Password policies in a hybrid AD / Azure AD environment: policy enforcement and expiration

Passwords are still the primary authentication credential for Windows domain resources, even with MFA in place. It is important to know when Active Directory user passwords expire and which password policy applies to each user account. Password expiration policies are implemented for security reasons, to ensure that users regularly update their passwords and keep their accounts secure; enforcing expiration reduces the risk of unauthorized access and data breaches. Passwords that persist for a long time are more exposed and are more likely to be leaked, cracked or breached. Maximum password age and complexity should be enforced by policy, and they are by default on a Windows domain and in an Azure AD tenant. Therefore you should know which policy provides that enforcement and verify that it actually applies.

Understanding password expiration dates and last password set date in Active Directory is crucial for both users and administrators to maintain the security and integrity of user accounts and the overall network.

Why is it important:

- To determine if the maximum password age value in an applied Group Policy, PSO or Azure password policy is actually working. This is known as "spot checking".

- To track whether a user password has never been changed, or is set to never expire. In this case admins should check if this behavior is sanctioned.

- To determine if a user is unable to log in due to an expired password.

- To determine where the password expiration date is set, based on the account's authoritative directory.

- To understand which password policy affects a specific account. This can be confusing, especially in a hybrid environment, because password policies can come from multiple authorities: on-prem GPO, on-prem PSO, Azure AD default policy, Azure AD custom policy.


Password policy in a hybrid AD environment


Knowing when passwords expire allows users to proactively change their passwords before they expire, ensuring uninterrupted access to their accounts. It also promotes good security practices by encouraging users to choose strong, unique passwords. Although password expiration policies are not automatically synchronized between Active Directory on-premises and Azure AD, there are methods available to enable synchronization of password changes and provide a seamless experience for users across both environments.

For administrators, knowing when passwords expire enables them to enforce password policies, track user compliance, and maintain the overall security of the Active Directory environment. They can generate reports, send password expiration notifications, and take appropriate actions for any users whose passwords are approaching or have expired.

By default, the password expiration policies in Active Directory on-premises and Azure Active Directory (Azure AD) are not synchronized. Each directory operates independently, and password policies are managed separately.

In an on-premises Active Directory environment, password age and complexity policies are typically enforced through Group Policy settings or a PSO (Password Settings Object). When the defined expiration period has elapsed, users are prompted to change their password at the next logon.

On-premises Active Directory Password Policies

In a default installation of Active Directory on a Windows domain, the default password complexity and age settings are defined in the "Default Domain Policy" Group Policy Object (GPO). These settings help enhance security by enforcing strong password policies for user accounts within the domain. The default password complexity and age settings in the Default Domain Policy out of the box are as follows:

  1. Password complexity requirements:
     - Minimum password length: 7 characters by default, so user passwords must be at least 7 characters long.
     - Password complexity: enabled by default, which means passwords must include characters from at least three of the following four categories: uppercase letters (A-Z), lowercase letters (a-z), numbers (0-9), special characters (e.g., !, @, #, $, %).
  2. Password age settings:
     - Maximum password age: 42 days by default. User passwords expire after 42 days and users are required to change them at that time.
     - Minimum password age: 1 day by default. This prevents users from changing their password too frequently (for example, cycling through the history to get back to an old password).
     - Password history (remembered passwords): the last 24 passwords are remembered by default, so users cannot reuse any of their previous 24 passwords.

What enforces password policies in an on-prem Active Directory domain:

Default Domain Policy - it is linked to the root of the domain when the domain is created and contains the default values. Unless you are blocking inheritance on an OU holding user accounts, or have another GPO with password settings, the Default Domain Policy will enforce the password policy.

PSO (Password Settings Object) - a fine-grained password policy object stored on the Domain Controllers that can enforce a stricter password policy scoped to specific users or a specific Active Directory group.

The effective on-prem password policy can be changed in the Default Domain Policy GPO, in a different GPO scoped to specific users, or in a PSO (Password Settings Object). More on PSOs in my previous article: https://www.dhirubhai.net/pulse/ad-pso-more-complex-passwords-privileged-accounts-komarovskiy-mba

In Azure AD, password expiration is governed by the tenant's own password policy, and Azure AD Password Protection lets you add custom banned-password lists for your organization. However, Azure AD does not sync password expiration settings from on-premises Active Directory.

It's worth noting that Azure AD has its own set of password policies, such as requiring multi-factor authentication, banning commonly used passwords, and detecting leaked passwords. These policies focus on enhancing security in the cloud environment.

To synchronize password changes between on-premises Active Directory and Azure AD, organizations can implement password hash synchronization or federated identity solutions like Active Directory Federation Services (ADFS). These solutions enable users to have a single set of credentials for both on-premises and cloud resources, ensuring password changes are synchronized between the two environments.

Azure AD Sync impact on password expiration and sync

Azure AD Sync has a number of commands available in the MSOnline module. You can learn about the MSOnline module here:

https://learn.microsoft.com/en-us/powershell/module/msonline/?view=azureadps-1.0#msonline

To connect PowerShell to the MSOL service, run the following and enter your credentials:

Connect-MsolService

If you get an error like the one below, you could be missing the MSOnline module:

The term "connect-msol" is not recognized

You need to install the module as per the instructions in the module documentation linked above.

To list the sync features enabled for the tenant, run:

Get-MsolDirSyncFeatures

Please note that PasswordWriteBack reporting as False is deceiving, because password writeback is configured in the Azure AD Connect sync configuration.

It is possible to enforce the Azure AD password policy on accounts synced from on-prem AD. However, if a GPO or a PSO in the on-prem AD applies to those accounts, it will overwrite the Azure AD policy values every time a sync occurs. To check whether the Azure AD policy is enforced for synced users, run the following in MSOL:

Get-MsolDirSyncFeatures -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers

To enable it:

Set-MsolDirSyncFeatures -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers -Enable $true

The following PowerShell command will export the password expiration date for on-prem users into a text file (remove the trailing redirection to display the result on screen instead):

Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed", "SamAccountName" | Select-Object -Property "DisplayName",@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}} > C:\temp\pass_expiration_8_31_22_v2.txt

This version will write out the SamAccountName into a CSV file that can then be opened in Excel:

Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed", "SamAccountName" | Select-Object -Property "SamAccountName",@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}} | Export-Csv C:\Temp\pass_exp_8_31_v4.csv -NoTypeInformation


The following PowerShell command will show the password-last-set date and the never-expires flag for a specific account, looked up by its username:

Get-ADUser -Identity 000085642 -Properties PasswordLastSet, PasswordNeverExpires | Format-Table Name, PasswordLastSet, PasswordNeverExpires


We can also get the password last set timestamp for each user and export it to a CSV file (Export-Csv writes a real CSV; redirecting Format-Table output to a .csv file only produces formatted text):

Get-ADUser -Filter * -Properties PasswordLastSet, PasswordNeverExpires | Sort-Object Name | Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires | Export-Csv C:\Temp\pass_exp_8_31_v8.csv -NoTypeInformation
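For "spot checking" which on-prem policy is actually in effect for one account, the following script is an added example (not code from the original article): it resolves a PSO when one applies, falls back to the domain password policy otherwise, and decodes the two special values of msDS-UserPasswordExpiryTimeComputed that make a plain FromFileTime call fail. It assumes the ActiveDirectory RSAT module on a domain-joined host; the account name 'jdoe' is a placeholder.

```powershell
# Added example: effective on-prem password policy and expiry for one user.
# Assumes the ActiveDirectory module; 'jdoe' is a placeholder SamAccountName.
Import-Module ActiveDirectory

function Get-EffectivePasswordStatus {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName -Properties PasswordLastSet, PasswordNeverExpires, PasswordExpired, 'msDS-UserPasswordExpiryTimeComputed'

    # A PSO (fine-grained password policy) wins when one applies to the user directly
    # or through group membership. When none applies the cmdlet returns nothing and the
    # domain password policy (normally the Default Domain Policy GPO) is in effect.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName -ErrorAction SilentlyContinue
    if ($pso) {
        $source = "PSO '$($pso.Name)' (precedence $($pso.Precedence))"
        $policy = $pso
    } else {
        $source = 'Default domain password policy'
        $policy = Get-ADDefaultDomainPasswordPolicy
    }

    # Special values of the computed attribute: 0 = user must change password at next
    # logon, Int64.MaxValue = password never expires ([datetime]::FromFileTime throws on it).
    $raw = [int64]$user.'msDS-UserPasswordExpiryTimeComputed'
    if ($raw -eq 0) { $expiry = 'Must change at next logon' }
    elseif ($raw -eq [int64]::MaxValue) { $expiry = 'Never' }
    else { $expiry = [datetime]::FromFileTime($raw) }

    [pscustomobject]@{
        User                 = $user.SamAccountName
        PolicySource         = $source
        MaxPasswordAgeDays   = $policy.MaxPasswordAge.TotalDays   # 0 = no expiration
        MinPasswordLength    = $policy.MinPasswordLength
        ComplexityEnabled    = $policy.ComplexityEnabled
        PasswordHistoryCount = $policy.PasswordHistoryCount
        PasswordLastSet      = $user.PasswordLastSet
        PasswordNeverExpires = $user.PasswordNeverExpires
        PasswordExpired      = $user.PasswordExpired
        ExpiryDate           = $expiry
    }
}

# Placeholder account; replace with a real SamAccountName.
Get-EffectivePasswordStatus -SamAccountName 'jdoe' | Format-List
```

Comparing PolicySource and MaxPasswordAgeDays against ExpiryDate minus PasswordLastSet is the quickest way to confirm that the policy you expect is the one the domain controllers are actually applying.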

How to get password expiration date from AzureAD

In Azure AD, to determine the last password set time for each user, run this PowerShell command. If the user is synced from on-prem AD, the password-last-set attribute is synced from on-prem AD as well.

Get-MsolUser -All | Select DisplayName,UserPrincipalName,LastPasswordChangeTimeStamp | Export-CSV C:\Temp\users_last_pass_set.csv        

You can then browse to the CSV file and open it with Microsoft Excel


Find passwords never changed in Azure AD

To determine which users have password never expires set on their account and have not changed their password in the past 92 days

Get-MsolUser -All | Where-Object {$_.PasswordNeverExpires -eq $true -and $_.LastPasswordChangeTimestamp -lt (Get-Date).AddDays(-92)} | Select-Object DisplayName,UserPrincipalName,LastPasswordChangeTimestamp,Licenses,PasswordNeverExpires | fl        


To determine which users do not have password never expires set on their account and have not changed their password in the past 92 days


Get-MsolUser -All | Where-Object {$_.PasswordNeverExpires -eq $false -and $_.LastPasswordChangeTimestamp -lt (Get-Date).AddDays(-92)} | Select-Object DisplayName,UserPrincipalName,LastPasswordChangeTimestamp,Licenses,PasswordNeverExpires | fl
        

Password policies and complexity in Azure AD

By default, when there are ten unsuccessful login attempts with an incorrect password, an account becomes locked out for a duration of one minute. If additional incorrect sign-in attempts occur, the lockout period progressively increases. To prevent unnecessary lockouts, the smart lockout feature monitors the last three instances of incorrect password entry, avoiding the escalation of lockout periods for repeated use of the same password. You have the flexibility to customize the threshold and duration settings for smart lockout.

Azure AD password requirements, by property:

Characters allowed: A - Z, a - z, 0 - 9, @ # $ % ^ & * - _ ! + = [ ] { } | \ : ' , . ? / ` ~ " ( ) ; < >, and blank space

Characters not allowed: Unicode characters

Password restrictions: A minimum of 8 characters and a maximum of 256 characters. Requires three out of four of the following character types: lowercase characters, uppercase characters, numbers (0-9), symbols (see the allowed characters above)

Password expiry duration (maximum password age): Default value: 90 days. If the tenant was created after 2021, it has no default expiration value. You can check the current policy with Get-MsolPasswordPolicy. The value is configurable by using the Set-MsolPasswordPolicy cmdlet from the Azure Active Directory Module for Windows PowerShell.

Password expiry (let passwords never expire): Default value: false (indicates that passwords have an expiration date). The value can be configured for individual user accounts by using the Set-MsolUser cmdlet.

Password change history: The last password can't be used again when the user changes a password.

Password reset history: The last password can be used again when the user resets a forgotten password.

It's important to note that the Azure AD password policy doesn't affect user accounts that are synchronized from an on-premises Active Directory Domain Services (AD DS) environment using Azure AD Connect unless you enable the option called "EnforceCloudPasswordPolicyForPasswordSyncedUsers" and, at the same time, any domain GPO or PSO is blocked or not scoped to the user.

To enumerate password policies using MSOL PowerShell, run the following:

PS C:\WINDOWS\system32> Get-MsolPasswordPolicy -DomainName westernmotors.net

ExtensionData                                    NotificationDays ValidityPeriod
-------------                                    ---------------- --------------
System.Runtime.Serialization.ExtensionDataObject               14            180

Password expiration and expiring password notification interval are two values that can be set in Azure AD password policy in a single tenant. B2B, B2C and multi-tenant subscriptions have other capabilities.

The following Azure AD PowerShell command checks whether a single account's password is set to never expire (the DisablePasswordExpiration value in its PasswordPolicies attribute):

Get-AzureADUser -ObjectId [email protected] | Select-Object UserPrincipalName,@{ N="PasswordNeverExpires";E={$_.PasswordPolicies -contains "DisablePasswordExpiration"} }

The following Azure AD PowerShell will produce a CSV file with accounts whose password is set to never expire

Connect-AzureAD

Get-AzureADUser | Select-Object UserprincipalName,@{ N="PasswordNeverExpires";E={$_.PasswordPolicies -contains "DisablePasswordExpiration"} } | Export-CSV C:\Temp\password_Set_to_never_expire.csv        

If the EnforceCloudPasswordPolicyForPasswordSyncedUsers switch is off, or if it is on but an on-prem GPO or PSO still applies, the sync will rewrite the password values and requirements whenever the password is changed on-prem. Therefore it is important to have a password complexity and expiration strategy for hybrid environments and to understand it thoroughly.
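The following script is an added example (not code from the original article) that pulls the three pieces of evidence above together for one hybrid account: whether the account is synced, whether the cloud policy is enforced for synced users, and the per-domain cloud policy, and reports which authority governs its password expiry. It assumes Connect-MsolService has already been run; the UPN is a placeholder.

```powershell
# Added example: which authority governs password expiry for one hybrid user.
# Assumes an existing Connect-MsolService session; the UPN is a placeholder.
Import-Module MSOnline

function Get-HybridPasswordAuthority {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    $user   = Get-MsolUser -UserPrincipalName $UserPrincipalName
    $domain = $UserPrincipalName.Split('@')[1]

    # Tenant-wide switch: when disabled, synced users keep their on-prem expiry data.
    $feature = Get-MsolDirSyncFeatures -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers
    $enforce = [bool]$feature.Enabled

    # Per-domain cloud policy; ValidityPeriod is the maximum age in days.
    # 2147483647 (or an empty value on newer tenants) means passwords never expire.
    $policy   = Get-MsolPasswordPolicy -DomainName $domain
    $maxAge   = $policy.ValidityPeriod
    $noExpiry = (-not $maxAge) -or ($maxAge -ge 2147483647)

    $synced = $null -ne $user.LastDirSyncTime
    if (-not $synced) {
        $authority = 'Azure AD policy (cloud-only account)'
    } elseif ($enforce) {
        $authority = 'Azure AD policy, but an on-prem GPO/PSO that applies overwrites it at the next sync'
    } else {
        $authority = 'On-prem AD (GPO or PSO); cloud policy is not enforced for synced users'
    }

    # DisablePasswordExpiration set on the user overrides the policy maximum age.
    if ($user.PasswordNeverExpires -or $noExpiry) {
        $cloudExpiry = 'Never'
    } else {
        $cloudExpiry = $user.LastPasswordChangeTimestamp.AddDays($maxAge)
    }

    [pscustomobject]@{
        User                              = $user.UserPrincipalName
        SyncedFromOnPrem                  = $synced
        CloudPolicyEnforcedForSyncedUsers = $enforce
        CloudMaxAgeDays                   = $maxAge
        NotificationDays                  = $policy.NotificationDays
        LastPasswordChange                = $user.LastPasswordChangeTimestamp
        PasswordNeverExpires              = $user.PasswordNeverExpires
        CloudComputedExpiry               = $cloudExpiry
        GoverningAuthority                = $authority
    }
}

Get-HybridPasswordAuthority -UserPrincipalName 'user@contoso.example' | Format-List
```

Microsoft has since deprecated the MSOnline and AzureAD modules in favour of Microsoft Graph PowerShell, so treat this as a check for environments where those modules still work.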

Updated 11/30/2023 - I found another interesting PowerShell trick you can run

Connect-MsolService         

then run

Get-MsolUser -MaxResults 99000 |Select UserPrincipalName,LastPasswordChangeTimestamp,DisplayName,PasswordNeverExpires,IsLicensed,Licenses,LiveID,WhenCreated,StrongAuthenticationMethods,StrongPasswordRequired,UserType | Export-CSV "C:\Temp2\PasswordExp2.CSV"        

This will create a CSV file that you can open with Excel, then manipulate the date to find what you need.

Which password policy applies in a hybrid environment?


If you need help tracing your password policy, determining whether enforcement is effective, or creating a password policy strategy for a hybrid environment, I am here to help.
