Office 365 Password Policy

Updated on 1 July 2015

The password policy in Office 365 (O365) is a little more strict than that of an on premise environment as certain characters that are available in Active Directory may not be recognized in O365 (e.g. CTRL characters). To see what is allowable in O365, as well as other password settings, refer to the chart below.

One of the things that I appreciate, is that we are not tied to a strict password expiration rule. That means we can set the password to never expire, however, that task cannot be performed from the portal. Check the references at the end of the article on how to perform that task.

By default, the password expiration is 90 days. However, we can set our password expiration to a maximum of 730 days. This practice is not recommended, as it is a potential security risk to you and your company’s data.

If you are using directory synchronization with password sync, I recommend your Active Directory group policy for passwords should be set to something similar to what is required for O365. At a minimum, the values for ‘Minimum password length’ and ‘Maximum password age’ and ‘Password must meet complexity requirements’ should be configured. I recommend setting the minimum password length to “8 characters” (instead of 7, default in Default Domain Policy), complexity requirement to “Enabled”, and the maximum password age to at least one day less than what we set the password expiration in O365.

Property Standard strength passwords Strong passwords
Characters allowed
  • A – Z
  • a – z
  • 0 – 9
  • @ # $ % ^ & * – _ + = [ ] { } | \ : ‘ , . ? / ` ~ “ < > ( ) ;
Characters disallowed
  • Unicode characters
  • spaces
  • Unicode characters
  • spaces
  • Cannot contain a dot character ‘.’ immediately preceding the ‘@’ symbol
Password restrictions
  • 8 characters minimum and 16 characters maximum
  • 8 characters minimum and 16 characters maximum
  • Requires 3 out of 4 of the following:
    • Lowercase characters
    • Uppercase characters
    • Numbers (0-9)
    • Symbols (see password restrictions above)
Password expiry duration Default value: 90 daysValue is configurable using the Set-MsolPasswordPolicy cmdlet from the Windows Azure Active Directory Module for Windows PowerShell.
Password expiry notification Default value: 14 days (before password expires)Value is configurable using the Set-MsolPasswordPolicy cmdlet.
Password Expiry Default value: false days (indicates that password expiry is enabled)Value can be configured for individual user accounts using the Set-MsolUser cmdlet. See Set a password to never expire for instructions.
Password history Last password cannot be used again.
Password history duration Forever
Account Lockout After 10 unsuccessful logon attempts (wrong password), the user will need to solve a CAPTCHA dialog as part of logon.After a further 10 unsuccessful logon attempts (wrong password) and correct solving of the CAPTCHA dialog, the user will be locked out for a time period. Further incorrect passwords will result in an exponential increase in the lockout time period.



6 thoughts on “Office 365 Password Policy

    • As I understand it, the only limitations we need to adhere to when we have a password policy implemented are the minimum/maximum password length. However, if we need to bypass password complexity, and we have directory and password synchronization enabled, it is controlled through the on premise domain password group policy.

      However, we can decide to re-run the directory synchronization wizard and disable password synchronization. That will cause users to manage their own passwords–therefore passwords will differ from what is on premise.

      Did that answer your question?

  1. Pingback: Office 365 Password Policy | Cloud Evangelist

  2. Hello, Can we create password have part of the email address e.g, can we create password have John234$

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s