Our organisation fully transitioned to Azure AD sign-in and Intune management a while back, decommissioning local servers and AD in 2021. We don't use any local device accounts (we run as standard users then have AAD Device Administrator users to install software, apply third-party updates, etc.).
In the Microsoft 365 Defender portal recommendations, we see items such as:
- Set 'Enforce password history' to '24 or more password(s)'
- Set 'Minimum password length' to '14 or more characters'
- etc.
Given that this type of policy is applied with Azure AD itself, can we safely ignore these recommendations (create an 'Alternate mitigation' exception), or is there guidance on how we should be setting these configurations so as not to conflict with Azure AD?
