@davidmundt it's not currently possible if relying exclusively on Azure AD. When AD is involved, Connect requires being able to connect back to AD on-premise to get information about password expiration. 

I just found this:

Password Syncing with Jamf Connect - Jamf Connect Administrator's Guide | Jamf

Is there a reason why an Azure only setup wouldn't work? According to the Jamf documentation, it should, but I have not been able to test it yet.

We are currently using Azure AD only on our Macs. but the JCL menu bar app doesnt show the password expiration like Nomad did. My users are relying on Azure AD to popup in a browser to alert them to the need for a password change.

Have you already set in the configuration profile these two values?

<key>ExpirationCountdownStartDay</key>

<integer>14</integer>

<key>ExpirationNotificationStartDay</key>

<integer>7</integer>

I have not tried those keys. I was under the impression they were for AD not Azure AD but I will give them a try. Thanks!!!

I do have those keys set and I still don't get the password expiration date listed in the Menu Bar app.

In our environment we also had to set the Kerberos realm so tickets were pushed to our Mac's from the local AD. Now the countdown shows up in the menu bar.

I still have not gotten the expiration notification to work though.

We are all remote and relying on Azure AD for the IDP. I'd love to get it to show days till expiration but it still doesnt.

Do you have an example of this? 

I have Kerberos tickets getting pushed and I still do not see the countdown

Here is our Jamf Connect keys regarding the countdown and notification popup:

<key>PasswordPolicies</key>

<dict>

<key>ExpirationCountdownStartDay</key>

<integer>14</integer>

<key>ExpirationNotificationStartDay</key>

<integer>7</integer>

</dict>

Thanks!

I took over our Jamf Management on the computer side, and a lot of things weren't configured correctly, in this case (i hadn't thought to check this) our kerberos realm was wrong.

We are seeing the expiration password counter. But some of our end-users see a -22 (for example) counter in the menu bar or after a successful password change there is the wrong number of days. Does anyone see this and have success correcting it?  

We have a K-Realm and the configuration is set correctly.  it is more annoying than anything. 

Being on a VPN sometimes fixes this and sometimes it does not. 

kinit and reentering the K-Realm password for the end user and restarting Jamf Connect do not correct the counter.

We're Okta with OIDC and AD... (not an identity protect specialist, hacking away as best I can without access to the big boy tools). With Enterprise Connect and Kerberos SSO our clients can see how many days remain until their password expires (immediately the same day they change their password). But JamfConnect only shows the options to warning X days before? Nothing to show how many days remain if outside the short time warnings?

Anyone got this working?
I'm using Jamf Connect with Azure AD only and do not get any password notifications or see anything like days to expire or so.

The computer needs to be on a network that can see AD to get the password expiring. That info does not come thru Azure.

That is correct.

Your AAD should have access to Kerberos and AD. It also helps to frequently kill (refresh) that ticket for the client. Our JCClient does it each time the user clicks connect or logs out, and we definitely use SSPR when the user changes their password.