
How to enforce password complexity in O365?

(Last updated on October 16, 2019)

As organizations continue migrating data and services to the cloud, management and enforcement of strong password policies has never been more important.

When it comes to Office 365 cloud-only users (accounts not synchronized with a corresponding on-premises Active Directory account), the configurable options are quite limited:

O365 Password Policy

Office 365 cloud-only users are subject to the hard-coded password policy built into Azure AD. Per Microsoft, the requirements are as follows:

Characters allowed:
  • A – Z
  • a – z
  • 0 – 9
  • @ # $ % ^ & * - _ ! + = [ ] { } | \ : ‘ , . ? / ` ~ " ( ) ;

Characters not allowed:
  • Unicode characters
  • Spaces
  • A dot character "." immediately preceding the "@" symbol

Password restrictions:
  • A minimum of 8 characters and a maximum of 256 characters (this is a recent change; the former maximum was 16 characters).
  • Requires three out of four of the following:
    - Lowercase characters
    - Uppercase characters
    - Numbers (0-9)
    - Symbols

Password expiry duration: Default value: 90 days. Global setting affecting all users in the organization.

Password expiry notification: Default value: 14 days (before the password expires). Global setting affecting all users in the organization.

Password expiry: Azure AD supports disabling password expiry on a per-user basis or for the entire organization.

Password change history: The last password can't be used again when the user changes a password.

Password reset history: The last password can be used again when the user resets a forgotten password.

Microsoft has recently launched Azure AD Password Protection, which adds dictionary capabilities to passwords for customers with an Azure AD Premium subscription. There are two layers to the Microsoft solution:

  • Global Banned Password List – a Microsoft-provided list of “commonly used and compromised passwords.” Microsoft does not disclose any details about the contents of this list – there is, by design, no information on what sources Microsoft has used to compile the list, nor any details about its size.
  • Custom Banned Password List – available with an Azure AD Premium P1 or P2 subscription; customers can block a custom list of words from appearing in user passwords.
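The hard-coded cloud-only policy above, plus a custom banned-word list, is simple enough to express as a pre-check that a help desk or provisioning script can run before submitting a password. The following is an added example written for this post; it is not Specops or Microsoft code. It implements only the rules quoted in the table (length, allowed character set, no "." directly before "@", three of four character classes) and treats the custom banned list as a case-insensitive substring match, which is an assumption of this example rather than a description of how Azure AD Password Protection evaluates its lists. The banned words and test passwords are constructed samples.

```python
"""Pre-check a candidate password against the Azure AD cloud-only rules quoted on this page.

Added example, not Specops or Microsoft code. The policy constants mirror the page's
table; the banned-word matching is a plain substring check (an assumption here).
"""

# Allowed symbols from the table (the page's curly quote is taken as a straight apostrophe).
ALLOWED_SYMBOLS = set("@#$%^&*-_!+=[]{}|\\:',.?/`~\"();")
MIN_LEN, MAX_LEN = 8, 256

# Constructed sample of a customer-defined banned word list (Azure AD Premium feature).
CUSTOM_BANNED = ["contoso", "winter", "password"]


def check_password(pw: str, banned_words=CUSTOM_BANNED) -> list:
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []

    # Length: 8 to 256 characters (the table notes the old 16-character maximum is gone).
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")

    # Allowed set: ASCII letters, digits and the listed symbols. Anything else,
    # including spaces and non-ASCII (Unicode) characters, is rejected.
    bad = sorted({c for c in pw if not (c.isascii() and (c.isalnum() or c in ALLOWED_SYMBOLS))})
    if bad:
        problems.append("disallowed characters: " + " ".join(repr(c) for c in bad))

    # A "." may not immediately precede "@".
    if ".@" in pw:
        problems.append('a "." may not immediately precede "@"')

    # Three of four character classes are required.
    classes = {
        "lowercase": any("a" <= c <= "z" for c in pw),
        "uppercase": any("A" <= c <= "Z" for c in pw),
        "number": any("0" <= c <= "9" for c in pw),
        "symbol": any(c in ALLOWED_SYMBOLS for c in pw),
    }
    if sum(classes.values()) < 3:
        missing = [name for name, present in classes.items() if not present]
        problems.append("needs 3 of 4 character classes; missing: " + ", ".join(missing))

    # Custom banned words: case-insensitive substring match (assumption of this example).
    hits = [w for w in banned_words if w.lower() in pw.lower()]
    if hits:
        problems.append("contains banned word(s): " + ", ".join(hits))

    return problems


def passes(pw: str) -> bool:
    """Convenience wrapper: True when no rule is violated."""
    return not check_password(pw)


if __name__ == "__main__":
    # Constructed sample candidates exercising each rule.
    for candidate in ["Summer2019!", "password1", "Short1!", "Pässword123", "Name.@Work1", "Winter 2020!"]:
        result = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
```

Running the module prints one line per sample: the first passes, the others each trip the rule they were built for (too short, non-ASCII letter, dot before "@", space plus a banned word, and a two-class password that also contains a banned word). Because the check is purely local, it can run inside a self-service reset page or an onboarding script without calling Azure AD, but the authoritative decision remains whatever Azure AD returns when the password is actually set.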

Microsoft also supports extending the Password Protection feature to your on-premises Active Directory. Key limitations there include:

  • As with all other Azure AD policies, it is a global setting (it cannot target specific users, groups or OUs).
  • Users do not get any feedback as to why their on-premises password was rejected during Ctrl+Alt+Del password changes on their laptops.

In order to get better control over your Active Directory and Office 365 passwords, administrators should look to third-party solutions. These solutions need to leverage the on-premises Active Directory together with synchronized or federated Office 365 password authentication, because Microsoft does not support third-party password solutions for cloud-only Office 365 users.

With such solutions, you can achieve extremely granular control over both the scope and requirements of your password policies for both on-prem AD and Office 365 authentication.



Written by

Darren Siegel

Product Specialist, Specops Software

