Blog Post

Microsoft Entra Blog
4 MIN READ

Azure AD Password Protection and Smart Lockout are now in Public Preview!

Alex Simons (AZURE)'s avatar
Alex Simons (AZURE)
Icon for Microsoft rankMicrosoft
Sep 07, 2018
First published on CloudBlogs on Jun, 19 2018 Howdy folks, Many of you know that unfortunately, all it takes is one weak password for a hacker to get access to your corpo...
Updated Jul 24, 2020
Version 9.0
Product Announcements
Alex Simons (AZURE)'s avatar
Icon for Microsoft rankMicrosoft
Joined May 01, 2017
View Profile
Microsoft Entra Blog
Stay informed on how to secure access for workforce, customer, and workload identities, from anywhere, to multicloud and on-premises resources, with comprehensive identity and network access solutions.
JaySimmons's avatar
JaySimmons
Icon for Microsoft rankMicrosoft
Feb 19, 2019

Hi JD,

 

This probably won't be a surprise to you, but setting password-never-expires is not a recommended security best practice.  If you deploy Azure AD Password Protection in your AD forest, it's probably ok to increase MaxPasswordAge by some factor - but not password-never-expires.

 

Going back to your main question:

 

>>So having differing policies that can be applied to a subset of users would be of benefit.

 

Setting password-never-expires seems orthogonal to deploying Azure AD Password Protection.  Regardless of whether or not a password will expire or not, it is still a good idea to try to make sure that that password is not easily guessable.

 

If the concern here is that those users who do NOT have password-never-expires may be "upset" by being forced to select stronger passwords, well I would say that for most customers this is considered a relatively minor cost that is easily accepted given the larger security benefits.  If those users are highly privileged such as Domain\Enterprise Admins, then this is even more true.

 

Jay