O365 password complexity


Hello,


We have 10 small business premium licenses and wish to set up the following password complexity requirements but it isn't obvious where I set this in the Office 365 admin portal.

 

    • be a minimum of 10 characters in length.
    • contain both capital and lower case letters.
    • contain numbers or other special characters.
    • Not allowed to reuse historic passwords
    • Enforce password change every 6 months, with a 30 day nag countdown popup to change password

 

This is just a cloud account, there is no AD Sync with any of our offices' servers. Is this possible as it is with regular Small Business Premium licenses? Where and how would I set the following for ALL users/system wide on Office 365?


Thank you.

Rob

13 Replies

Thanks Adam.


Ok - I see the expiration option now, thank you.

 

But I'm a little stuck on complexity. Is there a webpage in O365 or Azure backend to set these options?

 

Also is there a way to enforce a password change across all users, so they must change passwords on next login to office.com? This would be useful once I set the complexity.


So it looks like by default it has Strong password enabled, but it only enforces 8 characters, we simply want to change it to 10-16, how best to do that?

 

Thanks again,

 

Rob

Check the first link about Azure B2B in the link!
I’m not sure about this one though! It seems to be in preview and I don’t know about license requirements etc! Try it out

Adam

I've just tried to go over this and it seems incredibly long-winded, why on earth do Microsoft make it so complicated to adjust password policies?

 

Unfortunately the documentation did not work/the steps were broken, and I don't really understand the whole B2C concept or what it is exactly. This should be much simpler and built into the Exchange admin area along with the password expiration options. I really don't understand the thought process behind this.

 

Thanks anyway, we will just stick with the 8-16 (16 is also an incredibly short limit??) they claim as 'strong'.

 

Thanks

Rob


This is a common ask, but Microsoft hasn't communicated any plans to change it. The usual recommendation is to redirect the auth process on-premises by either AD FS or PTA so that the on-premises policies are honored.


Yup, but there are for sure millions of customers who don't have on-prem servers and just use O365.

Hopefully they make the system more comprehensive soon.

@vasil, do you know more about the Azure policies?

Hi @NetzenRob,

Agree with everyone here that there are some limitations on the passwords.

If you want to up the strength of the front door, as 100% cloud users you should be able to enforce Multi-Factor Authentication (MFA) and then combined with the Microsoft Authenticator app this will give you much stronger protection even with 'weak' 16 character passwords.

Just a recommendation.

Best, Chris

Very good point Chris!! No password will ever be better than having MFA, no matter the policy

Yea - FIDO 2 Security Key with Windows Hello on Azure AD Joined machines.

Thanks guys but we really just want to alter the minimum password length in O365 at the moment to 10 characters.
Should be easy but isn’t.

Thanks
Rob

Thanks @NetzenRob

Yes, it should. If MFA or Azure AD Connect via Local AD (as Vasil suggested) is not an option then the only possible course of action will be to add your name to the uservoice here:

https://office365.uservoice.com/forums/289138-office-365-security-compliance/suggestions/17888683-al...

Unfortunately, this has been asked for a very long time and it's unlikely that they will change the default Azure AD Password Policy any time soon. Wish I could help more.

Hope that answers your question.

Best, Chris