I'm looking to understand how Entra ID Password Protection operates for hybrid users who work with hybrid desktops or laptops. While I know that it helps prevent the use of passwords found in leaked databases, I'm curious about what happens if a user's credentials get compromised later on. Specifically, can a forced password change be triggered for these users when they are identified as risky, especially if they are only signing in on-premises?
If a user's credentials show up in a leaked database, Conditional Access policies can require them to change their password. Will hybrid users see prompts to change their passwords through their Office 365 applications, or does the password change request only occur when they sign in to their Office 365 accounts through the cloud? Also, can anyone clarify if this setup, combined with non-expiring passwords in on-premises AD, meets NIST's requirements for monitoring account compromise?
1 Answer
There might be some elements in the Risky Users policies that could help. But I think you’ll need an additional license for certain capabilities with M365, particularly if you're focusing on Risky Users behavior. You can definitely set up a policy that triggers self-recovery, but make sure you're using MFA and have on-premises password changes enabled too.
You're right about the license. They’ll need P2 to leverage those policies effectively.
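The following is an added example and not part of the question or either reply above. It shows how an administrator can verify the two pieces the answer describes: an enabled Conditional Access policy scoped to user risk that requires a secure password change with MFA, and the list of accounts Identity Protection currently marks as at risk. It assumes the Microsoft Graph PowerShell SDK is installed and the signed-in account has the `Policy.Read.All` and `IdentityRiskyUser.Read.All` permissions; the tenant needs Entra ID P2 for user-risk data, as the comment notes.

```powershell
# Added example (not from the thread): audit the user-risk password-change setup.
# Assumes Microsoft.Graph PowerShell SDK and delegated scopes listed below.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.Read.All', 'IdentityRiskyUser.Read.All'

# 1. Enabled Conditional Access policies that are scoped to user risk
#    and whose grant control includes a password change.
$policies = Get-MgIdentityConditionalAccessPolicy -All
$riskPolicies = $policies | Where-Object {
    $_.State -eq 'enabled' -and
    $_.Conditions.UserRiskLevels.Count -gt 0 -and
    $_.GrantControls.BuiltInControls -contains 'passwordChange'
}

if (-not $riskPolicies) {
    Write-Warning 'No enabled user-risk policy requires a password change.'
}
else {
    foreach ($p in $riskPolicies) {
        # Entra only accepts the password-change control together with MFA
        # (operator AND), which is the combination the answer recommends.
        $hasMfa = ($p.GrantControls.BuiltInControls -contains 'mfa') -and
                  ($p.GrantControls.Operator -eq 'AND')
        [pscustomobject]@{
            Policy      = $p.DisplayName
            RiskLevels  = ($p.Conditions.UserRiskLevels -join ',')
            RequiresMfa = $hasMfa
        }
    }
}

# 2. Accounts Identity Protection currently flags as at risk. These are the
#    users the policy above will interrupt at their next cloud sign-in.
Get-MgRiskyUser -Filter "riskState eq 'atRisk'" -All |
    Select-Object UserPrincipalName, RiskLevel, RiskState, RiskLastUpdatedDateTime
```

Conditional Access is evaluated only when Entra ID issues a token, so a hybrid user who signs in purely against on-premises AD is not interrupted until they authenticate to an Entra-protected application; for the resulting self-service password change to reach the on-premises account, password writeback must be enabled in the sync configuration.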