If you're an admin of your organization's Office 365 or network, setting the password policy is your responsibility.
A password policy helps protect your organization from different levels of cyber threats.
When setting the password policy, you must do it correctly because any loophole can expose your business to vulnerabilities.
But, setting the Office 365 password policy can be complicated and sometimes confusing.
In this article, we outline what a password policy is and offer a step-by-step guide to setting up your password policy in Office 365.
In general, a password policy is a set of rules that users must meet to enhance computer or network security.
The policy establishes characteristics of strong passwords, such as password length and the types of characters allowed or disallowed.
A typical password policy encourages users, IT personnel, and network admins to create, implement, and use stronger passwords for the safety of your computer, network, and website.
As part of an organization's rules, password policies are often included in the organization's security awareness training.
Most password policies also come with applications and services, such as in the various Microsoft 365 plans.
Microsoft cloud-only accounts, which include Office 365 and Azure AD, have a predefined password policy that admins cannot change.
The policy sets three critical password guidelines for admins:
Examples of valid, strong Microsoft 365 passwords are:
Additional rules of a strong password include:
Microsoft 365 comes with a predefined password complexity.
This means your password should contain at least 3 of these allowed password characters:
This complexity cannot be changed.
You can advise your users only to include three of all the required characters and maintain the password within the required length (8 to 16 characters).
Note that cybersecurity research strongly shows that organizations' and individual mandated password changes often do more harm than good.
When changing passwords, people tend to choose weaker passwords they can remember easily, reuse old passwords, or update passwords in easily guessed ways.
This helps expose the passwords to bad actors.
Also, it's important not to require character composition of symbols such as *&(^%$, etc., in password complexity for two reasons.
First, they're difficult to remember.
Second, people tend to substitute them with known factors such as @ for a, $ for s, 1 for I, etc.
Your Office 365 password policy is in the Office 365 admin center.
Log in to the Office 365 admin center with the right credentials and locate the password policy.
To find the password policy in the Microsoft 365 admin center, follow these steps:
After finding your password policy in Microsoft 365 admin center, you can now set it to your preference.
Note that you must be an admin in the system to set up your organization's password policy.
Admins can follow the steps below to set your password policy in the Microsoft Admin center.
You can manage your organization's password policy in the Office 365 Admin center/portal only if you are an admin.
You can set whether or not user passwords expire, set password complexity, the duration before passwords expire, and notifications about password expiration.
This ensures that your organization stays secure from cyber attacks.
It's advised to always conduct a thorough password audit alongside educating your team about the essence of using strong passwords and the benefits of password management.
Passwords are just one of many factors that help keep data secure.
Use this Data Security Checklist to your audit your organization’s data security practices.