CloudPasswordPolicyForPasswordSyncedUsersEnabled

In the land of Microsoft Entra, there was a quiet village of Hybrid Users. For years, these villagers lived in two worlds: their ancestral home, the On-Premises Active Directory, and the shining city in the clouds, Azure. By default, a strange spell hung over the cloud city. Whenever a villager's password traveled from the old world to the cloud via Password Hash Synchronization, the city guards would stamp it with a mark: DisablePasswordExpiration. This meant that while the village elders back home forced everyone to change their passwords every 90 days, the cloud city never asked for a new one. A villager could have a password decades old in the cloud, even if it had expired a dozen times back in the village. The Security Guardians grew worried. "The clouds are not safe if the old ways aren't respected!" they cried. They reached for the legendary Graph PowerShell scroll and invoked the ancient command: CloudPasswordPolicyForPasswordSyncedUsersEnabled = $true. Suddenly, the air shifted. The DisablePasswordExpiration stamps began to fade. Now, the cloud city would finally listen to its own rules. If the cloud policy said a password was too old, it would challenge the user, even if the sync from the village hadn't reached them yet.

The tenant feature CloudPasswordPolicyForPasswordSyncedUsersEnabled controls whether Microsoft Entra ID applies its own password expiration policy to hybrid users. By default, when you configure Password Hash Synchronization (PHS), Microsoft Entra Connect sets the PasswordPolicies attribute of every synced user to DisablePasswordExpiration. The cloud therefore never treats a synced password as expired: a user whose password has expired in the local Active Directory (AD) but has never actually been changed can keep authenticating to cloud resources with the old credential indefinitely. Enabling this feature closes that gap.

Why the Default Behavior is a Security Risk

In a standard hybrid identity layout, the local Active Directory is the authority for the password. When a user changes their password on-premises, the new hash is synchronized to the cloud in the next sync cycle. The on-premises expiration date, however, is not synchronized, and the cloud has been told not to expire the password at all. A user who only ever signs in through cloud applications, a dormant account, or an account whose password was set years ago and never rotated therefore keeps working in the cloud with a password that on-premises policy would have forced to change long ago. (Disabling the on-premises account is a separate matter: the account-enabled state is synchronized in the normal sync cycle, so this feature is about password age, not about offboarding.) Enabling CloudPasswordPolicyForPasswordSyncedUsersEnabled makes Microsoft Entra ID evaluate the age of each synced password against the tenant's password validity period (90 days by default) and challenge the user when it has expired, whether or not on-premises AD has done so yet.

How the Cloud Password Policy Feature Functions

Once activated via Microsoft Graph PowerShell, the mechanism changes how synced users are provisioned.
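The following script is an added example, not code from the original page or from Microsoft's documentation: it enables the feature with the Microsoft Graph PowerShell SDK, reads the setting back to confirm the write took effect, and then counts how many synced users are still stamped DisablePasswordExpiration, because enabling the feature does not rewrite existing users. It assumes the Microsoft.Graph.Identity.DirectoryManagement and Microsoft.Graph.Users modules are installed and that the signed-in account holds a role that may write directory synchronization settings; the scope names and cmdlets are the SDK's own.

```powershell
# Added example: enable CloudPasswordPolicyForPasswordSyncedUsersEnabled and verify it.
# Assumes the Microsoft Graph PowerShell SDK modules below are installed.
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Users

Connect-MgGraph -Scopes "OnPremDirectorySynchronization.ReadWrite.All", "User.Read.All" -NoWelcome

# There is one onPremisesDirectorySynchronization object per tenant; its Features
# bag holds the boolean switches that the sync engine consults.
$sync   = Get-MgDirectoryOnPremiseSynchronization
$before = [bool]$sync.Features.CloudPasswordPolicyForPasswordSyncedUsersEnabled
Write-Host "CloudPasswordPolicyForPasswordSyncedUsersEnabled (before): $before"

if (-not $before) {
    $sync.Features.CloudPasswordPolicyForPasswordSyncedUsersEnabled = $true
    Update-MgDirectoryOnPremiseSynchronization `
        -OnPremisesDirectorySynchronizationId $sync.Id `
        -Features $sync.Features
}

# Read the object back instead of trusting the local copy: a silent failure here
# means synced users keep being stamped DisablePasswordExpiration.
$after = [bool](Get-MgDirectoryOnPremiseSynchronization).Features.CloudPasswordPolicyForPasswordSyncedUsersEnabled
if (-not $after) {
    throw "Feature is still disabled; check the role and consented scopes of the signed-in account."
}
Write-Host "CloudPasswordPolicyForPasswordSyncedUsersEnabled (after): $after"

# What did NOT change: users synced before the switch keep DisablePasswordExpiration
# in PasswordPolicies until their next on-premises password change is synchronized.
$stamped = Get-MgUser -Filter "onPremisesSyncEnabled eq true" -All `
    -Property Id, UserPrincipalName, PasswordPolicies |
    Where-Object { $_.PasswordPolicies -match 'DisablePasswordExpiration' }
Write-Host "Synced users still stamped DisablePasswordExpiration: $(@($stamped).Count)"
```

Run it once before enabling PHS where possible, so the initial hash sync never writes the stamp; if PHS is already running, the final count tells you how many accounts remain exempt from the cloud policy until they change their password on-premises.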

The string cloudpasswordpolicyforpasswordsyncedusersenabled is the lowercase form of the Microsoft Graph property cloudPasswordPolicyForPasswordSyncedUsersEnabled, a boolean in the features object of the tenant's onPremisesDirectorySynchronization resource. It determines whether the Microsoft Entra ID password expiration policy applies to users whose passwords originate in on-premises Active Directory and are synchronized by Microsoft Entra Connect. The sections below summarize the setting for IT administrators and security teams.

1. Short definition (for docs or KB)

Cloud Password Policy for Password Synced Users Enabled: when enabled, users whose password hashes are synchronized from on-premises Active Directory by Microsoft Entra Connect are subject to the Microsoft Entra ID password expiration policy (the tenant's password validity period, 90 days by default) instead of being marked DisablePasswordExpiration. The on-premises password and the on-premises policy are unchanged; the cloud simply stops exempting synced users from its own expiration rule. The setting does not control Microsoft Entra Password Protection (banned password lists), which is a separate feature.

2. Detailed technical explanation

Setting name (Microsoft Graph): cloudPasswordPolicyForPasswordSyncedUsersEnabled, a boolean in the features object of the tenant's onPremisesDirectorySynchronization resource.

Where it's used:

Microsoft Entra Connect Password Hash Synchronization (the component that writes PasswordPolicies for synced users)
Microsoft Graph: GET and PATCH /directory/onPremisesSynchronization/{id}, property features.cloudPasswordPolicyForPasswordSyncedUsersEnabled
Microsoft Graph PowerShell: Get-MgDirectoryOnPremiseSynchronization and Update-MgDirectoryOnPremiseSynchronization
Deprecated MSOnline module: the same switch was named EnforceCloudPasswordPolicyForPasswordSyncedUsers (Set-MsolDirSyncFeature)

Behavior:

Enabled = true → Microsoft Entra Connect no longer writes DisablePasswordExpiration to PasswordPolicies for newly synced users, and removes it from existing users when their next on-premises password change is synchronized. Microsoft Entra ID then treats a synced password as expired once it is older than the tenant's password validity period and challenges the user at sign-in, independently of whether on-premises AD has expired it.
Enabled = false (the default) → every synced user carries DisablePasswordExpiration. The cloud never expires the password; the only expiration that exists is the on-premises one, which is enforced only when the user authenticates against AD.

Why enable it:

To stop stale passwords from remaining valid in the cloud for years when the on-premises expiration never triggers (accounts that only sign in through cloud applications, dormant accounts). To enforce one expiration interval consistently for hybrid and cloud-only users, even if the on-premises policy is weak or not applied to every account. To bound the lifetime of a compromised synced password by the cloud rotation window instead of leaving it usable indefinitely.

Important note:

Does not change the on-premises password, the on-premises password policy, or the on-premises expiration date; the cloud applies its own clock, the user's lastPasswordChangeDateTime in Microsoft Entra ID measured against the tenant's password validity period.
Does not add complexity or banned-password checks; password content is validated where the password is set, and Microsoft Entra Password Protection is configured separately.
Does not affect cloud-only users, who always follow the cloud policy.
Does not rewrite existing users when enabled: a user keeps DisablePasswordExpiration until their next synchronized password change, or until an administrator clears the value in PasswordPolicies. Enable the feature before turning on PHS where possible, so the initial hash sync never writes the stamp.
A synced user whose cloud password has expired is prompted to change it. Without password writeback that change has to be made on-premises and the new hash has to synchronize before cloud sign-in succeeds, so plan the rollout (or enable self-service password reset with writeback) to avoid lockouts from cloud applications. With password writeback, cloud-initiated changes are validated against the on-premises policy, as they always are.
Review synced service and emergency accounts whose on-premises passwords are set never to expire: the cloud clock applies to them as well unless their cloud PasswordPolicies value still exempts them.
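The script below is an added example, not code from the original page or from Microsoft's documentation. It audits the gap the notes above describe: synced users that still carry DisablePasswordExpiration, how old their cloud password is compared with the tenant's validity period, and which of them would already be expired under the cloud policy but are not being challenged because of the stamp. With the -Remediate switch it clears the stamp by setting PasswordPolicies to None, which is the Graph value that removes the exemption. It assumes the Microsoft.Graph.Users and Microsoft.Graph.Identity.DirectoryManagement modules; the parameter names and the report columns are this example's own.

```powershell
# Added example: audit and optionally remediate synced users still exempt from cloud expiration.
# Assumes Microsoft.Graph.Users and Microsoft.Graph.Identity.DirectoryManagement are installed.
param(
    [switch]$Remediate,             # without this switch the script only reports
    [int]$MaxAgeDaysOverride = 0    # 0 = use the tenant's PasswordValidityPeriodInDays
)
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Connect-MgGraph -Scopes "User.ReadWrite.All", "Domain.Read.All" -NoWelcome

# The validity period lives on the domain object; 2147483647 means "never expires",
# and an unset value means the tenant default of 90 days.
$domain = Get-MgDomain | Where-Object { $_.IsDefault } | Select-Object -First 1
$maxAge = if ($MaxAgeDaysOverride -gt 0)                { $MaxAgeDaysOverride }
          elseif ($domain.PasswordValidityPeriodInDays) { $domain.PasswordValidityPeriodInDays }
          else                                          { 90 }
if ($maxAge -ge 2147483647) {
    Write-Warning "Tenant policy is 'never expires'; the feature changes nothing until the validity period is lowered."
}

# Only enabled, directory-synced accounts matter here; cloud-only users already follow cloud policy.
$synced = Get-MgUser -Filter "onPremisesSyncEnabled eq true and accountEnabled eq true" -All `
    -Property Id, UserPrincipalName, PasswordPolicies, LastPasswordChangeDateTime

$report = foreach ($u in $synced) {
    $stamped = [bool]($u.PasswordPolicies -match 'DisablePasswordExpiration')
    $ageDays = if ($u.LastPasswordChangeDateTime) {
        [int]((Get-Date) - $u.LastPasswordChangeDateTime).TotalDays
    } else { $null }
    [pscustomobject]@{
        UserPrincipalName  = $u.UserPrincipalName
        ExpirationDisabled = $stamped
        PasswordAgeDays    = $ageDays
        # Would be expired under the cloud policy, but is not challenged because of the stamp.
        SilentlyOverAge    = ($stamped -and ($null -ne $ageDays) -and ($ageDays -gt $maxAge))
    }
}
$report | Sort-Object PasswordAgeDays -Descending | Format-Table -AutoSize

if ($Remediate) {
    foreach ($row in ($report | Where-Object { $_.ExpirationDisabled })) {
        $user = $synced | Where-Object { $_.UserPrincipalName -eq $row.UserPrincipalName }
        # 'None' clears DisablePasswordExpiration, so the cloud clock applies at the next sign-in.
        # Users flagged SilentlyOverAge will be challenged immediately; without password writeback
        # they must change the password on-premises and wait for the hash to synchronize.
        Update-MgUser -UserId $user.Id -PasswordPolicies "None"
        Write-Host "Cleared DisablePasswordExpiration for $($row.UserPrincipalName)"
    }
}
```

Run it without -Remediate first and look at the SilentlyOverAge column: those are the accounts that will be blocked from cloud sign-in the moment the stamp is removed, so either stage them by having their owners change passwords on-premises beforehand, or make sure password writeback is in place, before re-running with -Remediate.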