SOLVED

Password policy changes for Cloud IDs


Hi Everyone,

 

I'm working on an Office 365 project at a customer that has very high standards on security. Now they are asking me if they can change the password policy for Cloud IDs. I know we can change the expiration stuff, etc. But this customer is particularly interested in changing the Account Lockout settings. He would like it to be set to 3 attempts and then full lockout, until an administrator unlocks the account.

 

These are my customer's wishes, and I would like to know if it is even possible.

 

Thanks much.

 

Regards,

Ronald van Ackooij

9 Replies
best response confirmed by Ronald van Ackooij (Brass Contributor)
Solution

Hi Ronald,

 

Unfortunately not. As you rightly stated, you can modify the password expiration and expiration notification etc. (https://support.office.com/en-us/article/Set-your-password-expiration-policy-0F54736F-EB22-414C-8273...) but not the account lockout settings.

 

Password policies and restrictions in Azure Active Directory: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-policy

 

If you were to deploy Azure AD Connect w/ ADFS etc. then your password policy would match that of on-premises AD.

 

Hope that answers your question, although it may not help your customer.

 

Kind Regards,

 

Jamie Brandwood

Hi Ronald,

 

It's only possible if your Active Directory is the authority for the users: you have to set up a synchronization between your AD and Office 365 and set the policies in your Active Directory.

If your scenario is currently cloud-only authentication, you can convert the users to your on-premises AD using the soft match method, using the UPN for example.

 

You can see those features here https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsyncservi...
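The on-premises side of what Nuno describes, as an added example that is not part of this thread: it applies the customer's requirement (three failed attempts, then locked until an administrator unlocks) to the default domain password policy with the RSAT ActiveDirectory module, then reads the policy back to confirm. The domain and account names are placeholders, and treating a LockoutDuration of 0 as "no automatic unlock" is an assumption carried over from the Group Policy semantics, which is why the read-back check is there.

```powershell
# Added example, not from the thread. Requires the RSAT ActiveDirectory module
# and rights to edit the default domain policy. Domain name is a placeholder.
Import-Module ActiveDirectory

$Domain = 'corp.example.com'   # placeholder, replace with your own domain

# Customer requirement from the thread: 3 failed attempts, then locked until an
# administrator unlocks. Assumption: LockoutDuration 0 maps to the Group Policy
# setting "Account lockout duration = 0" (no automatic unlock); confirmed below.
Set-ADDefaultDomainPasswordPolicy -Identity $Domain `
    -LockoutThreshold 3 `
    -LockoutDuration 0

# Read the policy back and check that the values actually landed.
$policy = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
$policy | Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow

if ($policy.LockoutThreshold -ne 3) {
    Write-Warning "LockoutThreshold is $($policy.LockoutThreshold), expected 3"
}
if ($policy.LockoutDuration -ne [TimeSpan]::Zero) {
    Write-Warning "LockoutDuration is $($policy.LockoutDuration), expected no automatic unlock"
}

# Under this policy locked accounts stay locked until an admin releases them,
# so the operational counterpart is listing and unlocking them on request.
Search-ADAccount -LockedOut | Select-Object SamAccountName, LastLogonDate
# Unlock-ADAccount -Identity 'jdoe'   # placeholder account name
```

Once Azure AD Connect with AD FS is in place, as the accepted answer notes, this on-premises policy is the one that governs the federated sign-ins.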

Hi Nuno,

 

I do think that for the Account Lockout a federated setup would be needed, meaning the authentication occurs on the on-prem DCs via the ADFS environment, because AD Connect with password sync is not enough for the lockout settings to be applied.

 

Correct me if I'm wrong please ;).

Thanks much

Correct Ronald, but first you will need to set up AD Connect with soft match to then implement federation with ADFS. It is the best practice if you have to convert a cloud-only scenario to ADFS.

Are these accounts synced from on-prem or actual cloud only accounts?

 

You may find this recent blog post helpful  https://blogs.technet.microsoft.com/tspring/2017/01/20/federated-to-microsoft-cloud-and-account-lock...

Understood, and thanks for your input, but that wasn't the question. For now the users are Cloud IDs and so there is no synchronization. This will be added in the future when they set up a new AD environment on-prem. So the question was if we could change the password policy in the Cloud for "account lockout", and that is answered, with no.

Thanks much!

As @Jamie mentioned, you would need to implement AD FS and manage account lockout policies from on-premises AD. When an administrator chooses the Cloud Identity model, he doesn't have much control over the features other than a few things such as password expiration, etc. :)

You can refer them to the documentation at https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-policy#password-p....

 

For clients like this I would strongly recommend investing in the EM+S E5 plan that includes Cloud App Security licenses, https://www.microsoft.com/en-us/cloud-platform/cloud-app-security

 

Has anything changed with this since Azure now has AD Domain Services in Resource Manager? Environment is 100% cloud with no on-site servers, no domain controllers.
