CloudPasswordPolicyForPasswordSyncedUsersEnabled

Deep Dive: CloudPasswordPolicyForPasswordSyncedUsersEnabled

Overview

In a standard Microsoft Entra ID (Azure AD) environment, the password policies applied to cloud-only users (complexity, length, expiration) are enforced by the cloud identity provider. However, for organizations utilizing Microsoft Entra Connect (Azure AD Connect) to synchronize users from on-premises Active Directory to the cloud, the default behavior has historically been different. The setting CloudPasswordPolicyForPasswordSyncedUsersEnabled is a directory-level configuration that enforces Microsoft Entra ID password policies on synchronized users, overriding the legacy default behavior in which cloud policies were ignored for these accounts.

The "Default" Behavior (Legacy)

By default, when a user is synchronized from on-premises AD to Entra ID, Microsoft assumes that the authoritative password policy resides in the on-premises environment. In this legacy state:

- Entra ID Password Policies are ignored: Settings configured in the Microsoft 365 Admin Center or via PowerShell (such as "Passwords never expire" or specific complexity requirements) do not apply to synced users.
- On-Premises Rules Apply: The user must adhere to the password length, complexity, and history requirements defined in the on-premises Group Policy Objects (GPOs).
- Password Expiration Issues: While Entra ID might say the password "never expires," the on-premises Active Directory might still enforce a 90-day expiration. This often causes confusion: a user's account works on-premises (VPN/domain login) but fails for cloud services (Teams/Outlook), because the on-premises password expired while the cloud status still appeared valid.

The "CloudPasswordPolicyForPasswordSyncedUsersEnabled" Solution

When this feature is enabled (set to True), it changes the enforcement logic for synchronized users.

What Changes?

When enabled, Microsoft Entra ID applies its own tenant-level password policy to the synchronized user objects. This means:

- Cloud Policy Enforcement: The password policy defined in Entra ID (e.g., banning specific weak passwords, custom banned password lists, and expiration settings) is applied to synced users.
- Combined Security: Users benefit from both on-premises security (applied when they change their password on-prem) and cloud security (Entra ID Smart Lockout, banned password lists).

The Critical Use Case: "Password Never Expires"

The most common reason administrators enable this feature is to enforce the "Passwords never expire" setting in the cloud for synchronized users. Without this feature enabled, even if an administrator checks the box "Passwords never expire" in the Microsoft 365 Admin Center for a synced user, the setting is ignored; the on-premises expiration policy rules the account. With this feature enabled:

1. An admin sets the Entra ID policy to "Passwords never expire."
2. This setting is honored for synced users.
3. The on-premises expiration is effectively bypassed for cloud logins (though the on-premises account will still technically expire locally, Entra ID will continue to accept the password for cloud services indefinitely).

Technical Implementation

This setting cannot be toggled via the standard Admin Center GUI. It must be configured using the Microsoft Graph PowerShell SDK.

How to Check the Status

To see if this is currently enabled for your tenant, connect to Microsoft Graph and query the directory settings:

```powershell
# Connect to Microsoft Graph with the required permissions
Connect-MgGraph -Scopes "Policy.Read.All"

# Get the specific directory setting
$Setting = Get-MgDirectorySetting | Where-Object { $_.DisplayName -eq "Password Rule Settings" }

# Check the value
$Setting.Values | Where-Object { $_.Name -eq "CloudPasswordPolicyForPasswordSyncedUsersEnabled" }
```

How to Enable It

If the setting returns False or is not present, you can enable it using PowerShell:

```powershell
Connect-MgGraph -Scopes "Policy.ReadWrite.ApplicationConfiguration"

# Retrieve the policy object
$Setting = Get-MgDirectorySetting | Where-Object { $_.DisplayName -eq "Password Rule Settings" }

# If the setting exists, update it in place
if ($Setting) {
    Update-MgDirectorySetting -DirectorySettingId $Setting.Id -Values @(
        @{ Name = "CloudPasswordPolicyForPasswordSyncedUsersEnabled"; Value = "True" }
    )
}
else {
    # If the setting object does not exist (rare in modern tenants),
    # a new one must be created from the "Password Rule Settings" template
    $Template = Get-MgDirectorySettingTemplate | Where-Object { $_.DisplayName -eq "Password Rule Settings" }
    $NewSetting = @{
        TemplateId = $Template.Id
        Values     = @(
            @{ Name = "CloudPasswordPolicyForPasswordSyncedUsersEnabled"; Value = "True" }
        )
    }
    New-MgDirectorySetting -BodyParameter $NewSetting
}
```
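A practical follow-up to the check above is to find out which synced users are relying on the cloud "Passwords never expire" flag and whether that flag is actually in force. The audit script below is an added example, not from the original article; it reuses the same Get-MgDirectorySetting lookup the article shows, adds Get-MgUser, and the User.Read.All scope it requests is an assumption.

```powershell
# Added audit example (not from the original article). Assumes the same SDK
# cmdlets the article uses (Get-MgDirectorySetting) plus Get-MgUser; the
# User.Read.All scope is an assumption for reading user properties.
Connect-MgGraph -Scopes "Policy.Read.All", "User.Read.All"

function Get-SyncedUserExpirationAudit {
    # Read the tenant-level flag exactly as the article's check does
    $setting = Get-MgDirectorySetting |
        Where-Object { $_.DisplayName -eq "Password Rule Settings" }
    $raw = ($setting.Values |
        Where-Object { $_.Name -eq "CloudPasswordPolicyForPasswordSyncedUsersEnabled" }).Value
    $cloudPolicyEnforced = ($raw -eq "True")

    # Synced users whose cloud PasswordPolicies string says "never expires"
    $synced = Get-MgUser -All -Filter "onPremisesSyncEnabled eq true" `
        -Property "UserPrincipalName,PasswordPolicies"
    $neverExpire = $synced | Where-Object {
        $_.PasswordPolicies -match "DisablePasswordExpiration"
    }

    foreach ($u in $neverExpire) {
        # When the tenant flag is off, the per-user cloud flag is ignored for
        # synced accounts, so report it as ineffective rather than as a policy
        if ($cloudPolicyEnforced) {
            $note = "Effective: cloud accepts the password indefinitely, even after on-prem expiry"
        }
        else {
            $note = "Ignored: on-premises expiration policy governs this account"
        }
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            CloudFlag         = "DisablePasswordExpiration"
            FlagEffective     = $cloudPolicyEnforced
            Note              = $note
        }
    }
}

Get-SyncedUserExpirationAudit | Format-Table -AutoSize
```

Rows with FlagEffective set to False are the accounts where the Admin Center checkbox is giving a misleading picture; rows with True are the accounts whose cloud access now outlives the on-premises expiration and deserve compensating controls such as MFA and banned-password checks.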