CloudPasswordPolicyForPasswordSyncedUsersEnabled

| Feature | Status: Disabled (Default) | Status: Enabled |
| :--- | :--- | :--- |
| | On-Premises AD Only | Entra ID Policy (for cloud interactions) |
| "Never Expire" Setting | Ignored for synced users | Enforced for synced users |
| Smart Lockout | Active (prevents brute force) | Active |
| Password Complexity | On-Prem Rules only | Cloud Rules applied on top |

However, if the user leaves the organization or fails to update their on-premises password, the on-premises expiration status does not block cloud access.

```powershell
# Check the value
# Assumption: $Setting already holds the settings object retrieved earlier (that step is not shown on this page)
$Setting.Values | Where-Object { $_.Name -eq "CloudPasswordPolicyForPasswordSyncedUsersEnabled" }
```

When a user changes their password on-premises, a hash is instantly synchronized to the cloud.

```powershell
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod"
Get-MgPolicyAuthenticationMethodPolicy | Select-Object -ExpandProperty AdditionalProperties
```

If the setting returns False or is not present, you can enable it using PowerShell:

The cloud identity remains active forever unless an explicitly triggered delta sync updates or disables the user account.