CloudPasswordPolicyForPasswordSyncedUsersEnabled
By default, when you configure Password Hash Synchronization (PHS), Microsoft Entra Connect sets the PasswordPolicies attribute of synced users to DisablePasswordExpiration. This means that if an employee's password expires in the local Active Directory (AD), they can still authenticate to cloud resources indefinitely using their old credentials. Enabling this feature mitigates this massive security gap.

Why the Default Behavior is a Security Risk
PATCH https://graph.microsoft.com/v1.0/directory/onPremisesSynchronization/{id} features.cloudPasswordPolicyForPasswordSyncedUsersEnabled
When enabled, this setting enforces Microsoft Entra ID password policies (e.g., banned password lists, password expiration, complexity) on users who have their passwords synced from on-premises Active Directory via Entra Connect. Normally, synced users follow on-prem AD policies; enabling this adds a cloud policy layer without changing the on-prem password.
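One way to check and enable the setting with the Microsoft Graph PowerShell SDK, then list the synced users who still carry DisablePasswordExpiration. This is an added example, not part of the original page; it assumes the Microsoft.Graph module is installed and that the signed-in admin can consent to the scopes shown.

```powershell
# Added example: enable the feature, then audit which synced users are still exempt.
# Assumption: Microsoft.Graph PowerShell SDK is installed (Install-Module Microsoft.Graph).
Connect-MgGraph -Scopes 'OnPremDirectorySynchronization.ReadWrite.All', 'User.Read.All'

# 1. Read the tenant's on-premises synchronization object and report the current state.
$sync    = Get-MgDirectoryOnPremiseSynchronization
$enabled = [bool]$sync.Features.CloudPasswordPolicyForPasswordSyncedUsersEnabled
Write-Host "CloudPasswordPolicyForPasswordSyncedUsersEnabled is currently: $enabled"

# 2. Turn the feature on only if it is off, so repeated runs are harmless.
if (-not $enabled) {
    $sync.Features.CloudPasswordPolicyForPasswordSyncedUsersEnabled = $true
    Update-MgDirectoryOnPremiseSynchronization `
        -OnPremisesDirectorySynchronizationId $sync.Id `
        -Features $sync.Features
    Write-Host 'Feature enabled.'
}

# 3. Enabling the feature does not rewrite existing users. Per Microsoft's
#    documentation, DisablePasswordExpiration is removed from a user at the next
#    password hash sync that follows an on-premises password change. Until then
#    the user keeps the old exemption, so list who is still carrying it.
$synced = Get-MgUser -All -Filter 'onPremisesSyncEnabled eq true' `
    -ConsistencyLevel eventual -CountVariable total `
    -Property Id, UserPrincipalName, PasswordPolicies, LastPasswordChangeDateTime

$stillExempt = @($synced | Where-Object {
    $_.PasswordPolicies -match 'DisablePasswordExpiration'
})

Write-Host ("{0} of {1} synced users still have DisablePasswordExpiration set." -f `
    $stillExempt.Count, @($synced).Count)

# Oldest password changes first: these accounts have gone longest without a reset.
$stillExempt |
    Sort-Object LastPasswordChangeDateTime |
    Select-Object UserPrincipalName, PasswordPolicies, LastPasswordChangeDateTime |
    Format-Table -AutoSize
```

Accounts that must be brought under the cloud policy before their next on-premises password change can have the flag cleared individually with `Update-MgUser -UserId <id> -PasswordPolicies None`.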
A: Your organization has enabled “Cloud Password Policy for Password Synced Users.” Even though your password works on-premises, it might be on Microsoft’s global banned password list or too common. You’ll need to choose a stronger password that satisfies both policies.