Office 365 (Azure Active Directory) is fairly strict with its password policy and complexity requirements. It is important to understand how this works when an on-premises environment and Office 365 need to be integrated for directory and password synchronization.
Personally, I recommend that the on-premises password policy and complexity settings match what is required for Azure AD. But this is not necessary (especially with a hybrid deployment).
It is important to note that when password synchronization is enabled via the directory synchronization tool … “the password complexity policies configured in the on-premises Active Directory override any complexity policies that may be defined in the cloud for synchronized users. This means any password that is valid in the customer’s on-premises Active Directory environment can be used for accessing Azure AD services.” (Implement Password Synchronization)
However, there might be other scenarios in which users just can’t handle or don’t understand complex (strong) passwords. In virtually every other scenario (non-hybrid), the password complexity policies apply. Nevertheless, should the need arise, the strong password requirement can be disabled.
Disable Strong Password Requirement
Connect to Office 365 via the Azure AD Module for PowerShell
Check the strong password setting for all users with this command…
Get-MsolUser -All | ft -auto UserPrincipalName,StrongPasswordRequired
By default, the value of the StrongPasswordRequired parameter for each user displayed should be “True”. The exception is shared and resource mailboxes, since these types of mailboxes do not require their own credentials. In that case, the StrongPasswordRequired parameter should be set to “<blank>”.
To disable the setting for an individual user in O365, use this command…
Set-MsolUser -UserPrincipalName "USER_PRINCIPAL_NAME" -StrongPasswordRequired $false
Running this command sets the StrongPasswordRequired parameter to “False”.
To disable the setting for all O365 users, use this command…
Get-MsolUser -All | Set-MsolUser -StrongPasswordRequired $false
NOTE: The StrongPasswordRequired parameter can be set on shared and resource mailboxes; however, once it is set, it cannot be set back to the original value of “<blank>”.
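An added example (not from the original post) that makes the bulk change scoped and reversible: it snapshots every user's current value, changes only accounts where the value is True so the blank value on shared and resource mailboxes is left untouched, and can restore from the snapshot. The function names and the snapshot path are hypothetical; it assumes the MSOnline module and an existing Connect-MsolService session.

```powershell
# Added example. Assumes the MSOnline module and an existing Connect-MsolService session.
# Function names and the snapshot path are hypothetical.

function Save-StrongPasswordSnapshot {
    param([string]$Path = '.\StrongPasswordRequired-before.csv')
    # -All lifts the default result limit of Get-MsolUser so every user is recorded.
    $users = Get-MsolUser -All | Select-Object UserPrincipalName, StrongPasswordRequired
    $users | Export-Csv -Path $Path -NoTypeInformation
    return $users
}

function Disable-StrongPasswordScoped {
    param([Parameter(Mandatory)][object[]]$Users)
    # Only accounts currently set to True are changed. A blank (null) value,
    # as on shared and resource mailboxes, fails this test and is skipped.
    $targets = @($Users | Where-Object { $_.StrongPasswordRequired -eq $true })
    foreach ($u in $targets) {
        Set-MsolUser -UserPrincipalName $u.UserPrincipalName -StrongPasswordRequired $false
    }
    return $targets.Count
}

function Restore-StrongPasswordFromSnapshot {
    param([string]$Path = '.\StrongPasswordRequired-before.csv')
    # CSV values are strings: 'True', 'False', or '' for blank.
    $rows = @(Import-Csv -Path $Path | Where-Object { $_.StrongPasswordRequired -eq 'True' })
    foreach ($row in $rows) {
        Set-MsolUser -UserPrincipalName $row.UserPrincipalName -StrongPasswordRequired $true
    }
    return $rows.Count
}

$before  = Save-StrongPasswordSnapshot
$changed = Disable-StrongPasswordScoped -Users $before
"Changed $changed of $($before.Count) accounts"

# List the accounts that now have the requirement disabled, for review.
Get-MsolUser -All | Where-Object { $_.StrongPasswordRequired -eq $false } |
    Format-Table -AutoSize UserPrincipalName, StrongPasswordRequired

# To undo the change later: Restore-StrongPasswordFromSnapshot
```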
Related Articles in this Blog:
- Password policy in Azure AD
- Implement Password Synchronization
- AADSync hybrid password policy
- Disable Password Complexity for Office 365 Users