In this blog post I will go through the process of enabling password expiration within the Microsoft 365 portal. I will also go through the default password options within Azure AD.
Note: this only applies if you’re utilising a Microsoft cloud only setup.
Also, at the time of writing this post, Azure AD does not allow configuring password expiration from the Azure portal. You must carry out this action via PowerShell or from the 365 portal.
If you were not already aware, Microsoft recommends that the default password policy of passwords never expiring is left in place unless absolutely necessary. According to Microsoft’s website, research has found that when periodic password resets are enforced, passwords become less secure. Users tend to pick a weaker password and vary it slightly for each reset. If a user creates a strong password (long, complex and without any pragmatic words present) it should remain just as strong in the future as it is today. It is Microsoft’s official security position to not expire passwords periodically without a specific reason, and it recommends that cloud-only tenants set the password policy to never expire. The Secure Score text ends with: “Your current policy is set to never let passwords expire.”
Microsoft also highlights this within the Azure Portal Secure Score section, as shown below.
If there is a requirement for you to set passwords to expire within the cloud, let’s continue with the demo.
1. Log in to portal.office.com
2. Click Settings and then Org settings
3. Click Security & privacy
4. Click Password expiration policy
5. By default passwords are set to never expire. Click the option Set user passwords to expire after a number of days
6. Configure the settings as required, or leave the defaults, and click Save
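The same change can be made and verified from PowerShell, which the post notes is the other supported route. This is an added example, not the post’s own code; it assumes the Microsoft Graph PowerShell SDK is installed, that you hold a role able to update domains, and it uses contoso.com as a placeholder for your verified domain.

```powershell
# Added example (not from the original post): read, set and verify the tenant
# password expiration policy with the Microsoft Graph PowerShell SDK.
# Assumption: "contoso.com" is a placeholder for your own verified domain.

Connect-MgGraph -Scopes "Domain.ReadWrite.All", "User.Read.All"

$domain = "contoso.com"

# 1. Read the current policy. A validity of 2147483647 days is how
#    "passwords never expire" (the Microsoft-recommended default) is stored.
$before = Get-MgDomain -DomainId $domain
$before | Select-Object Id, PasswordValidityPeriodInDays, PasswordNotificationWindowInDays

# 2. Set passwords to expire after 90 days and warn users 14 days beforehand.
Update-MgDomain -DomainId $domain `
    -PasswordValidityPeriodInDays 90 `
    -PasswordNotificationWindowInDays 14

# 3. Verify the change actually applied before relying on it.
$after = Get-MgDomain -DomainId $domain
if ($after.PasswordValidityPeriodInDays -ne 90) {
    throw "Policy not applied: validity is $($after.PasswordValidityPeriodInDays) days"
}

# 4. List accounts that carry a per-user "never expire" override, since the
#    tenant-level expiration you just set does not apply to them.
Get-MgUser -All -Property UserPrincipalName, PasswordPolicies |
    Where-Object { $_.PasswordPolicies -like "*DisablePasswordExpiration*" } |
    Select-Object UserPrincipalName, PasswordPolicies

# To revert to the default of never expiring:
# Update-MgDomain -DomainId $domain -PasswordValidityPeriodInDays 2147483647 -PasswordNotificationWindowInDays 14
```

Run step 1 on its own first if you only want to audit the current setting; step 4 is worth keeping in a periodic review so exempted accounts do not go unnoticed.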
Moving on, let’s take a look at the default Azure password configuration.
1) Click the link to launch the Azure Active Directory admin center
2) Click Azure Active Directory
3) Click Security from the left pane
4) Click Authentication Methods
5) Click Password protection
6) The default settings are shown here
The Audit option applies to the custom list of banned passwords. If the mode is set to Enforce, users are prevented from setting a banned password and the attempt is blocked; if it is set to Audit, the attempt is only logged.