Password policy in Azure AD (Office 365)

Password policy in Azure AD (Office 365)

Applies To: Azure, Office 365, Windows Intune

This topic describes the various password policies and complexity requirements associated with the user accounts stored in your Azure AD tenant.

Every user account that needs to sign in to the Azure AD authentication system must have a unique user principal name (UPN) attribute value associated with that account. The following table outlines the polices that apply to both on-premises Active Directory-sourced user accounts (synced to the cloud) and to cloud-only user accounts.

 

Property

UserPrincipalName requirements

Characters allowed

  • A – Z
  • a – z
  • 0 – 9
  • . - _ ! # ^ ~

Characters disallowed

  • @
  • Cannot contain a dot character '.' immediately preceding the '@' symbol

Length constraints

  • Total length must not exceed 113 characters

    • Total length must not exceed 113 characters
    • 64 characters before the ‘@’ symbol
    • 48 characters after the ‘@’ symbol

The following table describes the available password policy settings that can be applied to user accounts that are created and managed in Azure AD.

 

Property
Standard strength passwords
Strong passwords

Characters allowed

  • A – Z
  • a – z
  • 0 – 9
  • @ # $ % ^ & * - _  + = [ ] { } | \ : ‘ , . ? / ` ~ “ ( ) ;

Characters disallowed

  • Unicode characters 
  • spaces
  • Unicode characters 
  • spaces
  • Cannot contain a dot character '.' immediately preceding the '@' symbol

Password restrictions

  • 8 characters minimum and 16 characters maximum
  • 8 characters minimum and 16 characters maximum
  • Requires 3 out of 4 of the following:

    • Lowercase characters
    • Uppercase characters 
    • Numbers (0-9)
    • Symbols (see password restrictions above)

Password expiry duration

Default value: 90 days

Value is configurable using the Set-MsolPasswordPolicy cmdlet from the Azure Active Directory Module for Windows PowerShell.

Password expiry notification

Default value: 14 days (before password expires)

Value is configurable using the Set-MsolPasswordPolicy cmdlet.

Password Expiry

Default value: false days (indicates that password expiry is enabled)

Value can be configured for individual user accounts using the Set-MsolUser cmdlet. See Set a password to never expire for instructions.

Password history

Last password cannot be used again.

Password history duration

Forever

Account Lockout

After 10 unsuccessful logon attempts (wrong password), the user will need to solve a CAPTCHA dialog as part of logon.

After a further 10 unsuccessful logon attempts (wrong password) and correct solving of the CAPTCHA dialog, the user will be locked out for a time period. Further incorrect passwords will result in an exponential increase in the lockout time period.


    • Related Articles

    • Choosing an easy-to-remember strong password

      Introduction The challenge we all face is that cyber attackers have developed sophisticated methods to guess or brute force passwords, and they are constantly getting better at it. This means they can compromise your passwords if they are weak or ...

    • O365 MFA Setup

      You may watch this video to set up the mfa: https://www.youtube.com/watch?v=Q8OzabuNwHI Alternatively, you may read the guide below.       a. Login into Office 365 as per normal over here or https://login.microsoftonline.com       b. After typing ...

    • Shared mailboxes in the Outlook mobile app

      You have to add it as IMAP account, and use the Advanced Settings:   Name : whatever you want E-mail:  sharedmailbox@domain.com   IMAP: Host:  outlook.office365.com Username:  your_primary_login@domain.com\sharedmailbox Password:  your pass   SMTP ...

    • Change Verification for MFA Method

      1. Log in to outlook via this link https://login.microsoftonline.com 2. After typing your password, the following screen would be displayed. 3. Once verified, you will be brought to this page. Next, click on the top right hand icon. 4. Click on "My ...

    • What to do if you are changing mobile device or did an app deletion by accident

      1. Log in to outlook via this link https://login.microsoftonline.com 2. After typing your password, the following screen would be displayed. 3. Once verified, you will be brought to this page. Next, click on the top right hand icon. 4. Click on "My ...