Table of Contents


Microsoft enforces a strong default two gate password reset policy for any Azure administrator role (Example: Global Administrator, Helpdesk Administrator, Password Administrator, etc.)

This disables administrators from using security questions and enforces the following.

Two gate policy, requiring two pieces of authentication data (email address and phone number), applies in the following circumstances

  • All Azure administrator roles
    • Helpdesk Administrator
    • Service Support Administrator
    • Billing Administrator
    • Partner Tier1 Support
    • Partner Tier2 Support
    • Exchange Service Administrator
    • Lync Service Administrator
    • User Account Administrator
    • Directory Writers
    • Global Administrator/Company Administrator
    • SharePoint Service Administrator
    • Compliance Administrator
    • Application Administrator
    • Security Administrator
    • Privileged Role Administrator
    • Intune Service Administrator
    • Application Proxy Service Administrator
    • CRM Service Administrator
    • Power BI Service Administrator
  • 30 days have elapsed in a trial OR
  • Vanity domain is present (contoso.com) OR
  • Azure AD Connect is synchronizing identities from your on-premises directory

Exceptions


One gate policy, requiring one piece of authentication data (email address or phone number), applies in the following circumstances

  • First 30 days of a trial OR
  • Vanity domain is not present (.onmicrosoft.com) **AND* Azure AD Connect is not synchronizing identities

UserPrincipalName policies that apply to all user accounts

Every user account that needs to sign in to Azure AD must have a unique user principal name (UPN) attribute value associated with their account. The table below outlines the policies that apply to both on-premises Active Directory user accounts synchronized to the cloud and to cloud-only user accounts.

Property

UserPrincipalName requirements

Characters allowed
    • A – Z
    • a - z
    • 0 – 9
    • . - _ ! # ^ ~

Characters not allowed
    • Any '@' character that is not separating the user name from the domain.</li> <li>Cannot contain a period character '.' immediately preceding the '@' symbol

Length constraints
    • Total length must not exceed 113 characters
    • 64 characters before the ‘@’ symbol
    • 48 characters after the ‘@’ symbol

Password policies that apply only to cloud user accounts

The following table describes the available password policy settings that can be applied to user accounts that are created and managed in Azure AD.

Property

Requirements

Characters allowed
    • A – Z
    • a - z
    • 0 – 9
    • @ # $ % ^ & * - _ ! + = [ ] { } | \ : ‘ , . ? / ` ~ “ ( ) ;

Characters not allowed
    • Unicode characters
    • Spaces
    • Strong passwords only: Cannot contain a dot character '.' immediately preceding the '@' symbol

Password restrictions
    • 8 characters minimum and 16 characters maximum
    • Strong passwords only: Requires 3 out of 4 of the following:
      • Lowercase characters
      • Uppercase characters
      • Numbers (0-9)
      • Symbols (see password restrictions above)

Password expiry duration
    • Default value: 90 days
    • Value is configurable using the Set-MsolPasswordPolicy cmdlet from the Azure Active Directory Module for Windows PowerShell.

Password expiry notification
    • Default value: 14 days (before the password expires)
    • Value is configurable using the Set-MsolPasswordPolicy cmdlet.

Password Expiry
    • Default value: false days (indicates that password expiry is enabled)
    • Value can be configured for individual user accounts using the Set-MsolUser cmdlet.

Password change history

Last password cannot be used again when changing a password.

Password reset history

Last password may be used again when resetting a forgotten password.

Account Lockout

After 10 unsuccessful sign-in attempts (wrong password), the user will be locked out for one minute. Further incorrect sign-in attempts lock out the user for increasing durations.

Set password expiration policies in Azure Active Directory

A global administrator for a Microsoft cloud service can use the Microsoft Azure Active Directory Module for Windows PowerShell to set up user passwords not to expire. You can also use Windows PowerShell cmdlets to remove the never-expires configuration or to see which user passwords are set up not to expire. This guidance applies to other providers such as Microsoft Intune and Office 365, which also rely on Microsoft Azure Active Directory for identity and directory services.

Note

Only passwords for user accounts that are not synchronized through directory synchronization can be configured to not expire. For more information about the directory synchronization seeConnect AD with Azure AD.

Set or check password policies using PowerShell


To get started, you need to download and install the Azure AD PowerShell module. Once you have it installed, you can follow the steps below to configure each field.

How to check expiration policy for a password

  1. Connect to Windows PowerShell using your company administrator credentials.
  2. Execute one of the following commands:
    • To see whether a single user’s password is set to never expire, run the following cmdlet by using the user principal name (UPN) (for example, aprilr@contoso.onmicrosoft.com) or the user ID of the user you want to check: Get-MSOLUser -UserPrincipalName <user ID> | Select PasswordNeverExpires
    • To see the "Password never expires" setting for all users, run the following cmdlet: Get-MSOLUser | Select UserPrincipalName, PasswordNeverExpires

Set a password to expire

  1. Connect to Windows PowerShell using your company administrator credentials.
  2. Execute one of the following commands:
    • To set the password of one user so that the password expires, run the following cmdlet by using the user principal name (UPN) or the user ID of the user: Set-MsolUser -UserPrincipalName <user ID> -PasswordNeverExpires $false
    • To set the passwords of all users in the organization so that they expire, use the following cmdlet: Get-MSOLUser | Set-MsolUser -PasswordNeverExpires $false

Set a password to never expire

  1. Connect to Windows PowerShell using your company administrator credentials.
  2. Execute one of the following commands:
    • To set the password of one user to never expire, run the following cmdlet by using the user principal name (UPN) or the user ID of the user: Set-MsolUser -UserPrincipalName <user ID> -PasswordNeverExpires $true
    • To set the passwords of all the users in an organization to never expire, run the following cmdlet: Get-MSOLUser | Set-MsolUser -PasswordNeverExpires $true