Removal of the 16-character limit for passwords in Azure AD
Published May 14 2019 12:00 PM

Howdy folks, 

 

Many of you have been reminding us that we still have a 16-character password limit for accounts created in Azure AD. While our on-premises Windows AD allows longer passwords and passphrases, we previously didn’t have support for this for cloud user accounts in Azure AD.  

 

Today, I am pleased to announce that we have changed this limit, allowing you to set a password with up to 256 characters, including spaces. You can see more details on password requirements in our password policy documentation. 

 

 


If you have questions or comments, please feel free to reach out to us on Azure AD UserVoice. 

 

Best regards, 

 

Alex Simons (Twitter: @Alex_A_Simons)

Vice President of Program Management

Microsoft Identity Division

19 Comments
Copper Contributor
https://account.activedirectory.windowsazure.com/ChangePassword.aspx still has validators limiting the password to 16 characters, will this page be fixed as well?
Microsoft

@sivey42  yes we are in the process of fixing that page as well. 

Brass Contributor
Great news!
Copper Contributor

Thank you to you and your team for taking this feedback seriously. 

 

Excellent response, bravo! 

Brass Contributor

Why are you still requiring symbols and numbers?  Isn't length THE determining factor on how difficult it is to crack a password?  Requiring symbols and numbers (and all that upper/lower jazz) seems old skool at best.

Copper Contributor

Awesome to see improvement, but are we also gaining the ability to set minimum length? It is common knowledge that an 8-character password is not a good idea. And it goes against many organizations' password policies, making the self-service tool almost useless unless you want to throw your policy out the window. Additionally, the ability to control complexity requirements is a must. MS has been pushing some of the newer NIST standards on passwords, but Azure goes against the standard.

Microsoft

@Mike-E we have heard the feedback for removing the password character complexity requirement, there are multiple moving parts to this work but it is on the radar. 

Microsoft

@Reedtechno thanks for the comment, we are investigating the ability to set custom password lengths but we do not have an ETA for this feature at this time. 

Copper Contributor

When we try Office 365 (email), the password information says maximum 16.

Steel Contributor

..

Today, I am pleased to announce that we have changed this limit, allowing you to set a password with up to 256 characters, including spaces. You can see more details on password requirements in our password policy documentation. 

..

Although the maximum length has been updated in the password policy documentation, it still says that "spaces" are not allowed.

 

Is it or is it not?

 

Characters not allowed
  • Unicode characters.
  • Spaces.
  • Cannot contain a dot character "." immediately preceding the "@" symbol.

 

 

Microsoft

@Abhimanyu Singh yes "Spaces" are allowed for passwords. We are updating the doc to reflect this typo, thanks for catching it! 

Steel Contributor

Great @Eliza Kuzmenko :) That was fast! The doc has been updated.

Copper Contributor

One thing to note: in the testing we've recently done related to having spaces in passwords, it seemed to work fine in all Microsoft and O365 platforms but one - Skype for Business Online. Each time we tested an account which included a space in the password, the Skype client would fail to sign into SfBO and would eventually lock the account. Can you confirm whether or not this is expected behavior, or a known limitation with Skype for Business Online?

 

We no longer have our on-prem Skype environment so I've been unable to test that platform.  But the Online (O365) platform was problematic during our testing.

Microsoft

@Junior049 thanks for bringing this up, this should work seamlessly across O365 after sign-on including Skype. If you ping me the details to elkuzmen[at]microsoft.com I will connect with you and get the right folks involved to investigate.

Copper Contributor

Is there any way to set authentication Phone or email for the user without populating their standard mobile or alternate email fields? The resources here: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-authenticationdata provide directions on setting MobilePhone and AlternateEmailAddresses, but I do not want to populate our users' personal information into the Global address book. I just want to populate it for auth purposes.

Copper Contributor

That's great news!

Copper Contributor

The 16-character limit for passwords still applies to guest accounts. And I can't enforce MFA on guest accounts.

Or did I miss some setting?

Copper Contributor

@Jeroen020 You should be able to do so with a Conditional Access policy.

Copper Contributor

Today (2019-12-01) I set up a guest user. During the login/setup, I'm told my 17 character password (upper, lower, numbers, "special", no spaces) is too long:


Why isn't this automatically updated as per the article's implication? Do I need to manually change some policies in my Azure AD? (I'm completely new to this admin stuff, so please forgive me if the question is basic.)

Version history
Last update: Aug 03 2020 01:50 PM