Office 365 Password Policy

Updated on 1 July 2015

The password policy in Office 365 (O365) is a little stricter than that of an on-premises environment, because certain characters that Active Directory accepts may not be recognized in O365 (e.g. CTRL characters). To see what is allowed in O365, as well as the other password settings, refer to the chart below.

One of the things that I appreciate is that we are not tied to a strict password expiration rule. That means we can set a password to never expire; however, that task cannot be performed from the portal. Check the references at the end of the article for how to perform it.

By default, the password expiration is 90 days. However, we can set the password expiration to a maximum of 730 days. This practice is not recommended, as it is a potential security risk to you and your company's data.

If you are using directory synchronization with password sync, I recommend that your Active Directory password group policy be set to something similar to what O365 requires. At a minimum, the values for 'Minimum password length', 'Maximum password age' and 'Password must meet complexity requirements' should be configured. I recommend setting the minimum password length to "8 characters" (instead of 7, the default in the Default Domain Policy), the complexity requirement to "Enabled", and the maximum password age to at least one day less than the password expiration we set in O365.

Password policy properties (Standard strength passwords vs. Strong passwords)

Characters allowed (standard strength and strong passwords)
  • A – Z
  • a – z
  • 0 – 9
  • @ # $ % ^ & * - _ + = [ ] { } | \ : ' , . ? / ` ~ " < > ( ) ;

Characters disallowed
  Standard strength passwords:
  • Unicode characters
  • spaces
  Strong passwords:
  • Unicode characters
  • spaces
  • Cannot contain a dot character '.' immediately preceding the '@' symbol

Password restrictions
  Standard strength passwords:
  • 8 characters minimum and 16 characters maximum
  Strong passwords:
  • 8 characters minimum and 16 characters maximum
  • Requires 3 out of 4 of the following:
    • Lowercase characters
    • Uppercase characters
    • Numbers (0-9)
    • Symbols (see the characters allowed above)

Password expiry duration
  Default value: 90 days. The value is configurable using the Set-MsolPasswordPolicy cmdlet from the Windows Azure Active Directory Module for Windows PowerShell.

Password expiry notification
  Default value: 14 days (before the password expires). The value is configurable using the Set-MsolPasswordPolicy cmdlet.

Password expiry
  Default value: false (indicates that password expiry is enabled). The value can be configured for individual user accounts using the Set-MsolUser cmdlet. See "Set a password to never expire" for instructions.

Password history
  The last password cannot be used again.

Password history duration
  Forever

Account lockout
  After 10 unsuccessful logon attempts (wrong password), the user will need to solve a CAPTCHA dialog as part of logon. After a further 10 unsuccessful logon attempts (wrong password) and correct solving of the CAPTCHA dialog, the user will be locked out for a time period. Further incorrect passwords will result in an exponential increase in the lockout time period.
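
As an added example (not code from the original article or from Microsoft), the following Python function checks a candidate password against the character, length, space/Unicode and "3 of 4 categories" rules in the chart above, so the rules an on-premises policy must mirror can be tested before a synced password is rejected by O365. The symbol list is copied from the chart; the dot-before-@ rule and the category rule apply only to the "strong" column.

```python
import string

# Symbol set copied from the "Characters allowed" row of the chart above.
ALLOWED_SYMBOLS = set("@#$%^&*-_+=[]{}|\\:',.?/`~\"<>();")
# Only ASCII letters and digits are allowed; anything else counts as Unicode.
ALLOWED_CHARS = set(string.ascii_letters) | set(string.digits) | ALLOWED_SYMBOLS


def check_password(password: str, strong: bool = True) -> list[str]:
    """Return the list of policy violations; an empty list means the password passes.

    strong=False applies the "Standard strength passwords" column,
    strong=True the "Strong passwords" column of the chart.
    """
    problems = []
    if not 8 <= len(password) <= 16:
        problems.append("length must be 8-16 characters")
    if " " in password:
        problems.append("spaces are not allowed")
    # Any character outside the allowed set (Unicode, control chars, ...) is rejected.
    bad = sorted({c for c in password if c not in ALLOWED_CHARS and c != " "})
    if bad:
        problems.append("disallowed characters: " + "".join(bad))
    if strong:
        if ".@" in password:
            problems.append("a '.' may not immediately precede '@'")
        # Count how many of the four character categories are present.
        categories = sum([
            any(c.islower() for c in password),
            any(c.isupper() for c in password),
            any(c.isdigit() for c in password),
            any(c in ALLOWED_SYMBOLS for c in password),
        ])
        if categories < 3:
            problems.append(f"only {categories} of 4 character categories used (need 3)")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for sample in ["Tr0ub4dor&3", "password", "my pass Word1", "abc.@Def1"]:
        print(repr(sample), "->", check_password(sample) or "OK")
```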

Reference(s):

8 thoughts on "Office 365 Password Policy"

    • As I understand it, the only limitations we need to adhere to when we have a password policy implemented are the minimum/maximum password length. However, if we need to bypass password complexity, and we have directory and password synchronization enabled, it is controlled through the on-premises domain password group policy.

      However, we can decide to re-run the directory synchronization wizard and disable password synchronization. That will cause users to manage their own passwords; therefore, passwords will differ from what is on premises.

      Did that answer your question?

  1. Pingback: Office 365 Password Policy | Cloud Evangelist

  2. Hello, can we create a password that has part of the email address, e.g. john.syria@###.com? Can we create a password like John234$?

  3. Any idea on how to prevent the use of domain/company names in passwords? Another way to ask would be: is there a way to specifically block a word from being used in O365?
