Hello,We have 10 small business premium licenses and wish to setup the following password complexity requirements but it isn't obvious where I set this in the Office 365 admin portal. be a minimum of 10 characters in length.contain both capital and lower case letter.contain numbers or other special characters.Not allowed to reuse historic passwordsEnforce password change every 6 months, with a 30 day nag countdown popup to change password This is just a cloud account, there is no AD Sync with any of our offices servers. Is this possible as it is with regular Small Business Premium licenses? Where and how would I set the following for ALL users/system wide on Office 365?Thank you.Rob

ChrisHoardMVP It is awesome that Microsoft shuts down User Voice after pushing everyone to use that for feedback on features and behaviors that are lacking in the product. It was bad enough that many important behaviors were not included, and often took years through the User Voice channel. Now it seems they just don't want to hear it and there is no viable avenue to get these features or behaviors improved in M365.

NetzenRob If I remember correctly, there used to be a setting at tenant level in AAD that allowed changing the default minimum password length, but Microsoft removed it. We want to see this setting restored. We use a company managed password manager, along with MFA, so a longer password length would be a benefit (as we can monitor password strength). We are using AAD only, with AAD joined devices managed by InTune MDM. Currently there is the option to set conditional access policy for password length at device level, but not the configuration. If we set the CA policy to 14 characters, then a user resets their password in a browser, which is governed by Microsoft's 365 setting of 8 characters, then the device gets marked as non-compliant and the user must reset their password again. Microsoft's own recommendations in the security center recommend a minimum password length of 14 characters. The security center recommendation gives the remediation guidance of using a GPO, which we cannot do as we are AAD only. Microsoft need to look at this urgently. It is a ridiculous situation for cloud only AAD joined and MDM device managed 365 users.

So it looks like by default it has Strong password enabled, but it only enforces 8 characters, we simply want to change it to 10-16, how best to do that? Thanks again, Rob

This is a common ask, but Microsoft hasn't communicated any plans to change it. The usual recommendation is to redirect the auth process on-premises by either AD FS or PTA so that the on-premises policies are honored.

O365 password complexity | Microsoft Community Hub

19 Replies

Eliot_Cole
Iron Contributor
Sep 02, 2024
What is most frustrating here is that there appears to be zero *Microsoft* documentation of their official 'strong' password policy.

So we all have to go by heresay ... even if it is an IBM document:
https://www.ibm.com/docs/en/spfc?topic=appendices-password-limitations-requirements-microsoft-365-accounts
a_n_7goo
Copper Contributor
May 20, 2022
NetzenRob
If I remember correctly, there used to be a setting at tenant level in AAD that allowed changing the default minimum password length, but Microsoft removed it. We want to see this setting restored. We use a company managed password manager, along with MFA, so a longer password length would be a benefit (as we can monitor password strength).

We are using AAD only, with AAD joined devices managed by InTune MDM. Currently there is the option to set conditional access policy for password length at device level, but not the configuration. If we set the CA policy to 14 characters, then a user resets their password in a browser, which is governed by Microsoft's 365 setting of 8 characters, then the device gets marked as non-compliant and the user must reset their password again.

Microsoft's own recommendations in the security center recommend a minimum password length of 14 characters. The security center recommendation gives the remediation guidance of using a GPO, which we cannot do as we are AAD only.

Microsoft need to look at this urgently. It is a ridiculous situation for cloud only AAD joined and MDM device managed 365 users.
- SebCerazy
  Iron Contributor
  Apr 19, 2024
  2 years later, NO change
Doug_Matsuoka808
Copper Contributor
Apr 25, 2022
NetzenRob The passwords that O365 auto-creates are 8 characters, upper AND lower case, numerals, no symbols.
- DegreeSix
  Copper Contributor
  May 10, 2022
  Doug_Matsuoka808 the issue we have is that to meet some Government requirements for government contractors they need to meet a minimum requirement of more than 8 characters. So there are times when it's important to set it higher than 8 characters.
  As it stands we have it as a company policy but there is no technical way to enforce it on M365.
adam deltinger
MVP
Jan 25, 2019
Please see here:

https://docs.microsoft.com/en-us/office365/admin/misc/password-policy-recommendations?view=o365-worldwide

Adam
- NetzenRob
  Copper Contributor
  Jan 25, 2019
  So it looks like by default it has Strong password enabled, but it only enforces 8 characters, we simply want to change it to 10-16, how best to do that?
  
  Thanks again,
  
  Rob
  - adam deltinger
    MVP
    Jan 25, 2019
    Check the first link about azure B2b in the link!
    I’m not sure about this one though! It seems to be in preview and don’t know about license requirements etc! Try it out
    
    Adam
- NetzenRob
  Copper Contributor
  Jan 25, 2019
  Thanks Adam.
  
  Ok - I see the expiration option now thank you.
  
  But im a little stuck on complexity. Is there a webpage in O365 or Azure backend to set these options?
  
  Also is there a way to enforce a password change across all users, so they must change passwords on next login to office.com ? This would be useful once I set the complexity.

Forum Discussion

O365 password complexity

19 Replies

Resources