Feb 15 2017 07:05 AM
Hi Everyone,
I'm working on an Office 365 project at a customer that has very high standards on security. Now they are asking me if they can change the password policy for Cloud IDs? I know we can change the expiration stuff, etc. But this customer is particularly interested in changing the Account Lockout settings. He would like it to be set to 3 attempts and then, full lockout, until an administrator unlocks the account.
These are my customer's wishes, and I would like to know if it is even possible.
Thanks much.
Regards,
Ronald van Ackooij
Feb 15 2017 07:34 AM
Solution
Hi Ronald,
Unfortunately not, as you rightly stated you can modify the password expiration and expiration notification etc. (https://support.office.com/en-us/article/Set-your-password-expiration-policy-0F54736F-EB22-414C-8273...) but not the account lockout settings.
Password policies and restrictions in Azure Active Directory: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-policy
If you were to deploy Azure AD Connect w/ ADFS etc. then your password policy would match that of on-premises AD.
Hope that answers your question, although it may not help your customer.
Kind Regards,
Jamie Brandwood
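To make the distinction in this answer concrete, here is an added PowerShell example (not code from any poster in this thread) that reads the only password settings exposed for cloud-only users (expiration and notification days) beside the account-lockout settings of an on-premises domain, which is where the lockout policy lives once sign-ins are federated. It assumes the MSOnline and ActiveDirectory modules are installed, an account with read rights on both sides, and uses 'contoso.com' as a placeholder domain name.

```powershell
# Added example, not from the thread. Compares what Azure AD lets you adjust
# for cloud-only accounts with the lockout policy an on-prem AD enforces.
# Assumptions: MSOnline + ActiveDirectory modules, rights to read both,
# and 'contoso.com' as a placeholder for the verified domain.

$Domain = 'contoso.com'            # placeholder, replace with your domain
$RequiredLockoutThreshold = 3      # the customer's requirement from the thread

# --- Cloud side (Azure AD / Office 365) -------------------------------------
Connect-MsolService
$cloud = Get-MsolPasswordPolicy -DomainName $Domain
# Only ValidityPeriod (days until expiry) and NotificationDays are exposed;
# there is no lockout threshold or lockout duration to set here.
[pscustomobject]@{
    Source           = 'Azure AD (cloud-only)'
    ValidityPeriod   = $cloud.ValidityPeriod
    NotificationDays = $cloud.NotificationDays
    LockoutThreshold = 'not configurable'
} | Format-List

# --- On-premises side (applies when sign-ins are federated via AD FS) -------
Import-Module ActiveDirectory
$onprem = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
[pscustomobject]@{
    Source                  = "On-prem AD ($Domain)"
    LockoutThreshold        = $onprem.LockoutThreshold
    LockoutDuration         = $onprem.LockoutDuration
    LockoutObservationWindow = $onprem.LockoutObservationWindow
    MaxPasswordAge          = $onprem.MaxPasswordAge
} | Format-List

# Check the default policy against the requirement. A threshold of 0 means
# lockout is disabled; in the Default Domain Policy GPO an "Account lockout
# duration" of 0 means the account stays locked until an administrator
# unlocks it, which is what the customer asked for.
if ($onprem.LockoutThreshold -eq 0) {
    Write-Warning "Domain $Domain has account lockout disabled (threshold 0)."
} elseif ($onprem.LockoutThreshold -gt $RequiredLockoutThreshold) {
    Write-Warning ("Lockout threshold is {0}; requirement is {1}." -f
        $onprem.LockoutThreshold, $RequiredLockoutThreshold)
}

# Fine-grained password policies (PSOs) override the domain default for the
# groups they target, so list them too before reporting compliance.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, LockoutThreshold, LockoutDuration |
    Format-Table -AutoSize
```

The cloud half only reads; the point is that the MSOL policy object has nothing lockout-related to change. The on-prem half is where a threshold of 3 and an indefinite lockout would be configured (through the domain's Default Domain Policy or a PSO), and that policy only takes effect for Office 365 sign-ins once the domain is federated, as the thread describes.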
Feb 15 2017 07:35 AM
Hi Ronald,
It's only possible if your Active Directory is the authority of the users; you have to set up a synchronization between your AD and Office 365 and set the policies in your Active Directory.
If your scenario now is cloud-only authentication, you can convert the users to your on-premises AD using the soft-match method, using UPN for example.
You can see those features here https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsyncservi...
Feb 15 2017 08:49 AM
Hi Nuno,
I do think that for the Account Lockout, a federated setup would be needed, meaning the authentication occurs on the on-prem DCs via the ADFS environment, because AD Connect with password sync is not enough for the lockout settings to be applied.
Correct me if I'm wrong please ;).
Thanks much
Feb 15 2017 09:11 AM
Correct Ronald, but first you will need to set up AD Connect with soft match to then implement federation with ADFS. It is the best practice if you have to convert a cloud-only scenario to ADFS.
Feb 15 2017 09:41 AM
Are these accounts synced from on-prem or actual cloud only accounts?
You may find this recent blog post helpful https://blogs.technet.microsoft.com/tspring/2017/01/20/federated-to-microsoft-cloud-and-account-lock...
Feb 15 2017 09:58 AM
Understood, and thanks for your input, but that wasn't the question. For now the users are Cloud IDs and so there is no synchronization. This will be added in the future when they set up a new AD environment on-prem. So the question was if we could change the password policy in the Cloud for "account lockout", and that is answered, with no.
Thanks much!
Feb 15 2017 10:16 AM
You can refer them to the documentation at https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-policy#password-p....
For clients like this I would strongly recommend investing in the EM+S E5 plan that includes Cloud App Security licenses, https://www.microsoft.com/en-us/cloud-platform/cloud-app-security
Aug 30 2017 04:42 PM
Has anything changed with this since Azure now has AD Domain Services in Resource Manager? Environment is 100% cloud with no on-site servers, no domain controllers.