello Experts,
My customer runs a hybrid organization with Azure and MS365 (Azure AD Connect to sync password hash) to the cloud, some DCs on prem, multiple sites; all email and data files are in MS 365. Workstations and users continue to be managed by DCs and ADDS.
This is the question:
Can I enforce a 14-character password policy on our team via Group Policy? Since our users are using SSPR, MS controls settings for passwords and there is a character limit of 8?
Is there a way to enforce the password policy from local AD to the cloud and bypass SSPR and any cloud password policy preferences?
If not, please elaborate; otherwise, provide high-level steps to perform this without moving all endpoints and resources to the cloud and being managed by Azure AD Intune and conditional access policies.
I can't find a reference to a maximum password size of 8; where did you see that?
What I see is that the minimum is 8:
- Password restrictions
  - A minimum of 8 characters and a maximum of 256 characters.
  - Requires three out of four of the following:
    - Lowercase characters.
    - Uppercase characters.
    - Numbers (0-9).
    - Symbols (see the previous password restrictions)
The Azure AD password policy doesn't apply to user accounts synchronized from an on-premises AD DS environment using Azure AD Connect, unless you enable EnforceCloudPasswordPolicy
ASKER
I have no further thoughts unless you have problems making the change already recommended.
ASKER
Please, elaborate
ASKER
The part that confuses me is the one from David:
"The Azure AD password policy doesn't apply to user accounts synchronized from an on-premises AD DS environment using Azure AD Connect, unless you enable EnforceCloudPasswordPolicyForPasswordSyncedUsers."
Can we just safely assume that if SSPR is enabled, password write back is automatically enforced? If this assumption is correct, is it safe to assume that the Azure AD cloud password policy takes precedence or wins over the local ADDS password policy in a hybrid org?
https://blog.netwrix.com/2021/07/14/active-directory-password-policy/
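A read-only way to see which password settings are actually in effect on both sides of the hybrid setup discussed in this thread, as an added example that is not part of any poster's reply. It assumes the ActiveDirectory (RSAT) and Microsoft.Graph.Identity.DirectoryManagement modules are installed and a domain-joined admin workstation; `$RequiredLength` is a hypothetical variable holding the asker's 14-character target, and the Graph property `CloudPasswordPolicyForPasswordSyncedUsersEnabled` is the Graph-side name of the EnforceCloudPasswordPolicyForPasswordSyncedUsers feature quoted above.

```powershell
# Added example: audit only, changes nothing.
Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Identity.DirectoryManagement

$RequiredLength = 14   # assumption: the target length from the question

# 1. On-prem default domain password policy (the one set through Group Policy).
$domainPolicy = Get-ADDefaultDomainPasswordPolicy
$report = @(
    [pscustomobject]@{
        Scope             = 'Default domain policy'
        Precedence        = $null
        MinPasswordLength = $domainPolicy.MinPasswordLength
        ComplexityEnabled = $domainPolicy.ComplexityEnabled
        MeetsTarget       = $domainPolicy.MinPasswordLength -ge $RequiredLength
    }
)

# 2. Fine-grained password policies override the domain policy for the
#    users and groups they apply to, so a shorter minimum here weakens the target.
$report += Get-ADFineGrainedPasswordPolicy -Filter * | ForEach-Object {
    [pscustomobject]@{
        Scope             = "Fine-grained: $($_.Name)"
        Precedence        = $_.Precedence
        MinPasswordLength = $_.MinPasswordLength
        ComplexityEnabled = $_.ComplexityEnabled
        MeetsTarget       = $_.MinPasswordLength -ge $RequiredLength
    }
}
$report | Format-Table -AutoSize

# 3. Cloud side: is the cloud password policy applied to password-hash-synced users?
Connect-MgGraph -Scopes 'OnPremDirectorySynchronization.Read.All'
$sync = Get-MgDirectoryOnPremiseSynchronization
[pscustomobject]@{
    Setting = 'CloudPasswordPolicyForPasswordSyncedUsersEnabled'
    Enabled = [bool]$sync.Features.CloudPasswordPolicyForPasswordSyncedUsersEnabled
} | Format-Table -AutoSize

# Flag any on-prem policy below the target so it can be reviewed.
$weak = $report | Where-Object { -not $_.MeetsTarget }
if ($weak) {
    Write-Warning "$(@($weak).Count) on-prem policy object(s) allow passwords shorter than $RequiredLength characters."
}
```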