O365 Password Complexity

Copper Contributor

Hi everyone,

We running O365 exchange and I want to set password complexity to minimum 12. But I could not find any option in O365 Admin Portal and azure AD.

 

Thanks,

Nisar Khan

3 Replies

You cannot control this in O365, best you can do is configure the expiration window. If you want to be able to granularly control password policies, you need to redirect the auth process to your AD or external federation provider.

Yeah, this is weird. Any idea why it’s ”hard coded” to 8 characters minimum cloud-only? Seen a couple of UVs for the possibility to configure.
We would also like to see this added/restored.

If I remember correctly, there used to be a setting at tenant level in AAD that allowed changing the default minimum password length, but Microsoft removed it. We want to see this setting restored. We use a company managed password manager, along with MFA, so a longer password length would be a benefit (as we can monitor password strength).

We are using AAD only, with AAD joined devices managed by InTune MDM. Currently there is the option to set conditional access policy for password length at device level, but not the configuration. If we set the CA policy to 14 characters, then a user resets their password in a browser, which is governed by Microsoft's 365 setting of 8 characters, then the device gets marked as non-compliant and the user must reset their password again.

Microsoft's own recommendations in the security center recommend a minimum password length of 14 characters. The security center recommendation gives the remediation guidance of using a GPO, which we cannot do as we are AAD only.

Microsoft need to look at this urgently. It is a ridiculous situation for cloud only AAD joined and MDM device managed 365 users.