Azure Active Directory Password Policies
The Azure Active Directory (AAD) password policies affect the users in Office 365. If you are an AAD Administrator or an Office 365 Global Administrator, you will find the password policies configuration options documented in this article useful. If your organization allows users to reset their own passwords, then make sure you share this information with the users because it’s important for them to know what they can or cannot do when they use the Self-Service Password Reset (SSPR) feature in AAD.
According to Microsoft, the following password policies and complexity requirements in AAD, that are associated with an Office 365 tenant, apply to all users.
User Principal Name (UPN) Policies
A user principle name in AAD (and on-premises Active Directory (AD)) refers to the format that is used to sign in to Active Directory. It looks similar to a user’s email account and is usually (but, not always) the user’s email account. For example, BillGates@Contoso.com is the UPN that Bill would use to sign in to his Active Directory account, whether he is signing in to his Office 365 online portal in the cloud or to his Active Directory on-premises account.
The following policies apply to both AAD and AD user accounts.
| UPN Policies that Apply to Azure Active Directory and On-Premises Active Directory Accounts | |
| Property | UPN Requirements |
| Characters allowed |
|
| Characters not allowed |
|
| Length constraints |
|
The following policies apply only to Azure AAD user accounts.
| UPN Policies that Apply Only to Azure Active Directory User Accounts in the Cloud | |
| Property | UPN Requirements |
| Characters allowed |
|
| Characters not allowed |
|
| Password restrictions |
|
| Password expiry duration |
|
| Password expiry notification |
|
| Password expiry |
|
| Password change history | The last password can’t be used again when the user changes a password |
| Password reset history | The last password can be used again when the user resets a forgotten password |
| Account lockout | After 10 unsuccessful sign-in attempts with the wrong password, the user is locked out for one minute. Further incorrect sign-in attempts lock out the user for increasing durations of time |
If you are a Global Administrator of your Office 365 tenancy, you can check the password policies quickly by using the Azure Active Directory PowerShell module. You can also use this module to manage your password expiration policy. Here’s how.
Check Current Password Expiration Policy
- Download and install the AAD PowerShell module. Visit https://www.powershellgallery.com/ and search for MSOnline PowerShell for Azure Active Directory. The module requires .NET Framework 4.5 or above and you can install it on Windows Server 2008 SP1 and later servers or Windows 7.1 SP1 and later clients. For detailed installation requirements and documentation visit this page.
- Sign in using your company’s administrator credentials.
- If you want to check the password never expires setting for ALL USERS, use the following command.
Get-MSOLUser | Select UserPrincipalName, PasswordNeverExpires - To see whether a user’s password is configured to never expire, use the following command.
Get-MSOLUser -UserPrincipalName <user ID> | Select PasswordNeverExpires
For example, Get-MSOLUser -UserPrincipalName BillGates@Contoso.com | Select PasswordNeverExpires.
Set Azure AD Password Policy Using PowerShell
- Download and install the AAD PowerShell module. Visit https://www.powershellgallery.com/ and search for MSOnline PowerShell for Azure Active Directory. The module requires .NET Framework 4.5 or above and you can install it on Windows Server 2008 SP1 and later servers or Windows 7.1 SP1 and later clients. For detailed installation requirements and documentation visit this page.
- Sign in using your company’s administrator credentials.
- To set the password expiration for ALL USERS in your Office 365 tenant, use the following command.
Get-MsolUser | Set-MsolUser -PasswordNeverExpires $false
This will set the passwords for all users to expire after a period configured by the Global Administrator. The default value is 90 days. For security reasons, you should set the password for users to always expire. However, if for some reason you want to reverse the setting and set the password to never expire for ALL USERS then change the $false at the end of the line to $true, as follows.
Get-MsolUser | Set-MsolUser -PasswordNeverExpires $true - To set the password expiration for ONLY ONE USER in your Office 365 tenant, use the following command.
Set-MsolUser -UserPrincipalName <user ID> -PasswordNeverExpires $false
For example, Set-MsolUser -UserPrincipalName BillGates@Contoso.com -PasswordNeverExpires $false.
This will set Bill Gates’ password to expire. If for some reason you want to reverse the setting and set the password to never expire then change the $false at the end of the line to $true, as follows.
Set-MsolUser -UserPrincipalName <user ID> -PasswordNeverExpires $true
For example, Set-MsolUser -UserPrincipalName BillGates@Contoso.com -PasswordNeverExpires $true
Be careful when you change your password policies, especially when you change them for all the users because it can have an impact on a lot of people.
| Thanks for reading my article. If you are interested in IT training & consulting services, please reach out to me. Visit ZubairAlexander.com for information on my professional background. |
Copyright © 2018 SeattlePro Enterprises, LLC. All rights reserved.
