Set up a good password policy in Azure AD

A good password policy is the first step in securing your environment and company data. Without a password policy in place you can be sure that many users will choose a password that can be guessed or brute-forced in less than five minutes.

Passwords, never use simple passwords

Default Azure AD Password policy

Every Azure Active Directory tenant starts with the default Azure AD password policy. The default settings are summarized in the following table:

Property: Requirements

Characters allowed: A - Z, a - z, 0 - 9, the symbols @ # $ % ^ & * - _ ! + = [ ] { } | \ : ' , . ? / ` ~ " ( ) ; < > and blank space.

Characters not allowed: Unicode characters.

Password restrictions: A minimum of 8 characters and a maximum of 256 characters. Requires three out of four of the following: lowercase characters, uppercase characters, numbers (0-9), symbols (from the allowed list above).

Password expiry duration (maximum password age): Default value: 90 days. The value is configurable with the Set-MsolPasswordPolicy cmdlet from the Azure Active Directory Module for Windows PowerShell (MSOnline).

Password expiry notification (when users are notified of password expiration): Default value: 14 days before the password expires. The value is configurable with the Set-MsolPasswordPolicy cmdlet.

Password expiry (let passwords never expire): Default value: false (passwords have an expiration date). The value can be configured for individual user accounts with the Set-MsolUser cmdlet.

Password change history: The last password can't be used again when the user changes a password.

Password reset history: The last password can be used again when the user resets a forgotten password.
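The complexity rules in the table are easy to get wrong in scripts that generate or bulk-set passwords, so here is an added example (not code from the original post) that applies them locally before anything is sent to Azure AD. The function name and the sample passwords are mine; treating a blank space as allowed but not counted toward the symbol category is an assumption on my part, since the table lists it separately from the symbols.

```powershell
# Added example: local pre-check against the default Azure AD password rules
# (8-256 characters, ASCII only, three of four character categories).
function Test-AzureAdDefaultPasswordPolicy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Password
    )

    # Symbols from the "characters allowed" row; the trailing space is allowed
    # but (assumption) does not count as a symbol for the three-of-four rule.
    $allowedSymbols = '@#$%^&*-_!+=[]{}|\:'',.?/`~"();<>'
    $problems = [System.Collections.Generic.List[string]]::new()

    if ($Password.Length -lt 8 -or $Password.Length -gt 256) {
        $problems.Add("length must be 8-256 characters (got $($Password.Length))")
    }

    $hasLower = $false; $hasUpper = $false; $hasDigit = $false; $hasSymbol = $false
    foreach ($c in $Password.ToCharArray()) {
        if     ($c -cmatch '[a-z]')                 { $hasLower  = $true }
        elseif ($c -cmatch '[A-Z]')                 { $hasUpper  = $true }
        elseif ($c -cmatch '[0-9]')                 { $hasDigit  = $true }
        elseif ($allowedSymbols.IndexOf($c) -ge 0)  { $hasSymbol = $true }
        elseif ($c -eq ' ')                         { }   # allowed, uncounted
        else {
            # Anything else (including all non-ASCII/Unicode) is rejected.
            $problems.Add(("character '{0}' (U+{1:X4}) is not allowed" -f $c, [int]$c))
        }
    }

    $categories = @($hasLower, $hasUpper, $hasDigit, $hasSymbol | Where-Object { $_ }).Count
    if ($categories -lt 3) {
        $problems.Add("needs 3 of 4 categories (lower, upper, digit, symbol); has $categories")
    }

    [pscustomobject]@{
        Password  = ('*' * $Password.Length)   # never echo the candidate itself
        Compliant = ($problems.Count -eq 0)
        Problems  = $problems.ToArray()
    }
}

# Constructed test values (not real credentials).
'Passw0rd', 'correct horse battery staple', 'Tr0ub4dor&3', 'Pässwörd123' |
    ForEach-Object { Test-AzureAdDefaultPasswordPolicy -Password $_ } |
    Format-List
```

Two things the output makes visible: an all-lowercase passphrase such as "correct horse battery staple" fails the three-of-four rule even though it is long, and "Passw0rd" passes the complexity rules. The second case is exactly why the banned-password list described in the next section exists: complexity is necessary but not sufficient.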
Default Azure AD Policy

On top of the requirements above, all Azure AD tenants use Azure AD Password Protection. This feature blocks known weak passwords: Microsoft maintains a global banned password list that is kept up to date by analyzing Azure AD security telemetry for commonly used passwords that are weak or have been compromised.

In addition to the global list, you can add a custom banned password list to this policy. This way you can block passwords built from organization-specific terms such as brand names and product names. To use this feature you need an Azure AD Premium P1 (or P2) license; the global list itself applies to every tenant at no extra cost.

Microsoft password guidance

Microsoft has published password security guidance that is well worth reading. I am using this guidance to give you some tips and tricks on how to improve security in your environment.

How to change password protection settings

To change these settings, go to https://portal.azure.com and navigate to Azure Active Directory > Security > Authentication methods > Password protection.

Azure AD Password protection Authentication Methods

If you want to extend Password Protection to Windows Server Active Directory, you need to download and install two components: the Azure AD Password Protection proxy service on a member server that can reach Azure AD, and the DC agent on every writable domain controller (the domain controllers themselves need no internet access). This requires Azure AD Premium P1 licenses for the on-premises users. Start in Audit mode and review the rejected-password events before switching to Enforce, so a too-aggressive custom list does not lock out an entire helpdesk at once.
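The registration and verification steps for the on-premises deployment, as an added example that is not part of the original post. It assumes the proxy service and DC agent MSIs are already installed, that the AzureADPasswordProtection module they ship with is available, and that the account used is a Global Administrator for the proxy registration and an Enterprise Admin for the forest registration. The UPN is a placeholder.

```powershell
# Added example: register and verify Azure AD Password Protection for
# on-premises Active Directory. Placeholder admin account below.
Import-Module AzureADPasswordProtection

$adminUpn = 'admin@contoso.onmicrosoft.com'   # placeholder

# 1. On the proxy server: register the proxy with the Azure AD tenant.
Register-AzureADPasswordProtectionProxy -AccountUpn $adminUpn

# 2. Once per forest (Enterprise Admin): register the forest so DC agents
#    can find the proxy and download the banned-password policy.
Register-AzureADPasswordProtectionForest -AccountUpn $adminUpn

# 3. Verify the deployment. Every writable DC should be listed with a recent
#    heartbeat and a recent policy download; a DC that is missing here is
#    still accepting whatever its local AD policy allows.
Get-AzureADPasswordProtectionProxy |
    Format-Table ServerFQDN, SoftwareVersion, HeartbeatUTC -AutoSize
Get-AzureADPasswordProtectionDCAgent |
    Format-Table ServerFQDN, SoftwareVersion, Domain, PasswordPolicyDateUTC, HeartbeatUTC -AutoSize

# 4. Exercise the agent-to-proxy-to-Azure path end to end.
Test-AzureADPasswordProtectionDCAgentHealth -TestAll

# 5. Per-DC counts of password changes/sets that were (or, in Audit mode,
#    would have been) rejected. Watch this for a while before enforcing.
Get-AzureADPasswordProtectionSummaryReport
```

Run step 5 repeatedly during the Audit period; if a large share of normal password changes shows up as "would be rejected", tune the custom banned list before switching the portal setting to Enforce.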

Enable MFA

I cannot repeat this enough: enable Multi-Factor Authentication. If you have not done so, make this your first priority. With MFA enabled, the risk of an account being compromised drops by more than 90 percent (Microsoft's own telemetry puts the figure above 99.9 percent for automated attacks).

My recommendation is to use Azure AD Conditional Access policies, but if you don't have the proper license you can use the default per-user Office 365 MFA. You can set up per-user MFA in the following portal: https://account.activedirectory.windowsazure.com/UserManagement/MultifactorVerification.aspx

Remove password expiration policy

Microsoft recommends not expiring passwords on a fixed schedule, because forced rotation pushes users toward predictable variations of their old password. I believe this is good practice, as long as you have MFA!

If you want to remove the expiration policy, go to the Microsoft 365 admin center at https://admin.microsoft.com/adminportal and navigate to Settings > Org settings > Security & privacy > Password expiration policy.
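The same change scripted with the MSOnline cmdlets the policy table refers to, as an added example that is not part of the original post. It goes one step beyond the admin-center switch by disabling expiry only for accounts that have an MFA method registered, which matches the "as long as you have MFA" condition above. It assumes the MSOnline module is installed and you connect as a Global Administrator; the domain name is a placeholder.

```powershell
# Added example: inspect and change the tenant password expiration policy,
# and lift expiry per user only where MFA is registered. Placeholder domain.
Import-Module MSOnline
Connect-MsolService

$domain = 'contoso.onmicrosoft.com'   # placeholder

# Current tenant policy: ValidityPeriod and NotificationDays are in days
# (defaults 90 and 14, as in the table above).
Get-MsolPasswordPolicy -DomainName $domain

# Audit first: who is already exempt from expiry, and how old is each password?
Get-MsolUser -All |
    Select-Object UserPrincipalName, PasswordNeverExpires, LastPasswordChangeTimestamp |
    Sort-Object LastPasswordChangeTimestamp |
    Format-Table -AutoSize

# Option A: keep expiry but align it with your own review cycle
# (here 180 days, with a 30-day warning).
Set-MsolPasswordPolicy -DomainName $domain -ValidityPeriod 180 -NotificationDays 30

# Option B: follow the "never expire" guidance, but only for users who have
# registered at least one strong authentication method. Accounts without
# MFA keep the expiring policy. Note this checks registration, not whether a
# Conditional Access policy actually enforces MFA for the account.
Get-MsolUser -All |
    Where-Object { $_.StrongAuthenticationMethods.Count -gt 0 -and -not $_.PasswordNeverExpires } |
    ForEach-Object {
        Set-MsolUser -UserPrincipalName $_.UserPrincipalName -PasswordNeverExpires $true
        "Expiry disabled for $($_.UserPrincipalName)"
    }
```

One caveat: for users synchronized from on-premises Active Directory, the on-premises domain policy governs expiry and this cloud setting is ignored unless the tenant has EnforceCloudPasswordPolicyForPasswordSyncedUsers enabled, so check where the account is mastered before assuming the change took effect.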

Office 365 remove password expiration policy

More information

Self-service password reset policies – Azure Active Directory | Microsoft Docs
