Alexander's Blog

Sharing knowledge with the global IT community since November 1, 2004

Azure Active Directory Password Policies


The Azure Active Directory (AAD) password policies affect the users in Office 365. If you are an AAD Administrator or an Office 365 Global Administrator, you will find the password policies configuration options documented in this article useful. If your organization allows users to reset their own passwords, then make sure you share this information with the users because it’s important for them to know what they can or cannot do when they use the Self-Service Password Reset (SSPR) feature in AAD.

According to Microsoft, the following password policies and complexity requirements apply to all users in an AAD tenant that is associated with Office 365.

User Principal Name (UPN) Policies

A user principal name (UPN) in AAD (and in on-premises Active Directory (AD)) is the name format used to sign in to Active Directory. It looks like an email address and is usually (but not always) the user’s email address. For example, BillGates@Contoso.com is the UPN that Bill would use to sign in to his Active Directory account, whether he is signing in to the Office 365 portal in the cloud or to his on-premises Active Directory account.

The following policies apply to both AAD and AD user accounts.

UPN Policies that Apply to Azure Active Directory and On-Premises Active Directory Accounts (Property: UPN Requirements)

Characters allowed:
  • Uppercase characters: A-Z
  • Lowercase characters: a-z
  • Numbers: 0-9
  • Special characters: ! - _ # . ^ ~
Characters not allowed:
  • Any “@” character that’s not separating the username from the domain
  • A period character “.” immediately preceding the “@” symbol
Length constraints:
  • The total length must not exceed 113 characters
  • There can be up to 64 characters before the “@” symbol
  • There can be up to 48 characters after the “@” symbol

The following policies apply only to AAD user accounts.

UPN Policies that Apply Only to Azure Active Directory User Accounts in the Cloud (Property: UPN Requirements)

Characters allowed:
  • Uppercase characters: A-Z
  • Lowercase characters: a-z
  • Numbers: 0-9
  • Special characters: @ # $ % ^ & * - _ ! + = [ ] { } | \ : ' , . ? / ` ~ " ( ) ;
Characters not allowed:
  • Unicode characters
  • Spaces
  • Strong passwords only
Password restrictions:
  • A minimum of 8 characters and a maximum of 16 characters.
  • Strong passwords only: requires three out of four of the following:
    • Lowercase characters
    • Uppercase characters
    • Numbers (0-9)
    • Symbols (see the characters allowed above)
Password expiry duration:
  • Default value: 90 days
  • The value is configurable by using the Set-MsolPasswordPolicy cmdlet in the AAD Module for Windows PowerShell
Password expiry notification:
  • Default value: 14 days (before the password expires)
  • The value is configurable by using the Set-MsolPasswordPolicy cmdlet in the AAD Module for Windows PowerShell
Password expiry:
  • Default value: false (indicates that password expiry is enabled)
  • The value can be configured for individual user accounts by using the Set-MsolUser cmdlet
Password change history: The last password can’t be used again when the user changes a password
Password reset history: The last password can be used again when the user resets a forgotten password
Account lockout: After 10 unsuccessful sign-in attempts with the wrong password, the user is locked out for one minute. Further incorrect sign-in attempts lock out the user for increasing durations of time
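The two tables above are easy to misread when writing provisioning scripts, so here is an added PowerShell example (not code from the article or from Microsoft) that turns the UPN rules and the cloud-only password rules into pre-flight checks. It assumes the tables are the complete rule set, and it takes the dash listed among the special characters to mean the ASCII hyphen; the service itself may apply further checks, so treat a “Valid” result as necessary, not sufficient.

```powershell
# Added example, not the article's or Microsoft's code. Checks a UPN and a proposed
# cloud-only password against the rules tabulated in the article. Assumes those
# tables are the complete rule set; the service may apply further checks.

function Test-AadUserPrincipalName {
    param([Parameter(Mandatory)][string]$Upn)
    $problems = New-Object 'System.Collections.Generic.List[string]'

    $parts = $Upn.Split('@')
    if ($parts.Count -ne 2) {
        $problems.Add('exactly one "@" must separate the user name from the domain')
    } else {
        $user, $domain = $parts
        if ($Upn.Length -gt 113)   { $problems.Add("total length $($Upn.Length) exceeds 113 characters") }
        if ($user.Length -gt 64)   { $problems.Add("user part is $($user.Length) characters, limit is 64") }
        if ($domain.Length -gt 48) { $problems.Add("domain part is $($domain.Length) characters, limit is 48") }
        if ($user.EndsWith('.'))   { $problems.Add('a period may not immediately precede "@"') }
        # Allowed UPN characters per the table: A-Z a-z 0-9 and ! - _ # . ^ ~
        foreach ($p in $user, $domain) {
            if ($p -notmatch '^[A-Za-z0-9!\-_#.^~]+$') {
                $problems.Add("'$p' contains characters outside the allowed set")
            }
        }
    }
    [pscustomobject]@{ Upn = $Upn; Valid = ($problems.Count -eq 0); Problems = $problems }
}

function Test-AadPasswordPolicy {
    param([Parameter(Mandatory)][string]$Password)
    $problems = New-Object 'System.Collections.Generic.List[string]'
    # Symbols from the table, written as a regex character-class body.
    # The table's dash is assumed to be the ASCII hyphen.
    $symbols = '@#$%^&*\-_!+=\[\]{}|\\:'',.?/`~"();'

    if ($Password.Length -lt 8 -or $Password.Length -gt 16) {
        $problems.Add("length must be 8 to 16 characters (got $($Password.Length))")
    }
    if ($Password -match '\s') { $problems.Add('spaces are not allowed') }
    # Anything outside the allowed ASCII set (including Unicode) is rejected.
    if ($Password -notmatch ('^[A-Za-z0-9' + $symbols + ']*$')) {
        $problems.Add('contains a character outside the allowed set (e.g. Unicode)')
    }

    # "Strong passwords only": three of the four classes. -cmatch keeps case checks exact.
    $classes = 0
    if ($Password -cmatch '[a-z]') { $classes++ }
    if ($Password -cmatch '[A-Z]') { $classes++ }
    if ($Password -match  '[0-9]') { $classes++ }
    if ($Password -match ('[' + $symbols + ']')) { $classes++ }
    if ($classes -lt 3) { $problems.Add("needs 3 of 4 character classes, found $classes") }

    # The password itself is deliberately not echoed back in the result object.
    [pscustomobject]@{ Valid = ($problems.Count -eq 0); Problems = $problems }
}

# Constructed sample inputs for a quick run
'BillGates@Contoso.com', 'bill.@contoso.com', 'bill gates@contoso.com' |
    ForEach-Object { Test-AadUserPrincipalName $_ } | Format-List
'Summer2018!', 'contoso pass', 'abcdefgh' |
    ForEach-Object { Test-AadPasswordPolicy $_ } | Format-List
```

The result objects carry a Problems list rather than a single boolean so that an onboarding script can show the user every rule they missed at once; the password function intentionally omits the tested value from its output so the object can be logged safely.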

If you are a Global Administrator of your Office 365 tenancy, you can check the password policies quickly by using the Azure Active Directory PowerShell module. You can also use this module to manage your password expiration policy. Here’s how.

Check Current Password Expiration Policy

  1. Download and install the AAD PowerShell module. Visit https://www.powershellgallery.com/ and search for MSOnline PowerShell for Azure Active Directory. The module requires .NET Framework 4.5 or above and you can install it on Windows Server 2008 SP1 and later servers or Windows 7.1 SP1 and later clients. For detailed installation requirements and documentation visit this page.
  2. Sign in using your company’s administrator credentials.
  3. To check the “password never expires” setting for ALL USERS, use the following command.
    Get-MsolUser | Select UserPrincipalName, PasswordNeverExpires
  4. To see whether a specific user’s password is configured to never expire, use the following command.
    Get-MsolUser -UserPrincipalName <user ID> | Select PasswordNeverExpires
    For example: Get-MsolUser -UserPrincipalName BillGates@Contoso.com | Select PasswordNeverExpires

Set Azure AD Password Policy Using PowerShell

  1. Download and install the AAD PowerShell module. Visit https://www.powershellgallery.com/ and search for MSOnline PowerShell for Azure Active Directory. The module requires .NET Framework 4.5 or above and you can install it on Windows Server 2008 SP1 and later servers or Windows 7.1 SP1 and later clients. For detailed installation requirements and documentation visit this page.
  2. Sign in using your company’s administrator credentials.
  3. To set the password expiration for ALL USERS in your Office 365 tenant, use the following command.
    Get-MsolUser | Set-MsolUser -PasswordNeverExpires $false
    This will set the passwords for all users to expire after a period configured by the Global Administrator. The default value is 90 days. For security reasons, you should set the password for users to always expire. However, if for some reason you want to reverse the setting and set the password to never expire for ALL USERS then change the $false at the end of the line to $true, as follows.
    Get-MsolUser | Set-MsolUser -PasswordNeverExpires $true
  4. To set the password expiration for ONLY ONE USER in your Office 365 tenant, use the following command.
    Set-MsolUser -UserPrincipalName <user ID> -PasswordNeverExpires $false
    For example, Set-MsolUser -UserPrincipalName BillGates@Contoso.com -PasswordNeverExpires $false.
    This will set Bill Gates’ password to expire. If for some reason you want to reverse the setting and set the password to never expire then change the $false at the end of the line to $true, as follows.
    Set-MsolUser -UserPrincipalName <user ID> -PasswordNeverExpires $true
    For example, Set-MsolUser -UserPrincipalName BillGates@Contoso.com -PasswordNeverExpires $true
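The two procedures above are one workflow in practice: report first, then change only the accounts you have reviewed. The following PowerShell script is an added example (not the article’s own code) that wraps the same MSOnline cmdlets into a report of the per-domain expiry policy and of every user whose password never expires, with a separate function that only applies Set-MsolUser when you pass -Apply. It assumes the MSOnline module is installed and that Connect-MsolService has already succeeded with Global Administrator credentials; the -Exclude parameter and the function names are my own.

```powershell
# Added example, not from the article. Assumes the MSOnline module is installed and
# Connect-MsolService has already been run as a Global Administrator.

function Get-AadPasswordExpiryReport {
    # Per-domain expiry settings, i.e. what Set-MsolPasswordPolicy controls
    $domainPolicy = Get-MsolDomain | ForEach-Object {
        $p = Get-MsolPasswordPolicy -DomainName $_.Name
        [pscustomobject]@{
            Domain           = $_.Name
            ValidityPeriod   = $p.ValidityPeriod    # days until expiry (default 90)
            NotificationDays = $p.NotificationDays  # warning window (default 14)
        }
    }
    # -All avoids Get-MsolUser's default page limit, so large tenants are not silently truncated
    $neverExpires = Get-MsolUser -All |
        Where-Object { $_.PasswordNeverExpires } |
        Select-Object UserPrincipalName, LastPasswordChangeTimestamp
    [pscustomobject]@{ DomainPolicy = $domainPolicy; NeverExpires = $neverExpires }
}

function Set-AadPasswordExpiryForUsers {
    param(
        [Parameter(Mandatory)][string[]]$UserPrincipalName,
        [string[]]$Exclude = @(),  # accounts deliberately left non-expiring (e.g. reviewed service accounts)
        [switch]$Apply              # without -Apply this is a dry run that only reports
    )
    foreach ($upn in $UserPrincipalName) {
        if ($Exclude -contains $upn) { "skipped (excluded): $upn"; continue }
        if ($Apply) {
            Set-MsolUser -UserPrincipalName $upn -PasswordNeverExpires $false
            "changed: $upn"
        } else {
            "would change: $upn"
        }
    }
}

# Usage: review the report, then run the dry run, then add -Apply for the reviewed list.
$report = Get-AadPasswordExpiryReport
$report.DomainPolicy | Format-Table -AutoSize
$report.NeverExpires | Format-Table -AutoSize
$targets = $report.NeverExpires.UserPrincipalName
Set-AadPasswordExpiryForUsers -UserPrincipalName $targets -Exclude 'svc-backup@contoso.com'
# Set-AadPasswordExpiryForUsers -UserPrincipalName $targets -Exclude 'svc-backup@contoso.com' -Apply
```

Keeping the report and the change in separate functions, with the change defaulting to a dry run, is the practical form of the warning that follows: a tenant-wide Set-MsolUser touches every account, and the report lets you spot the service or emergency-access accounts that were set to never expire on purpose before you change them.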

Be careful when you change your password policies, especially when you change them for all the users because it can have an impact on a lot of people.

Thanks for reading my article. If you are interested in IT training & consulting services, please reach out to me. Visit ZubairAlexander.com for information on my professional background.

Copyright © 2018 SeattlePro Enterprises, LLC. All rights reserved.
