How to enforce password complexity in O365?

As organizations continue migrating data and services to the cloud, management and enforcement of strong password policies has never been more important.

When it comes to Office 365 cloud-only users (accounts that are not synchronized with a corresponding on-premises Active Directory account), the configurable options are quite limited:

O365 Password Policy

Office 365 cloud-only users are subject to the hard-coded password policy built into Azure AD. Per Microsoft, the requirements are as follows:

Characters allowed
  • A – Z
  • a – z
  • 0 – 9
  • @ # $ % ^ & * - _ ! + = [ ] { } | \ : ' , . ? / ` ~ " ( ) ;
Characters not allowed
  • Unicode characters
  • Spaces
  • Cannot contain a dot character "." immediately preceding the "@" symbol
Password restrictions
  • A minimum of 8 characters and a maximum of 256 characters. (This is a recent change; the former maximum was 16 characters.)
  • Requires three out of four of the following:
    - Lowercase characters
    - Uppercase characters
    - Numbers (0-9)
    - Symbols
Password expiry duration
  Default value: 90 days. Global setting affecting all users in the organization.
Password expiry notification
  Default value: 14 days (before the password expires). Global setting affecting all users in the organization.
Password expiry
  Azure AD supports disabling password expiry on a per-user basis or for the entire organization.
Password change history
  The last password can't be used again when the user changes a password.
Password reset history
  The last password can be used again when the user resets a forgotten password.
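As an added example (not part of the original post and not Specops or Microsoft code), the following Python checks a candidate password against the cloud-only rules listed above: length, allowed character set, no spaces or Unicode, no "." directly before "@", and three of four character classes. The sample passwords are constructed, and the curly quote in the symbol list is assumed to be a plain apostrophe.

```python
import string

# Rules taken from the Azure AD cloud-only password policy described above.
MIN_LEN, MAX_LEN = 8, 256
# The page's symbol list; its curly quote is assumed to be a plain apostrophe.
ALLOWED_SYMBOLS = set("@#$%^&*-_!+=[]{}|\\:',.?/`~\"();")
ALLOWED = set(string.ascii_letters) | set(string.digits) | ALLOWED_SYMBOLS


def check_password(pw: str) -> list[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if " " in pw:
        problems.append("contains a space")
    # Anything outside the allowed set (Unicode letters, tabs, ...) is rejected outright.
    bad = sorted({c for c in pw if c != " " and c not in ALLOWED})
    if bad:
        problems.append("contains disallowed characters: " + " ".join(repr(c) for c in bad))
    if ".@" in pw:
        problems.append('contains "." immediately before "@"')
    # Complexity: at least three of the four character classes must be present.
    classes = [
        any(c in string.ascii_lowercase for c in pw),
        any(c in string.ascii_uppercase for c in pw),
        any(c in string.digits for c in pw),
        any(c in ALLOWED_SYMBOLS for c in pw),
    ]
    if sum(classes) < 3:
        problems.append(f"only {sum(classes)} of 4 character classes (need 3)")
    return problems


def is_compliant(pw: str) -> bool:
    return not check_password(pw)


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for candidate in ["Tr0ub4dor!", "password", "Pässword1", "Abc.@1234", "Ab1 cdef!", "Ab1!"]:
        verdict = check_password(candidate)
        print(f"{candidate!r:14} -> {'OK' if not verdict else '; '.join(verdict)}")
```

Note that this reproduces only the documented complexity rules; the banned-password lists described below are an additional, separate check that cannot be reproduced locally because Microsoft does not publish the global list.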

Microsoft has recently launched Azure AD Password Protection, which adds banned-password (dictionary) checks for customers with an Azure AD Premium subscription. There are two layers to the Microsoft solution:

  • Global Banned Password List – a Microsoft-provided list of “commonly used and compromised passwords.” Microsoft does not disclose any details about the contents of this list – there is, by design, no information on what sources Microsoft has used to compile the list, nor any details about its size.
  • Custom banned Password List – available with an Azure AD Premium P1 or P2 subscription, customers can block a custom list of words from appearing in user passwords.

Microsoft also supports extending the Password Protection feature to your on-premises Active Directory. Key limitations there include:

  • As with all other Azure AD policies, it is a global setting (it cannot target specific users, groups or OUs).
  • Users do not get any feedback as to why their on-premises password was rejected during Ctrl+Alt+Del password changes on their laptops.

To get better control over your Active Directory and Office 365 passwords, administrators should look to 3rd party solutions. These solutions need to leverage the on-premises Active Directory together with synchronized or federated Office 365 password authentication, because Microsoft does not support 3rd party password solutions for cloud-only Office 365 users.

With such solutions, you can achieve extremely granular control over both the scope and requirements of your password policies for both on-prem AD and Office 365 authentication.

(Last updated on April 4, 2022)


Written by

Darren Siegel

Darren Siegel is a cyber security expert at Specops Software. He works as a lead IT engineer, helping organizations solve complex challenges within IT security. Darren has more than 15 years’ experience within Active Directory, IT security, servers, storage, virtualization, cloud, and identity and access management.
