Configuring an Organization’s Password Policy in Microsoft 365 (Office 365)

Microsoft 365 (Office 365) password policies let you raise the security of your Azure AD tenant by enforcing rules for password complexity, lockout threshold and duration, password history, and more. In this article, we’ll look at the specifics of the organization-wide password policy in a Microsoft 365 tenant: what the defaults are, which settings can actually be changed, and where to change them.

When you deploy a new Azure AD tenant, it already has a password policy enabled and configured that is suitable for most organizations. Here is a list of the default Azure AD password policy settings:

  • Characters allowed: A - Z, a - z, 0 - 9, @ # $ % ^ & * - _ ! + = [ ] { } | \ : ' , . ? / ` ~ " ( ) ; < >, and blank spaces;
  • Unicode characters are not allowed;
  • Minimum password length — 8 characters (maximum 256);
  • Password complexity — three out of four character classes are required (lowercase letters, uppercase letters, digits, special symbols);
  • Password expiration — never (for tenants created after 2021; older tenants may still carry the earlier 90-day default);
  • Password history — the last password cannot be reused when the user changes a password;
  • Lockout threshold — 10 failed sign-in attempts (Smart Lockout);
  • Lockout duration — 60 seconds, increasing on repeated lockouts.

The Azure AD password policy applies to all cloud-only user accounts in Azure AD.

Most of the Azure AD password policy settings cannot be changed. A Microsoft 365 tenant admin can only configure:

  • Password expiration policy — whether user passwords expire and, if so, after how many days (in on-prem AD the equivalent is the Maximum password age setting of the domain password policy);
  • Account lockout settings — how many failed sign-in attempts a user can make before the account is locked, and for how long (see How to configure account lockout policy in Active Directory for the on-prem equivalent);
  • A list of custom banned passwords with Azure AD Password Protection (requires an Azure AD Premium P1 license; the Microsoft global banned password list is enforced in every tenant at no cost).

You can configure your organization’s password expiration policy via the Microsoft 365 Admin Center.

Note. Your account must have Global Admin permissions to make changes to the Microsoft 365 password policy.

  1. Sign in to https://portal.office.com/Adminportal/Home/#/homepage and go to Settings > Org settings;
  2. Switch to the Security & privacy tab;
  3. Find the Password expiration policy option. Here you configure whether user passwords in the organization expire at all;
  4. By default, the Set passwords to never expire option is enabled for new Microsoft 365 tenants. This is the setting Microsoft recommends. Security experts agree that forced password expiration does more harm than good: a requirement to change passwords regularly pushes users toward predictable passwords, such as the same base word with an incrementing number or the current month appended;
  5. If you still need expiration (for example, to satisfy a compliance requirement), untick the option, specify the number of days before the password expires, and how many days in advance users are warned;
  6. Save the changes. The new password policy is applied to all cloud-only users in the organization; individual accounts whose PasswordPolicies attribute contains DisablePasswordExpiration are exempt.
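The same procedure from the command line, as an added example that is not part of the original article: it reads and sets the tenant-wide expiration policy with the Microsoft Graph PowerShell SDK and then lists the per-user exemptions that the admin center does not show. It assumes the Microsoft.Graph module is installed and the signed-in account has consented to Domain.ReadWrite.All and User.Read.All; the domain name and the 90-day value are placeholders.

```powershell
# Added example, not code from the original article.
# Assumptions: Microsoft.Graph module installed; Domain.ReadWrite.All and
# User.Read.All consent; 'contoso.onmicrosoft.com' and 90 days are placeholders.
Connect-MgGraph -Scopes 'Domain.ReadWrite.All', 'User.Read.All'

# Current expiration settings per verified domain. A validity period of
# 2147483647 days is how the tenant stores "passwords never expire".
Get-MgDomain | Select-Object Id, PasswordValidityPeriodInDays, PasswordNotificationWindowInDays

# Set passwords to expire after 90 days, warning users 14 days in advance.
Update-MgDomain -DomainId 'contoso.onmicrosoft.com' `
    -PasswordValidityPeriodInDays 90 `
    -PasswordNotificationWindowInDays 14

# To revert to the Microsoft-recommended "never expire" setting:
# Update-MgDomain -DomainId 'contoso.onmicrosoft.com' -PasswordValidityPeriodInDays 2147483647

# Per-user exemptions override the domain policy; audit them so that admin and
# service accounts are not silently excluded from whatever policy you chose.
Get-MgUser -All -Property UserPrincipalName, PasswordPolicies, LastPasswordChangeDateTime |
    Where-Object { $_.PasswordPolicies -like '*DisablePasswordExpiration*' } |
    Select-Object UserPrincipalName, LastPasswordChangeDateTime
```

The audit at the end matters more than the policy value itself: an account flagged DisablePasswordExpiration keeps its password regardless of the domain setting, so a long-forgotten exemption on a privileged account is a common finding in tenant reviews.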

You can change the account lockout settings (Smart Lockout) and the banned password list using the Azure Portal:

  1. Go to https://portal.azure.com/;
  2. Select Azure Active Directory > Security > Authentication methods > Password protection;
  3. Here you can change the following options:
    Lockout threshold — 10 (default); the number of failed attempts before the account is locked;
    Lockout duration in seconds — 60 (default); the initial lockout, which grows on subsequent lockouts;
    Custom banned passwords (Enforce custom list) — a list of up to 1000 words that users may not include in their passwords, checked alongside Microsoft’s global banned list;
  4. In addition, here you can turn on Enable password protection on Windows Server Active Directory. This applies the global and custom banned password lists to your on-prem Active Directory domain controllers once the Azure AD Password Protection proxy service and the DC agent are installed. Leave the Mode set to Audit until the event logs show the rejection rate you expect, then switch to Enforced.

Smart Lockout tracks failed attempts per account and per sign-in source, so a legitimate user who keeps typing the correct password is normally not locked out by an attacker hammering the same account from elsewhere. Pick the threshold to be lower than the on-prem AD lockout threshold if you sync passwords, otherwise an attacker can lock users out of the domain through the cloud sign-in page.
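A check worth running after tuning the lockout settings, added here as an example that is not part of the original article: it pulls Azure AD sign-in events that failed with error code 50053 (account locked) from the last seven days and groups them by account and source IP, which separates a user who forgot a password from a password spray. It assumes the Microsoft.Graph module is installed, the account has AuditLog.Read.All consent, and the tenant has an Azure AD Premium P1 or P2 license (required to read sign-in logs through Graph); the 7-day window and the 5-lockout threshold are arbitrary choices.

```powershell
# Added example, not code from the original article.
# Assumptions: Microsoft.Graph module installed; AuditLog.Read.All consent;
# Azure AD Premium P1/P2 (sign-in logs via Graph); 7 days and 5 hits are arbitrary.
Connect-MgGraph -Scopes 'AuditLog.Read.All'

# Error 50053 = "account is locked because of too many sign-in attempts".
$since  = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$filter = "status/errorCode eq 50053 and createdDateTime ge $since"

$lockouts = Get-MgAuditLogSignIn -Filter $filter -All

# Group by target account and list the source IPs: one user, one IP, many
# lockouts is a forgotten password; many users, few IPs is a spray.
$lockouts |
    Group-Object UserPrincipalName |
    Sort-Object Count -Descending |
    ForEach-Object {
        [pscustomobject]@{
            User      = $_.Name
            Lockouts  = $_.Count
            SourceIPs = ($_.Group.IpAddress | Sort-Object -Unique) -join ', '
            LastSeen  = ($_.Group.CreatedDateTime | Measure-Object -Maximum).Maximum
        }
    } |
    Where-Object { $_.Lockouts -ge 5 } |
    Format-Table -AutoSize
```

If the same handful of IP addresses appears across many accounts, the lockout counter is doing its job; the follow-up is a Conditional Access block or a Named Location rule for those sources, not a higher threshold.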

Note that the Azure AD password complexity and expiration policy doesn’t apply to users synced from on-premises Active Directory through Azure AD Connect: with password hash synchronization, the on-prem domain password policy decides what a valid password is and when it expires, and the cloud expiration setting is ignored unless you enable the EnforceCloudPasswordPolicyForPasswordSyncedUsers feature in Azure AD Connect. Smart Lockout still applies to cloud sign-ins for synced accounts. Be sure to enable and configure a domain password policy in your on-prem AD domain if you’re syncing users, because that policy, not the one described above, is what protects those accounts.
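To check what the synced users are actually subject to, here is an added example (not part of the original article) that reads the on-prem default domain password policy, flags values weaker than a chosen baseline, and applies the baseline. It assumes it runs on a domain-joined host with the RSAT ActiveDirectory module as a Domain Admin; the baseline values (14 characters, 24 remembered passwords, 10 attempts, 15-minute lockout) are a reasonable starting point, not a Microsoft requirement.

```powershell
# Added example, not code from the original article.
# Assumptions: RSAT ActiveDirectory module; run as Domain Admin on a
# domain-joined host; the baseline numbers below are a starting point only.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot
$policy = Get-ADDefaultDomainPasswordPolicy -Identity $domain
$policy | Select-Object ComplexityEnabled, MinPasswordLength, PasswordHistoryCount,
    MaxPasswordAge, LockoutThreshold, LockoutDuration, LockoutObservationWindow,
    ReversibleEncryptionEnabled

# Flag settings weaker than the baseline before changing anything.
$findings = @()
if (-not $policy.ComplexityEnabled)        { $findings += 'complexity disabled' }
if ($policy.MinPasswordLength -lt 14)      { $findings += "min length $($policy.MinPasswordLength) < 14" }
if ($policy.PasswordHistoryCount -lt 24)   { $findings += "history $($policy.PasswordHistoryCount) < 24" }
if ($policy.LockoutThreshold -eq 0)        { $findings += 'lockout disabled (threshold 0)' }
if ($policy.ReversibleEncryptionEnabled)   { $findings += 'reversible encryption enabled' }
if ($findings) { Write-Warning ('Weak settings: ' + ($findings -join '; ')) }

# Apply the baseline. The observation window must not exceed the lockout
# duration, so both are set to 15 minutes. Expiration (MaxPasswordAge) is
# left as-is here; decide it together with the cloud policy above.
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -ComplexityEnabled $true `
    -MinPasswordLength 14 `
    -PasswordHistoryCount 24 `
    -LockoutThreshold 10 `
    -LockoutDuration (New-TimeSpan -Minutes 15) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 15) `
    -ReversibleEncryptionEnabled $false
```

Remember that fine-grained password policies (Password Settings Objects) override the default domain policy for the groups they target, so check Get-ADFineGrainedPasswordPolicy -Filter * as well before concluding that an account is covered by these values.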

I enjoy technology and developing websites. Since 2012 I've been running a few of my own websites, and I share useful content on gadgets, PC administration and website promotion.
Latest posts by Cyril Kardashevsky
