2 Cool new password policy features in Azure AD Connect
>> The What
Two long-anticipated features have entered public preview in Azure AD Connect, killing off one of the last arguments for staying on AD FS or Pass-Through Authentication:
1. FORCE PASSWORD RESET AT LOGON - Sync temporary passwords and force change on next logon
2. ENFORCE CLOUD PASSWORD POLICY FOR SYNCED USERS - Apply Azure AD password expiration to synced accounts
>> The Why
It makes little sense to enforce password expiration on-prem and have it go away after syncing to Azure AD. Same goes for enforcing temporary passwords after helpdesk resets.
Many admins have been using PowerShell workarounds or stayed with AD FS/PTA because of this gap.
If this misalignment never crossed your mind, reconsider why you have password expiration at all. Microsoft and NIST now advocate longer passwords that don't expire, paired with good MFA.
>> The How
>> Enforce cloud password policy for synced accounts
Run this against Azure AD (e.g., via Azure Cloud Shell):
Available now in preview. Preview features carry no production support commitment from Microsoft, but in practice that is rarely a problem. Enable it and test.
>> The Caveats
>> Setting a permanent password from the cloud
Users signing in with a temporary password through a cloud service will set their permanent password in Azure AD, NOT directly back to on-prem AD. You need PASSWORD WRITEBACK and SSPR enabled for that.
>> Expired users
Expired accounts can still sign in to cloud services even when the on-prem account expiration attribute is set, because that attribute does not carry over to Azure AD. If you disable terminated users (rather than only expiring them), Azure AD Connect will sync the disabled state properly.
>> Service accounts
Service accounts will now have their passwords expire as well. Fix this per-account:
Your local password policy is NOT synced to Azure AD. If your on-prem policy expires passwords at 120 days but Azure AD defaults to 90 days, users will get confused by mismatched expiration prompts. Align both policies.
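Both "The How" and the service-account caveat above boil down to a short PowerShell session. The following is an added example, not the post's own snippet; it assumes the MSOnline and AzureAD modules are installed, that the account running it holds a Global Administrator role, and the service-account UPNs are placeholders.

```powershell
# Added example (not the post's own commands). Assumes the MSOnline and AzureAD
# PowerShell modules are installed and the caller is a Global Administrator.
# The service-account UPNs below are placeholders.

# --- Part 1: enforce the cloud password policy for synced users ---
Connect-MsolService

# Check the current state before changing anything
Get-MsolDirSyncFeatures -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers

# Turn the preview feature on (this is a tenant-wide setting)
Set-MsolDirSyncFeature -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers -Enable $true

# --- Part 2: exempt service accounts from cloud password expiration ---
Connect-AzureAD

$serviceAccounts = @(
    'svc-backup@contoso.example',   # placeholder
    'svc-monitor@contoso.example'   # placeholder
)

foreach ($upn in $serviceAccounts) {
    # DisablePasswordExpiration is a per-user Azure AD password policy value
    Set-AzureADUser -ObjectId $upn -PasswordPolicies 'DisablePasswordExpiration'
}

# --- Verification: list every synced user now exempt from expiration ---
# Review this list periodically; a human account showing up here is a policy gap.
Get-AzureADUser -All $true |
    Where-Object { $_.DirSyncEnabled -and $_.PasswordPolicies -like '*DisablePasswordExpiration*' } |
    Select-Object UserPrincipalName, PasswordPolicies
```

The verification query at the end doubles as a recurring audit of who is exempt from expiration, so the exception list does not quietly grow beyond service accounts.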
>> Final words
Use new knowledge responsibly and remember to share. These features represent important steps in unifying the identity experience between on-prem AD and Azure AD.