Forum Discussion
MicrosoftAnnouncement: Office 365 Secure Score Released to Public Preview
Another issue with Secure Score.
"You should require that all of your users reset their password at least every 60 days"
This is no longer current best practice where strong passphrases and 2FA are used since more rapid enforced change of passwords leads to the use of weaker ones.
Many thanks Brandon. I've been tracking these issues for some while but I've struggled to pin down actual evidence.
Having just revisited the issues that I'm having. I now have hard evidence from the get-msoluser and the combined audit log that something is very badly wrong. At least with our tenancy if not something wider.
Two definitive issues: One is that get-msoluser consistently reports some users with PasswordNeverExpires set to TRUE which should never happen.
The second is even more serious. I have found a user who is currently logged into the system but according to the Get-MsoUser data hasn't changed her password for 181 days (our tenant is set to require password change after 90d). Here is some relevant information:
BlockCredential : False
IsLicensed : True
LastPasswordChangeTimestamp : 2016-04-22 11:27:22
LicenseReconciliationNeeded : False
OverallProvisioningStatus : Success
PasswordNeverExpires : False
StrongPasswordRequired : True
StsRefreshTokensValidFrom : 2016-04-22 11:27:22
ValidationStatus : Healthy
WhenCreated : 2013-05-07 10:11:03
Checking the combined audit log I can see that it agrees that the user last changed their password on the 22nd April but they are still logging in. They should not have been able to log in after July 21st. However, the audit log has recorded 23 logins since then.
Previously, I'd been assuming that some data was missing from the audit logs but it appears that there may be a more serious issue.
No problem Dean.
I don't believe that it is isolated for us. It's just that this is the first time I've actually been able to prove it happening.