Forum Discussion
Password policy changes for Cloud IDs
- Feb 15, 2017
Hi Ronald,
Unfortunately not. As you rightly stated, you can modify the password expiration and expiration notification etc. (https://support.office.com/en-us/article/Set-your-password-expiration-policy-0F54736F-EB22-414C-8273-498A0918678F?ui=en-US&rs=en-US&ad=US) but not the account lockout settings.
Password policies and restrictions in Azure Active Directory: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-policy
If you were to deploy Azure AD Connect w/ ADFS etc. then your password policy would match that of on-premises AD.
Hope that answers your question, although it may not help your customer.
Kind Regards,
Jamie Brandwood
Hi Ronald,
It's only possible if your Active Directory is the authority of the users; you have to set up a synchronization between your AD and Office 365 and set the policies in your Active Directory.
If your scenario now is cloud-only authentication, you can convert the users to your on-premises AD using the soft match method, using UPN for example.
You can see those features here https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsyncservice-features
- Ronald van Ackooij, Feb 15, 2017, Brass Contributor
Hi Nuno,
I do think that for the Account Lockout, a Federated setup would be needed, meaning the authentication occurs on the On-Prem DCs via the ADFS environment, because AD Connect with password sync is not enough for the lockout settings to be applied.
Correct me if I'm wrong please ;).
Thanks much
- Feb 15, 2017
Correct Ronald, but first you will need to set up AD Connect with soft match to then implement federation with ADFS. It is the best practice if you have to convert a cloud-only scenario to ADFS.
- Ronald van Ackooij, Feb 15, 2017, Brass Contributor
Understood, and thanks for your input, but that wasn't the question. For now the users are Cloud IDs and so there is no synchronization. This will be added in the future when they set up a new AD environment on-prem. So the question was whether we could change the password policy in the Cloud for "account lockout", and that is answered, with no.
Thanks much!