diff --git a/internal/common/eventmanager.go b/internal/common/eventmanager.go
index 2b5da1b4..b94a1816 100644
--- a/internal/common/eventmanager.go
+++ b/internal/common/eventmanager.go
@@ -2137,10 +2137,17 @@ func executeMetadataCheckRuleAction(conditions dataprovider.ConditionOptions, pa
 func executePwdExpirationCheckForUser(user *dataprovider.User, config dataprovider.EventActionPasswordExpiration) error {
 if err := user.LoadAndApplyGroupSettings(); err != nil {
- eventManagerLog(logger.LevelError, "skipping password expiration check for user %s, cannot apply group settings: %v",
+ eventManagerLog(logger.LevelError, "skipping password expiration check for user %q, cannot apply group settings: %v",
 user.Username, err)
 return err
 }
+ if user.ExpirationDate > 0 {
+ if expDate := util.GetTimeFromMsecSinceEpoch(user.ExpirationDate); expDate.Before(time.Now()) {
+ eventManagerLog(logger.LevelDebug, "skipping password expiration check for expired user %q, expiration date: %s",
+ user.Username, expDate)
+ return nil
+ }
+ }
 if user.Filters.PasswordExpiration == 0 {
 eventManagerLog(logger.LevelDebug, "password expiration not set for user %q skipping check", user.Username)
 return nil
diff --git a/internal/common/eventmanager_test.go b/internal/common/eventmanager_test.go
index fd666ec3..7713d43b 100644
--- a/internal/common/eventmanager_test.go
+++ b/internal/common/eventmanager_test.go
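Review bot: The new expired-account guard in `executePwdExpirationCheckForUser` (eventmanager.go) sits after `user.LoadAndApplyGroupSettings()`, so an expired user whose group settings cannot be loaded still logs at error level and returns an error, even though its password check would be skipped anyway. `user.ExpirationDate` is read straight from the user here; if group settings never change it (not visible in this hunk), moving the guard to the top of the function would keep expired accounts from failing the rule and save the group lookup. The skip is logged only at `logger.LevelDebug`, so a short comment such as `// an expired account is skipped: return nil so the rule is not reported as failed` would record why `nil` is returned. The function body continues past the end of the hunk.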
@@ -1207,13 +1207,24 @@ func TestUserExpirationCheck(t *testing.T) {
 ExpirationDate: util.GetTimeAsMsSinceEpoch(time.Now().Add(-24 * time.Hour)),
 },
 }
+ user.Filters.PasswordExpiration = 5
 err := dataprovider.AddUser(&user, "", "", "")
 assert.NoError(t, err)
- err = executeUserExpirationCheckRuleAction(dataprovider.ConditionOptions{}, &EventParams{})
+ conditions := dataprovider.ConditionOptions{
+ Names: []dataprovider.ConditionPattern{
+ {
+ Pattern: username,
+ },
+ },
+ }
+ err = executeUserExpirationCheckRuleAction(conditions, &EventParams{})
 if assert.Error(t, err) {
 assert.Contains(t, err.Error(), "expired users")
 }
+ // the check will be skipped, the user is expired
+ err = executePwdExpirationCheckRuleAction(dataprovider.EventActionPasswordExpiration{Threshold: 10}, conditions, &EventParams{})
+ assert.NoError(t, err)
 err = dataprovider.DeleteUser(username, "", "", "")
 assert.NoError(t, err)
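Review bot: The added `assert.NoError` on `executePwdExpirationCheckRuleAction` only shows the skip indirectly: it passes because the call returns nil, and nothing in the hunk shows what the call would return for the same user if the expiry guard were missing. If `PasswordExpiration = 5` with `Threshold: 10` is chosen so that an unskipped check would fail in this test setup (presumably because a notification would be attempted), say so in the comment, e.g. `// without the expired-user skip this would try to notify and return an error`. A companion case with a future or zero `ExpirationDate` would pin the other side of the guard. `TestUserExpirationCheck` starts and ends outside the hunk.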