SQL Server – How does contained database user password expiration work

contained-database, logins, password, sql server

I've recently started working with contained databases and I do not understand if/how contained database users have passwords that expire.

MSDN documentation says they do. With a SQL Server login, there's the option box to Enforce Password Expiration, but this does not exist (as far as I can tell) for contained database users.

These contained database accounts have been around for a while and our domain policy is to reset passwords every 6 months, but we have never had to change these passwords, and the applications are connecting just fine using the same password for the past couple of years.

My first question is: how do I know that "Password Expiration" is being enforced for contained database users? With SQL logins there's an is_expiration_checked column in sys.sql_logins.

With traditional SQL logins I can use the following function to get the time a SQL Server login was changed:

LOGINPROPERTY('login','PasswordLastSetTime')  

Is there something similar for contained database users?

Best Answer

Ok, so it looks like only password complexity requirements apply and not expiration - https://docs.microsoft.com/en-us/sql/relational-databases/security/password-policy?view=sql-server-2017 - "Note SQL Database enforces password complexity. The password expiration and policy enforcement sections do not apply to SQL Database."
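
The following inventory query is an added example, not part of the original question or answer. It sets the expiration fields that exist for SQL logins beside what the catalog exposes for contained database users with passwords. It assumes it is run inside the contained database, that modify_date is an acceptable rough proxy for the last password change (it is updated by any ALTER USER, not only a password change), and that 180 days stands in for the six-month policy mentioned in the question.

```sql
-- Instance-level SQL logins: policy and expiration state are exposed directly.
SELECT  name,
        is_policy_checked,
        is_expiration_checked,
        LOGINPROPERTY(name, 'PasswordLastSetTime') AS password_last_set,
        LOGINPROPERTY(name, 'DaysUntilExpiration') AS days_until_expiration
FROM    sys.sql_logins
WHERE   is_disabled = 0;

-- Contained database users that authenticate with a password stored in the database.
-- sys.database_principals has no expiration flag and no password-set timestamp,
-- so modify_date is used here only as an approximation (assumption, see above).
SELECT  name,
        authentication_type_desc,
        create_date,
        modify_date,
        DATEDIFF(DAY, modify_date, SYSDATETIME()) AS days_since_modified,
        CASE WHEN DATEDIFF(DAY, modify_date, SYSDATETIME()) > 180  -- assumed six-month policy
             THEN 'REVIEW: older than policy window'
             ELSE 'within policy window'
        END AS rotation_status
FROM    sys.database_principals
WHERE   type = 'S'                 -- SQL user
  AND   authentication_type = 2    -- DATABASE: contained user with password
ORDER BY modify_date;
```

Rows flagged by the second query are candidates for a manual password rotation with ALTER USER ... WITH PASSWORD.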