Azure AD Password Policy – Complete Guide

Azure AD Password policies help you to secure your Microsoft 365 tenant. The policy defines how strong a password must be when they expire, and how many logins attempts a user can do before they are locked out.

With cloud-only accounts, you can’t change the password policy. But when you have a local domain-joined Windows server then you can use local policies to overwrite the Azure AD policy.

In this article, we are going to take a look at the default Azure AD Password Policy. And how you can install and use the Active Directory Administrative Tools to create a custom policy.

Default Azure AD Password Policy

Microsoft has a pre-defined password policy that is used for all cloud-only Office 365 accounts. Cloud-only means that you create and manage your user accounts from the Microsoft 365 Admin Center. The other option is a hybrid environment, where you synchronize your user accounts between Office 365 and your local domain controller.

The Aure Active Directory Password Policy requirements are:

PropertyRequirements
Password lengthMinimum 8 characters – max 256
Password complexityThree out of the four following:
– lowercase character
– uppercase character
– number
– symbol
Allow characters– A – Z
– a – z
– 0 – 9
– @ # $ % ^ & * – _ ! + = [ ] { } | \ : ‘ , . ? / ` ~ ” ( ) ; < >
– blank space
Password expiresNot (can be changed)
Password expiry duration90 days (only when password expiry is enabled)
Password expiry duration notification14 days before the password expires
Password historyLast password can’t be used again
Password reset historyLast password can be used when the user has forgotten the password.
Lockout threshold10 (the account is locked after 10 failed login attempts)
Lockout duration60 seconds
azure ad password policy

Most part of the password policy can’t be changed when using cloud-only accounts. You can only enable password expiration and change the duration. If you have an Azure AD Premium plan in your Office 365 license then have a couple of more options when it comes to password protection.

Note

Using password expiration is not recommened. It will result in users that use predicatable password, and it doesn’t give any security benefits. When password are stolen after a succesfull phishing attempt they are almost always used immidiately by cybercriminals.

Enable Azure AD Password Expiration

By default, password expiration is disabled in Office 365. But even though it’s not recommended, you can still enable password expiration for your tenant. There are no license requirements for this, you only need to have access to the Microsoft 365 admin center.

  1. Open Microsoft 365 Admin Center
  2. Open Settings > Org settings
  3. Click on the Security & Privacy tab
  4. Open the Password Expiration Policy
azure ad password policy
  1. Enable “Set user passwords to expire after a number of days”
  2. Optionally, change the number of days before the password expires and the notification.
  3. Click Save to apply the settings

Using PowerShell to set the Password Policy

We can also use PowerShell to enable password expiration in Microsoft 365. For this we are going to need the Msol module in PowerShell, make sure that you have installed it.

To enable the password expiration we will need to set the validityperiod and notificationdays of the password policy:

# Connect to Msol services
Connect-MsolService

# Set and enable the password expiration policy
Set-MsolPasswordPolicy -DomainName lazydev.onmicrosoft.com -ValidityPeriod 180 -NotificationDays 30

Azure Password Protection

Azure Password Protection helps to keep your accounts safe. It determines after how many failed login attempts an account locks out and it allows you to create a custom banned password list. Words added to the custom banned password list can’t be used in the password that users create.

Tip

You can use this Microsoft 365 overview to check if your license has an Azure AD Premium plan.

To change the Azure AD Password Protection settings we will need to open the Azure AD portal:

  1. Go to portal.azure.com
  2. Open the Azure Active Directory
  3. Click on Security > Authentication Methods >Password Protection
Azure AD Password Protection
Azure AD Password Protection
  1. Here you can change the lockout threshold, which defines after how many attempts the account is locked out
  2. The lock duration defines how long the user account is locked in seconds
  3. To use a custom banned password list, enable the Enfore custom list setting and define the words that you want to ban.

Change Azure AD Password Policy

It’s not possible to change the Azure AD Password policy if you only have cloud-based user accounts. There is however an option to change the password policy, but for that, you will need a local server, that is synced with Azure AD. Because Azure Active Directory will follow the password policy of your local domain controller.

Before we continue, in the example below I already have set up a domain controller that is synced with Azure AD.

  1. On your domain controller open Active Directory Administrative Center
  2. Click on your local domain
  3. Open the Password Settings Container in the System container
  1. On the right side, click on New and select Password Settings
  1. We can now change the password policy. Make sure you set the precedence to 1 to override the default password policy.

Note

The account lockout settings only applies the the local domain and not to the Azure AD. This means that the default Azure AD lockout settings will be used for failed sign-ins in Office 365.
Change Password Policy
Change Password Policy
  1. Under Directly Applies to click on Add
  2. Select a Group to apply the policy to. I have chosen all Domain Users here
Apply Password Policy to a Group
Apply Password Policy to a Group
  1. Click ok to save and apply the password policy

The password policy will automatically be synced to Azure AD.

Wrapping Up

The default Azure AD password policy that is used for Office 365 cloud-only accounts is strong enough for most use-cases. If you really need to change the minimum password length then your only option is to use a local domain controller and use Azure AD Sync to synchronize the policy settings.

If you have any questions just drop a comment below.

Leave a Comment

0 Shares
Tweet
Pin
Share
Share