Azure AD Accounts – Password Expiry

Sometimes, and only sometimes, it's a good plan to make sure certain accounts' passwords don't expire in Azure AD. In many cases you will be using Azure AD Connect to sync accounts, and those aren't the accounts I am referring to: they are managed, and should remain managed, on premises unless you have decided to go fully cloud and remove your hybrid servers.

The accounts to consider are the ones you manage yourself that need to run 24/7, like the account used by Azure AD Connect. Think of them the same way you would think of service accounts in Active Directory: you don't want the account you're using for SQL to have its password expire and the service stop running. Azure AD Connect requires two accounts: one with admin permissions on premises so it can read Active Directory, and a Global Admin account in Azure AD. If the account in Azure AD expires, you may run into issues when trying to sync. In my case passwords started refusing to sync over, but only passwords, and when I tried to reconfigure Azure AD Connect I got this error.

You will spend a lot of time if you search through Azure AD in Office 365 and the management portal for a check box that says "allow password expiry". Here's a general rule about Microsoft's new paradigm: "settings can always be changed via PowerShell, but not always via the GUIs", and this is an instance where that holds true.

It's fairly simple to perform this task, and it will help you manage the accounts that apps require to run.

Setting an Azure AD account's password to never expire

Step 1: Log on to Azure AD

Step 2: Set-MsolUser -UserPrincipalName serviceaccount@contoso.com -PasswordNeverExpires $true

That’s it!
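The two steps above as one complete session, with a verification step and a tenant-wide audit added so the exception stays limited to known service accounts. This is an added example, not code from the original post; the UPN is a placeholder and the Microsoft Graph equivalent at the end is noted as the newer module, not something the post itself uses.

```powershell
# Added example (not from the original post): disable password expiry for one
# Azure AD service account with the MSOnline module, then verify and audit.
# The UPN below is a placeholder; replace it with your own service account.

$Upn = 'serviceaccount@contoso.com'   # placeholder, assumed for this example

# Step 1: log on to Azure AD (prompts for credentials)
Connect-MsolService

# Step 2: disable password expiry for that one account only
Set-MsolUser -UserPrincipalName $Upn -PasswordNeverExpires $true

# Confirm the change actually took effect instead of assuming it did
Get-MsolUser -UserPrincipalName $Upn |
    Select-Object UserPrincipalName, PasswordNeverExpires, LastPasswordChangeTimestamp

# Periodic check: list every account in the tenant whose password never expires,
# so the list of exceptions can be compared against the known service accounts
Get-MsolUser -All |
    Where-Object { $_.PasswordNeverExpires -eq $true } |
    Select-Object UserPrincipalName, DisplayName, LastPasswordChangeTimestamp |
    Sort-Object UserPrincipalName

# Equivalent with the Microsoft Graph PowerShell SDK, which replaces MSOnline
# (not used in the original post; shown here for newer tenants):
#   Connect-MgGraph -Scopes 'User.ReadWrite.All'
#   Update-MgUser -UserId $Upn -PasswordPolicies 'DisablePasswordExpiration'
#   Get-MgUser -UserId $Upn -Property PasswordPolicies | Select-Object PasswordPolicies
```

Run it from a PowerShell session where the MSOnline module is installed. The audit query at the end is worth scheduling: a password that never expires is a deliberate exception, and the list of such accounts should stay short and recognisable.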


Some things are so easy to do, but so easily missed when planning things out. This is one of those things that may cause you some pain along the way.
