Azure AD Password policies help you to secure your Microsoft 365 tenant. The policy defines how strong a password must be when they expire, and how many logins attempts a user can do before they are locked out.
With cloud-only accounts, you can’t change the password policy. But when you have a local domain-joined Windows server then you can use local policies to overwrite the Azure AD policy.
In this article, we are going to take a look at the default Azure AD Password Policy. And how you can install and use the Active Directory Administrative Tools to create a custom policy.
Default Azure AD Password Policy
Microsoft has a pre-defined password policy that is used for all cloud-only Office 365 accounts. Cloud-only means that you create and manage your user accounts from the Microsoft 365 Admin Center. The other option is a hybrid environment, where you synchronize your user accounts between Office 365 and your local domain controller.
The Aure Active Directory Password Policy requirements are:
| Property | Requirements |
|---|---|
| Password length | Minimum 8 characters – max 256 |
| Password complexity | Three out of the four following: – lowercase character – uppercase character – number – symbol |
| Allow characters | – A – Z – a – z – 0 – 9 – @ # $ % ^ & * – _ ! + = [ ] { } | \ : ‘ , . ? / ` ~ ” ( ) ; < > – blank space |
| Password expires | Not (can be changed) |
| Password expiry duration | 90 days (only when password expiry is enabled) |
| Password expiry duration notification | 14 days before the password expires |
| Password history | Last password can’t be used again |
| Password reset history | Last password can be used when the user has forgotten the password. |
| Lockout threshold | 10 (the account is locked after 10 failed login attempts) |
| Lockout duration | 60 seconds |
Most part of the password policy can’t be changed when using cloud-only accounts. You can only enable password expiration and change the duration. If you have an Azure AD Premium plan in your Office 365 license then have a couple of more options when it comes to password protection.
Note: Using password expiration is not recommened. It will result in users that use predicatable password, and it doesn’t give any security benefits. When password are stolen after a succesfull phishing attempt they are almost always used immidiately by cybercriminals.
Enable Azure AD Password Expiration
By default, password expiration is disabled in Office 365. But even though it’s not recommended, you can still enable password expiration for your tenant. There are no license requirements for this, you only need to have access to the Microsoft 365 admin center.
- Open Microsoft 365 Admin Center
- Open Settings > Org settings
- Click on the Security & Privacy tab
- Open the Password Expiration Policy
- Enable “Set user passwords to expire after a number of days”
- Optionally, change the number of days before the password expires and the notification.
- Click Save to apply the settings
Using PowerShell to set the Password Policy
We can also use PowerShell to enable password expiration in Microsoft 365. For this we are going to need the Msol module in PowerShell, make sure that you have installed it.
To enable the password expiration we will need to set the validityperiod and notificationdays of the password policy:
1. # Connect to Msol services 2. Connect-MsolService 3. 4. # Set and enable the password expiration policy 5. Set-MsolPasswordPolicy -DomainName lazydev.onmicrosoft.com -ValidityPeriod 180 -NotificationDays 30
Azure Password Protection
Azure Password Protection helps to keep your accounts safe. It determines after how many failed login attempts an account locks out and it allows you to create a custom banned password list. Words added to the custom banned password list can’t be used in the password that users create.
TipYou can use this Microsoft 365 overview to check if your license has an Azure AD Premium plan.
To change the Azure AD Password Protection settings we will need to open the Azure AD portal:
- Go to portal.azure.com
- Open the Azure Active Directory
- Click on Security > Authentication Methods >Password Protection
- Here you can change the lockout threshold, which defines after how many attempts the account is locked out
- The lock duration defines how long the user account is locked in seconds
- To use a custom banned password list, enable the Enfore custom list setting and define the words that you want to ban.
Change Azure AD Password Policy
It’s not possible to change the Azure AD Password policy if you only have cloud-based user accounts. There is however an option to change the password policy, but for that, you will need a local server, that is synced with Azure AD. Because Azure Active Directory will follow the password policy of your local domain controller.
Before we continue, in the example below I already have set up a domain controller that is synced with Azure AD.
- On your domain controller open Active Directory Administrative Center
- Click on your local domain
- Open the Password Settings Container in the System container
4. On the right side, click on New and select Password Settings
- We can now change the password policy. Make sure you set the precedence to 1 to override the default password policy.
Note: The account lockout settings only applies the the local domain and not to the Azure AD. This means that the default Azure AD lockout settings will be used for failed sign-ins in Office 365.
- Under Directly Applies to click on Add
- Select a Group to apply the policy to. I have chosen all Domain Users here
- Click ok to save and apply the password policy
The password policy will automatically be synced to Azure AD.
Wrapping Up
The default Azure AD password policy that is used for Office 365 cloud-only accounts is strong enough for most use-cases. If you really need to change the minimum password length then your only option is to use a local domain controller and use Azure AD Sync to synchronize the policy settings.
If you have any questions just drop a comment below.