Password recommendations


Hello DFI community!


I'm reviewing some Identity-related recommendations about accounts and passwords. Let's focus on the following:

  1. Remove the attribute 'password never expires' from accounts in your domain
  2. Manage accounts with passwords more than 180 days old
  3. Do not expire passwords

Achieving these 3 recommendations at the same time in a hybrid environment for all types of accounts (user accounts, service accounts) seems a bit challenging and counterintuitive.


If we disable password rotation policies in AD DS and set passwords to not expire in the 365 org's settings, user accounts will show up in recommendations #1 and #2 after a while... If we don't, then recommendation #3 pops up.


How can we combine features such as Azure Identity Protection/Conditional Access, Password Protection, Managed Identities, and s/gMSA accounts to make all this work?


I'm a bit confused... What am I missing?

Any help would be much appreciated.
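Before deciding how to reconcile the three recommendations, it helps to see which accounts each one actually flags in the on-premises directory. The following audit script is an added example, not part of this thread or any Microsoft tool; it assumes the RSAT ActiveDirectory PowerShell module is installed and the session has read access to the domain. It enumerates enabled accounts with the 'password never expires' flag (recommendation #1), enabled accounts whose password is older than 180 days (recommendation #2), and, separately, the gMSA/sMSA objects whose passwords AD DS rotates automatically. The 180-day threshold, the CSV file names and the "looks like a service account" heuristic (an SPN is set) are assumptions chosen for the example.

```powershell
# Added example (not from the thread): audit an AD DS domain for the account
# conditions the identity recommendations flag. Requires the RSAT
# ActiveDirectory module and a domain-joined session with read access.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

$MaxPasswordAgeDays = 180                          # threshold from recommendation #2 (assumed)
$Cutoff = (Get-Date).AddDays(-$MaxPasswordAgeDays)

# Recommendation #1: enabled accounts with the 'password never expires' flag.
# PasswordNeverExpires maps to a userAccountControl bit and can be used in -Filter.
$NeverExpires = Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $true } `
    -Properties PasswordNeverExpires, PasswordLastSet, ServicePrincipalName |
    Select-Object SamAccountName, PasswordLastSet,
        @{ Name = 'LooksLikeServiceAccount'                       # heuristic: an SPN is registered
           Expression = { $_.ServicePrincipalName.Count -gt 0 } }

# Recommendation #2: enabled accounts whose password is older than the threshold.
# PasswordLastSet is derived from pwdLastSet; null means the password was never
# set or the account must change it at next logon.
$Stale = Get-ADUser -Filter { Enabled -eq $true -and PasswordLastSet -lt $Cutoff } `
    -Properties PasswordLastSet, PasswordNeverExpires |
    Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires

# Managed service accounts (gMSA/sMSA) rotate their own passwords, so they are
# listed separately: they satisfy the age requirement without any human rotation.
$Msa = Get-ADServiceAccount -Filter * -Properties PasswordLastSet |
    Select-Object SamAccountName, ObjectClass, PasswordLastSet

"{0} enabled account(s) with 'password never expires'"              -f @($NeverExpires).Count
"{0} enabled account(s) with a password older than {1} days"        -f @($Stale).Count, $MaxPasswordAgeDays
"{0} managed service account(s) with self-rotating passwords"       -f @($Msa).Count

# Export for review; file names are assumptions for the example.
$NeverExpires | Export-Csv -Path .\password-never-expires.csv   -NoTypeInformation
$Stale        | Export-Csv -Path .\password-older-than-180d.csv -NoTypeInformation
$Msa          | Export-Csv -Path .\managed-service-accounts.csv -NoTypeInformation
```

Running the three queries side by side shows the overlap the original question is about: an account that appears in both the first and the second list is one where 'password never expires' was set and the password was then left alone, while gMSA/sMSA objects appear in neither user list because their secret is rotated by the directory itself.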

2 Replies

@Chris_BYSA Microsoft recommends enabling the "do not expire password" setting in Office 365 and using the passwordless method through MFA to protect your identities' logins.


Please refer to the link below for password policy recommendations:


Password policy recommendations - Microsoft 365 admin | Microsoft Learn

Thanks for your reply @eliekarkafy

Hmm, well, we're not passwordless-ready for the users yet.
And it wouldn't work for service accounts anyway. We would maybe need s/gMSA account types and/or Managed Identities.

Would this really solve all three recommendations and not make all the users fall into recommendation #2 with 180+ day old passwords?