{"id":10220,"date":"2018-09-24T06:05:07","date_gmt":"2018-09-24T13:05:07","guid":{"rendered":"https:\/\/www.zubairalexander.com\/stage\/?p=10220"},"modified":"2018-09-24T07:39:31","modified_gmt":"2018-09-24T14:39:31","slug":"azure-active-directory-password-policies","status":"publish","type":"post","link":"https:\/\/www.zubairalexander.com\/blog\/azure-active-directory-password-policies\/","title":{"rendered":"Azure Active Directory Password Policies"},"content":{"rendered":"<p>The Azure Active Directory (AAD) password policies affect the users in Office 365. If you are an AAD Administrator or an Office 365 Global Administrator, you will find the password policies configuration options documented in this article useful. If your organization allows users to reset their own passwords, then make sure you share this information with the users because it&#8217;s important for them to know what they can or cannot do when they use the Self-Service Password Reset (SSPR) feature in AAD.<\/p>\n<p>According to <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/authentication\/concept-sspr-policy\" target=\"_blank\" rel=\"noopener\">Microsoft<\/a>, the following password policies and complexity requirements in AAD that are associated with an Office 365 tenant apply to all users.<\/p>\n<h4><strong>User Principal Name (UPN) Policies<\/strong><\/h4>\n<p>A user principal name in AAD (and on-premises Active Directory (AD)) refers to the format that is used to sign in to Active Directory. It looks similar to a user&#8217;s email address and is usually (but not always) the user&#8217;s email address. 
For example, <strong>BillGates@Contoso.com<\/strong> is the UPN that Bill would use to sign in to his Active Directory account, whether he is signing in to his Office 365 online portal in the cloud or to his Active Directory on-premises account.<\/p>\n<p>The following policies apply to both AAD and AD user accounts.<\/p>\n<table>\n<tbody>\n<tr>\n<td style=\"text-align: left; vertical-align: top;\" colspan=\"2\"><span style=\"font-size: 14pt;\"><strong>UPN Policies that Apply to Azure Active Directory and On-Premises Active Directory Accounts<\/strong><\/span><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left; vertical-align: top;\"><strong>Property<\/strong><\/td>\n<td style=\"text-align: left; vertical-align: top;\"><strong>UPN Requirements<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left; vertical-align: top;\">Characters allowed<\/td>\n<td style=\"text-align: left; vertical-align: top;\">\n<ul>\n<li>Uppercase characters: <strong>A-Z<\/strong><\/li>\n<li>Lowercase characters: <strong>a-z<\/strong><\/li>\n<li>Numbers: <strong>0-9<\/strong><\/li>\n<li>Special characters:\u00a0<strong>! &#8211; _ # . 
^ ~<\/strong><\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left; vertical-align: top;\">Characters not allowed<\/td>\n<td style=\"text-align: left; vertical-align: top;\">\n<ul>\n<li>Any &#8220;@&#8221; character that&#8217;s not separating the username from the domain<\/li>\n<li>Can&#8217;t contain a period character &#8220;.&#8221; immediately preceding the &#8220;@&#8221; symbol<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left; vertical-align: top;\">Length constraints<\/td>\n<td style=\"text-align: left; vertical-align: top;\">\n<ul>\n<li>The total length must not exceed 113 characters<\/li>\n<li>There can be up to 64 characters before the &#8220;@&#8221; symbol<\/li>\n<li>There can be up to 48 characters after the &#8220;@&#8221; symbol<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>The following password policies apply only to AAD user accounts.<\/p>\n<table>\n<tbody>\n<tr>\n<td style=\"text-align: left; vertical-align: top;\" colspan=\"2\"><span style=\"font-size: 14pt;\"><strong>Password Policies that Apply Only to Azure Active Directory User Accounts in the Cloud<\/strong><\/span><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left; vertical-align: top;\"><strong>Property<\/strong><\/td>\n<td style=\"text-align: left; vertical-align: top;\"><strong>Requirements<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left; vertical-align: top;\">Characters allowed<\/td>\n<td style=\"text-align: left; vertical-align: top;\">\n<ul>\n<li>Uppercase characters: <strong>A-Z<\/strong><\/li>\n<li>Lowercase characters: <strong>a-z<\/strong><\/li>\n<li>Numbers: <strong>0-9<\/strong><\/li>\n<li>Special characters:\u00a0<strong>@ # $ % ^ &amp; * &#8211; _ ! + = [ ] { } | \\ : \u2018 , . ? 
\/ ` ~ \u201c ( ) ;<\/strong><\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left; vertical-align: top;\">Characters not allowed<\/td>\n<td style=\"text-align: left; vertical-align: top;\">\n<ul>\n<li>Unicode characters<\/li>\n<li>Spaces<\/li>\n<li>Strong passwords only<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left; vertical-align: top;\">Password restrictions<\/td>\n<td style=\"text-align: left; vertical-align: top;\">\n<ul>\n<li>A minimum of 8 characters and a maximum of 16 characters.<\/li>\n<li>Strong passwords only: Requires three out of four of the following:\n<ul>\n<li>Lowercase characters<\/li>\n<li>Uppercase characters<\/li>\n<li>Numbers (0-9)<\/li>\n<li>Symbols (see the previous password restrictions)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left; vertical-align: top;\">Password expiry duration<\/td>\n<td style=\"text-align: left; vertical-align: top;\">\n<ul>\n<li>Default value: <strong>90<\/strong> days<\/li>\n<li>The value is configurable by using the <strong>Set-MsolPasswordPolicy<\/strong>\u00a0cmdlet in AAD Module for Windows PowerShell<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left; vertical-align: top;\">Password expiry notification<\/td>\n<td style=\"text-align: left; vertical-align: top;\">\n<ul>\n<li>Default value: <strong>14<\/strong> days (before password expires)<\/li>\n<li>The value is configurable by using the <strong>Set-MsolPasswordPolicy<\/strong> cmdlet in\u00a0AAD Module for Windows PowerShell<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left; vertical-align: top;\">Password expiry<\/td>\n<td style=\"text-align: left; vertical-align: top;\">\n<ul>\n<li>Default value: <strong>false<\/strong> (indicates that password expiry is enabled)<\/li>\n<li>The value can be configured for individual user accounts by using the <strong>Set-MsolUser<\/strong> cmdlet<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td 
style=\"text-align: left; vertical-align: top;\">Password change history<\/td>\n<td style=\"text-align: left; vertical-align: top;\">The last password <em>can&#8217;t<\/em> be used again when the user changes a password<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left; vertical-align: top;\">Password reset history<\/td>\n<td style=\"text-align: left; vertical-align: top;\">The last password <em>can<\/em> be used again when the user resets a forgotten password<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left; vertical-align: top;\">Account lockout<\/td>\n<td style=\"text-align: left; vertical-align: top;\">After 10 unsuccessful sign-in attempts with the wrong password, the user is locked out for one minute. Further incorrect sign-in attempts lock out the user for increasing durations of time<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>If you are a Global Administrator of your Office 365 tenancy, you can check the password policies quickly by using the <em>Azure Active Directory PowerShell<\/em> module. You can also use this module to manage your password expiration policy. Here&#8217;s how.<\/p>\n<h4><strong>Check Current Password Expiration Policy<\/strong><\/h4>\n<ol>\n<li>Download and install the AAD PowerShell module. Visit <a href=\"https:\/\/www.powershellgallery.com\/\" target=\"_blank\" rel=\"noopener\">https:\/\/www.powershellgallery.com\/<\/a>\u00a0and search for <strong>MSOnline PowerShell for\u00a0Azure Active Directory<\/strong>. 
The module requires .NET Framework 4.5 or above and you can install it on Windows Server 2008 SP1 and later servers or Windows 7.1 SP1 and later clients.\u00a0For detailed installation requirements and documentation visit\u00a0<a href=\"https:\/\/docs.microsoft.com\/en-us\/powershell\/module\/Azuread\/?view=azureadps-2.0\" target=\"_blank\" rel=\"noopener\">this page<\/a>.<\/li>\n<li>Sign in using your company&#8217;s administrator credentials.<\/li>\n<li>If you want to check the <em>password never expires<\/em> setting for ALL USERS, use the following command.<br \/>\n<span style=\"background-color: #f7f7c6;\">Get-MSOLUser -All | Select UserPrincipalName, PasswordNeverExpires<\/span><br \/>\nThe <em>-All<\/em> parameter returns every user; without it, Get-MSOLUser returns at most 500 results.<\/li>\n<li>To see whether a user&#8217;s password is configured to never expire, use the following command.<br \/>\n<span style=\"background-color: #f7f7c6;\">Get-MSOLUser -UserPrincipalName <strong>&lt;user ID&gt;<\/strong> | Select PasswordNeverExpires<\/span><br \/>\nFor example,\u00a0<span style=\"background-color: #f7f7c6;\">Get-MSOLUser -UserPrincipalName <strong>BillGates@Contoso.com<\/strong> | Select PasswordNeverExpires<\/span>.<\/li>\n<\/ol>\n<h4><strong>Set Azure AD Password Policy Using PowerShell<\/strong><\/h4>\n<ol>\n<li>Download and install the AAD PowerShell module. Visit <a href=\"https:\/\/www.powershellgallery.com\/\" target=\"_blank\" rel=\"noopener\">https:\/\/www.powershellgallery.com\/<\/a>\u00a0and search for <strong>MSOnline PowerShell for\u00a0Azure Active Directory<\/strong>. 
The module requires .NET Framework 4.5 or above and you can install it on Windows Server 2008 SP1 and later servers or Windows 7.1 SP1 and later clients.\u00a0For detailed installation requirements and documentation visit\u00a0<a href=\"https:\/\/docs.microsoft.com\/en-us\/powershell\/module\/Azuread\/?view=azureadps-2.0\" target=\"_blank\" rel=\"noopener\">this page<\/a>.<\/li>\n<li>Sign in using your company&#8217;s administrator credentials.<\/li>\n<li>To set the password expiration for <strong>ALL USERS<\/strong> in your Office 365 tenant, use the following command.<br \/>\n<span style=\"background-color: #f7f7c6;\">Get-MsolUser -All | Set-MsolUser -PasswordNeverExpires $false<\/span><br \/>\nThis will set the passwords for all users to expire after a period configured by the Global Administrator. The default value is 90 days. The <em>-All<\/em> parameter makes Get-MsolUser return every user instead of the default maximum of 500. For security reasons, you should set the password for users to always expire. However, if for some reason you want to reverse the setting and set the password to never expire for ALL USERS then change the <em>$false<\/em> at the end of the line to <em>$true<\/em>, as follows.<br \/>\n<span style=\"background-color: #f7f7c6;\">Get-MsolUser -All | Set-MsolUser -PasswordNeverExpires $true<\/span><\/li>\n<li>To set the password expiration for\u00a0<strong>ONLY ONE USER<\/strong> in your Office 365 tenant, use the following command.<br \/>\n<span style=\"background-color: #f7f7c6;\">Set-MsolUser -UserPrincipalName <strong>&lt;user ID&gt;<\/strong> -PasswordNeverExpires $false<\/span><br \/>\nFor example,\u00a0<span style=\"background-color: #f7f7c6;\">Set-MsolUser -UserPrincipalName <strong>BillGates@Contoso.com<\/strong> -PasswordNeverExpires $false<\/span>.<br \/>\nThis will set Bill Gates&#8217; password to expire. 
If for some reason you want to reverse the setting and set the password to never expire then change the <em>$false<\/em> at the end of the line to <em>$true<\/em>, as follows.<br \/>\n<span style=\"background-color: #f7f7c6;\">Set-MsolUser -UserPrincipalName <strong>&lt;user ID&gt;<\/strong> -PasswordNeverExpires $true<br \/>\n<\/span>For example, <span style=\"background-color: #f7f7c6;\">Set-MsolUser -UserPrincipalName <strong>BillGates@Contoso.com<\/strong> -PasswordNeverExpires $true<\/span><\/li>\n<\/ol>\n<p>Be careful when you change your password policies, especially when you change them for all the users because it can have an impact on a lot of people.<\/p>\n<table>\n<tbody>\n<tr>\n<td style=\"background-color: #e3e3e3; text-align: left;\">Thanks for reading my article. If you are interested in IT training &amp; consulting services, please reach out to me. Visit <a href=\"https:\/\/www.zubairalexander.com\/\" target=\"_blank\" rel=\"noopener\">ZubairAlexander.com<\/a> for information on my professional background.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr \/>\n<p><span style=\"font-size: xx-small; font-family: Verdana;\">Copyright \u00a9 2018 <a href=\"https:\/\/www.seattlepro.com\/\" target=\"_blank\" rel=\"noopener\">SeattlePro Enterprises, LLC<\/a>. All rights reserved.<br \/>\n<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Azure Active Directory (AAD) password policies affect the users in Office 365. If you are an AAD Administrator or an Office 365 Global Administrator, you will find the password policies configuration options documented in this article useful. 
If your organization allows users to reset their own passwords, then make sure you share this information [&hellip;]<\/p>\n","protected":false},"author":7,"featured_media":8601,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[6,43,62,67,63,24],"tags":[],"class_list":["post-10220","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-active-directory","category-articles","category-cloud-computing","category-microsoft-azure","category-office-365","category-security"],"aioseo_notices":[],"jetpack_featured_media_url":"https:\/\/www.zubairalexander.com\/blog\/wp-content\/uploads\/2017\/08\/Security2.jpg","_links":{"self":[{"href":"https:\/\/www.zubairalexander.com\/blog\/wp-json\/wp\/v2\/posts\/10220","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.zubairalexander.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.zubairalexander.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.zubairalexander.com\/blog\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/www.zubairalexander.com\/blog\/wp-json\/wp\/v2\/comments?post=10220"}],"version-history":[{"count":0,"href":"https:\/\/www.zubairalexander.com\/blog\/wp-json\/wp\/v2\/posts\/10220\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.zubairalexander.com\/blog\/wp-json\/wp\/v2\/media\/8601"}],"wp:attachment":[{"href":"https:\/\/www.zubairalexander.com\/blog\/wp-json\/wp\/v2\/media?parent=10220"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.zubairalexander.com\/blog\/wp-json\/wp\/v2\/categories?post=10220"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.zubairalexander.com\/
blog\/wp-json\/wp\/v2\/tags?post=10220"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}