4/15/2018
This article contains advice given to a government contractor who is required to follow NIST and ITAR security guidelines. The question from the customer was about how password expiration is enforced in Office 365.
The way password expiration is handled will vary depending on whether the account is synced to Active Directory using AD Connect.
Cloud-only accounts, those which are not synced to Active Directory, will follow normal rules for password expiration as set by the Office 365 administrator, either globally or on a per-user basis.
When a synced password in Active Directory expires, the password in the cloud does not expire along with it. Users can continue to check their e-mail until AD eventually gets around to updating their (new) password. Likewise, they'll be able to sign in to SharePoint and other Office 365 services. This may not be a big deal for users who come into the office every day, as their password is unlikely to stay in the expired state for longer than perhaps an extended weekend before their Windows account requires them to update it.
This applies only when password hash synchronization is the method used. When AD Connect is configured with pass-through authentication instead, Office 365 queries Active Directory directly via an agent that runs on the same server as AD Connect. When federated authentication is used, ADFS takes over all aspects of authentication, including the login and the password. Thus, in both cases, when the AD password has expired the user will be unable to log in to Office 365 services until they update their password in AD.
Note that pass-through authentication can cause systems to become unavailable when the network connection at the main office goes down, though all Microsoft docs insist it is supposed to fall back on other methods. Our testing and experiences indicate that it does not. This is unfortunate, because the lack of fault tolerance is one of the biggest drawbacks of federated domains. We're really hopeful that this flaw in Seamless SSO and pass-through authentication will be addressed. Even so, it is still usually a better alternative for most organizations, and one that requires less infrastructure than ADFS.
If you must enforce immediate password expiration for users, Pass-through authentication is advisable. For users primarily in the cloud, such as remote workers or road-warriors, leaving those users unsynced (cloud only) can produce better security and manageability.
It may be possible to enforce expired passwords in Office 365 by configuring AD Connect to synchronize certain Active Directory attributes related to password expiration status. Other schemes that might work include running a PowerShell script as a scheduled task that tests each user's expiry status and disables their Office 365 account if their password has expired. These approaches are complex and will not be covered in detail here.
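As an added illustration (not code from the original article), the following PowerShell sketch covers only the "test each user's expiry status" half of the scheduled-task idea: it reports enabled AD users whose on-premises password has expired and who, under password hash synchronization, could still sign in to Office 365. It takes no action against any account. The OU path and the function name `Get-PasswordExpiryState` are hypothetical; it assumes the ActiveDirectory RSAT module is installed.

```powershell
# Added example, not from the original article. Requires the ActiveDirectory
# RSAT module; run on a domain-joined host with read access to user objects.
Import-Module ActiveDirectory

# msDS-UserPasswordExpiryTimeComputed is a constructed AD attribute holding the
# expiry instant as a Windows FILETIME. Two sentinel values need special care.
$NeverExpires = [Int64]::MaxValue   # no expiry applies to this account

function Get-PasswordExpiryState {
    param([Parameter(Mandatory)][Int64]$ExpiryFileTime,
          [datetime]$Now = (Get-Date))
    if ($ExpiryFileTime -eq $NeverExpires) { return 'NeverExpires' }
    if ($ExpiryFileTime -eq 0)             { return 'MustChangeAtNextLogon' }
    if ([datetime]::FromFileTime($ExpiryFileTime) -le $Now) { return 'Expired' }
    return 'Valid'
}

# Hypothetical scope: replace with the OU that AD Connect actually synchronizes.
$SyncedOU = 'OU=Staff,DC=example,DC=com'

$report = Get-ADUser -SearchBase $SyncedOU -Filter 'Enabled -eq $true' `
        -Properties 'msDS-UserPasswordExpiryTimeComputed', UserPrincipalName |
    ForEach-Object {
        $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
        if ($null -eq $raw) { return }   # attribute not readable; skip this user
        $state = Get-PasswordExpiryState -ExpiryFileTime $raw
        if ($state -in 'Expired', 'MustChangeAtNextLogon') {
            [pscustomobject]@{
                UserPrincipalName = $_.UserPrincipalName
                State             = $state
                ExpiredOn         = if ($raw -gt 0) { [datetime]::FromFileTime($raw) }
                DaysExpired       = if ($raw -gt 0) {
                    [int]((Get-Date) - [datetime]::FromFileTime($raw)).TotalDays }
            }
        }
    }

# Longest-expired accounts first: these have had the widest cloud-access window.
$report | Sort-Object DaysExpired -Descending | Format-Table -AutoSize
```

Accounts at the top of the report are the ones whose cloud sign-in has outlived their on-premises password the longest, which makes them the first candidates for follow-up.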
Note that these strategies can be mixed and matched within a single tenant, so you can apply a combination of cloud-only, password synced, and federated domains. The only ones that can't be mixed are pass-through and password-hash-sync. For these, you must pick one or the other for all synced users in your tenant.
The following table demonstrates the different authentication schemes and their respective characteristics.
Authentication Method | Fault Tolerance | Password Expiration Behavior | Authenticating System | Configurable Scope |
---|---|---|---|---|
Cloud Only | No issues | Expired users may not log in | Azure AD | Individual users |
AD Connect + Password Hash Synchronization | Fault tolerant | Expired users may log in to Office 365 | Azure AD | All synced users by OU or AD Group; can't be combined with pass-through |
AD Connect + Pass-through Authentication | May fail due to local network outages; multiple agents and locations recommended | Expired users may not log in | local AD | All synced users by OU or AD Group; can't be combined with password hash sync |
ADFS / Federated Domain | May fail due to local network outages; requires multiple servers; authentication leaves Microsoft supported scope | Expired users may not log in | local AD | Single DNS domain / UPN Suffix |
From: Azure AD self-service password reset rapid deployment
Password expiration policy
If a user is in the scope of password hash synchronization, the cloud account password is set to Never Expire. You can continue to sign in to your cloud services by using a synchronized password that is expired in your on-premises environment. Your cloud password is updated the next time you change the password in the on-premises environment.