In a standard hybrid identity layout, your local Active Directory acts as the primary authority.
A: Your organization has enabled “Cloud Password Policy for Password Synced Users.” Even though your password works on-premises, it might be on Microsoft’s global banned password list or too common. You’ll need to choose a stronger password that satisfies both policies.
By default, a strange spell hung over the cloud city. Whenever a villager’s password traveled from the old world to the cloud, the city guards would stamp it with a mark: DisablePasswordExpiration. This meant that while the village elders back home forced everyone to change their passwords every 90 days, the cloud city never asked for a new one. A villager could have a password decades old in the cloud, even if it had expired a dozen times back in the village.
# If the setting exists, update it (Values takes an array of Name/Value hashtables)
if ($Setting) {
    Update-MgDirectorySetting -DirectorySettingId $Setting.Id -Values @(@{ Name = "CloudPasswordPolicyForPasswordSyncedUsersEnabled"; Value = "True" })
}
To see if this is currently enabled for your tenant, connect to Microsoft Graph and query the directory settings.
When enabled, this setting enforces Microsoft Entra ID password policies (e.g., banned password lists, password expiration, complexity) on users who have their passwords synced from on-premises Active Directory via Entra Connect. Normally, synced users follow on-prem AD policies; enabling this adds a cloud policy layer without changing the on-prem password.
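The following is an added example, not code from the page, that checks the flag, enables it only when it is off, and reads it back so a failed write is noticed. It assumes the Microsoft.Graph PowerShell cmdlets Get-MgDirectoryOnPremiseSynchronization and Update-MgDirectoryOnPremiseSynchronization, and that the flag is exposed as the cloudPasswordPolicyForPasswordSyncedUsersEnabled feature of the tenant's onPremisesDirectorySynchronization object rather than as a directory setting; both are this example's assumptions, not statements from the page.

```powershell
# Added example (not the page's own code). Assumption: the flag lives on the
# tenant's onPremisesDirectorySynchronization object (Graph v1.0), read and
# written with the Microsoft.Graph.Identity.DirectoryManagement cmdlets.

Connect-MgGraph -Scopes "OnPremDirectorySynchronization.ReadWrite.All"

# A hybrid tenant has one onPremisesDirectorySynchronization object.
$sync = Get-MgDirectoryOnPremiseSynchronization | Select-Object -First 1
if (-not $sync) {
    throw "No on-premises synchronization configuration found; is this tenant hybrid?"
}

$features = $sync.Features
$current  = [bool]$features.CloudPasswordPolicyForPasswordSyncedUsersEnabled
Write-Host "CloudPasswordPolicyForPasswordSyncedUsersEnabled is currently: $current"

if ($current) {
    Write-Host "Already enforced; nothing to change."
    return
}

# Turning this on subjects password-synced users to the cloud banned-password
# check and cloud expiration rules. Accounts already stamped with
# DisablePasswordExpiration are not rewritten by this script.
$features.CloudPasswordPolicyForPasswordSyncedUsersEnabled = $true
Update-MgDirectoryOnPremiseSynchronization `
    -OnPremisesDirectorySynchronizationId $sync.Id `
    -Features $features

# Read the object back instead of trusting that the write succeeded.
$after = Get-MgDirectoryOnPremiseSynchronization `
    -OnPremisesDirectorySynchronizationId $sync.Id
if (-not $after.Features.CloudPasswordPolicyForPasswordSyncedUsersEnabled) {
    throw "Setting did not persist; check the granted permissions and retry."
}
Write-Host "Cloud password policy is now enforced for password-synced users."
```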