Your Guide to Setting Up Your Password Policy in Office 365


If you're an admin of your organization's Office 365 or network, setting the password policy is your responsibility. 

A password policy helps protect your organization from different levels of cyber threats. 

When setting the password policy, you must do it correctly because any loophole can expose your business to vulnerabilities. 

But, setting the Office 365 password policy can be complicated and sometimes confusing.

In this article, we outline what a password policy is and offer a step-by-step guide to setting up your password policy in Office 365.


What Is A Password Policy?

In general, a password policy is a set of rules that users must meet to enhance computer or network security. 

The policy establishes characteristics of strong passwords, such as password length and the types of characters allowed or disallowed.

A typical password policy encourages users, IT personnel, and network admins to create, implement, and use stronger passwords for the safety of your computer, network, and website.

As part of an organization's rules, password policies are often included in the organization's security awareness training. 

Many applications and services also ship with a built-in password policy, as the various Microsoft 365 plans do.


What Is The Default Password Policy For Office 365?

Microsoft cloud-only accounts, which include Office 365 and Azure Active Directory, have a predefined password policy that admins cannot change. 

The policy sets three critical password guidelines for admins:

  1. Password length. Office 365 passwords must be at least 8 and at most 16 characters long. The username cannot be part of the password.
  2. Password complexity. Office 365 passwords must be strong and may only contain allowed characters: lowercase and uppercase letters (a-z, A-Z), digits (0-9), and allowed symbols (such as ! @ # _ - $ % ^ & *). The Office 365 password policy disallows spaces and Unicode characters such as ¥, Ą, Ə, ɖ, o̕, Љ, Ԁ, Ա, ؟, ܀, ހ, ߄.
  3. Password expiry duration. By default, an organization's Office 365 passwords are set never to expire. However, admins can choose whether passwords expire and after how many days; the default was 60 days, but that can be changed. Microsoft will prompt users to reset their password when the time comes.

Examples of valid, strong Microsoft 365 passwords are:

  • May<1@>2@22$
  • summeR%2@2! 

Additional rules of a strong password include:

  • Prevent the use of personal details. Prevent users from including personal details like usernames, driver's license/ID/passport numbers, birth dates, and more in their passwords, because such details are easy for an attacker to discover or guess.
  • Prevent reuse of the last password. Your organization may establish a password reuse policy. 
  • Password expiry notification. The default value of password expiry notification is 14 days before password expiration.
  • Ban common or reused passwords to keep the vulnerable passwords away from your system.
  • Account lockout. Microsoft Entra offers a default lockout threshold of 10 failed attempts in Azure Public and Microsoft Azure, or 3 failed attempts for Azure US Government tenants.
  • Enable multi-factor authentication. Combined with a strong password, additional authentication factors make it much harder for attackers to break into users' Microsoft 365 accounts.


Did Microsoft Change Their Password Policy?

Yes.

Previously, Microsoft required periodic password changes.

However, Microsoft has done away with forced changes, since periodic rotation led people to choose weak or recycled passwords.

Please note that Azure AD still defaults to expiring passwords every 90 days. 

Admins can change this behavior. 


How Do I Change My Password Complexity In Office 365?

Microsoft 365 comes with a predefined password complexity, though an organization may wish to change the complexity requirements to suit its specific needs.

In practice, a password must contain characters from at least three of the four character categories below and stay within the length limit:

  • Uppercase characters (A-Z)
  • Lowercase characters (a-z)
  • Numbers (0-9)
  • Allowed symbols: ! @ # + = [ ] { } | \ $ % ^ & * - _ : ' , . ? / ` ~ " < > ( ) ;
  • A length of at least 8 and at most 16 characters

This complexity, however, cannot be changed.

All you can do is advise your users to include at least three of the required character types and keep the password within the required length (8 to 16 characters).
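Because the cloud rules cannot be changed, the useful thing an admin can build is a local pre-check (for a helpdesk tool or a self-service form) that tells a user why a candidate password will be rejected before they submit it. The function below is an added example, not code from the article or from Microsoft; it implements the rules quoted in the default-policy section and in the list above (8 to 16 characters, at least three of four character classes, only the listed symbols, no spaces or Unicode, account name not contained in the password). The function name, parameter names, the sample passwords other than the article's two, and the `contoso.example` account are my own constructed values.

```powershell
# Added example (not from the article): local pre-check mirroring the
# Microsoft 365 cloud password rules described above. Names are my own.
function Test-M365PasswordComplexity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Password,
        # Optional user principal name; its local part must not appear in the password.
        [string]$UserPrincipalName = ''
    )

    $problems = [System.Collections.Generic.List[string]]::new()

    # Rule 1: length window quoted in the article (8 to 16 characters).
    if ($Password.Length -lt 8 -or $Password.Length -gt 16) {
        $problems.Add("length must be 8 to 16 characters (got $($Password.Length))")
    }

    # Rule 2: allowed character set. The symbol list is the article's; anything
    # else (spaces, accented or non-Latin letters, emoji) is rejected outright.
    # -cmatch is case-sensitive, so [A-Z] and [a-z] really are distinct classes.
    $allowedSymbols = '!@#+=[]{}|\$%^&*-_:'',.?/`~"<>();'
    $hasUpper = $false; $hasLower = $false; $hasDigit = $false; $hasSymbol = $false
    foreach ($ch in $Password.ToCharArray()) {
        $s = [string]$ch
        if     ($s -cmatch '^[A-Z]$')              { $hasUpper  = $true }
        elseif ($s -cmatch '^[a-z]$')              { $hasLower  = $true }
        elseif ($s -cmatch '^[0-9]$')              { $hasDigit  = $true }
        elseif ($allowedSymbols.IndexOf($ch) -ge 0) { $hasSymbol = $true }   # ordinal char search
        else   { $problems.Add("character '$s' (U+$(([int]$ch).ToString('X4'))) is not allowed") }
    }

    # Rule 3: at least three of the four character classes must be present.
    $classes = @($hasUpper, $hasLower, $hasDigit, $hasSymbol).Where({ $_ }).Count
    if ($classes -lt 3) {
        $problems.Add("only $classes of 4 character classes used; at least 3 are required")
    }

    # Rule 4: the account name (local part of the UPN) must not appear in the
    # password, compared case-insensitively.
    if ($UserPrincipalName) {
        $localPart = $UserPrincipalName.Split('@')[0]
        if ($localPart -and ($Password -imatch [regex]::Escape($localPart))) {
            $problems.Add("password contains the account name '$localPart'")
        }
    }

    [pscustomobject]@{
        Password = $Password
        IsValid  = ($problems.Count -eq 0)
        Problems = $problems.ToArray()
    }
}

# The article's two sample passwords pass. The three constructed ones each trip a
# different rule: a space, too few character classes, and the account name inside.
'May<1@>2@22$', 'summeR%2@2!', 'Summer 2022', 'p@ssword', 'jdoe2024!A' |
    ForEach-Object { Test-M365PasswordComplexity -Password $_ -UserPrincipalName 'jdoe@contoso.example' } |
    Format-Table Password, IsValid, Problems -AutoSize
```

The check is deliberately stricter than a plain length-and-classes test: it reports every offending character with its code point, so a user who pasted a curly quote or a non-breaking space from a password manager sees exactly which character Microsoft will refuse.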

Note that cybersecurity research strongly indicates that mandated periodic password changes, whether imposed by organizations or self-imposed, often do more harm than good.

When forced to change passwords, people tend to choose weaker passwords they can remember easily, or to reuse old ones.

Users also tend to update their passwords in easily guessed ways.

This makes the new passwords easy for bad actors to guess.

Also, it's important not to require specific symbols such as *&(^%$ in the password complexity rules, for two reasons.

First, they're difficult to remember.

Second, people tend to make predictable substitutions, such as @ for a, $ for s, and 1 for I.


How Do I Find My Password Policy in Office 365?

Your Office 365 password policy is in the Office 365 admin center. 

Log in to the Office 365 admin center with the right credentials and locate the password policy.

To find the password policy in the Microsoft 365 admin center, follow these steps:

  1. Log in to the Office 365 admin center (admin.microsoft.com) using your admin username and password.
  2. On the left pane, go to Settings > Org Settings. You'll only see this option if you're the organization's Office 365 global admin.
  3. Expand the Settings menu, then go to Security & Privacy.
  4. You'll see the Password Policy in the new window, along with the privacy policy, sharing settings, and others.


6 Steps To Setting Up Your Microsoft 365 Password Policy Management

After finding your password policy in Microsoft 365 admin center, you can now set it to your preference. 

Note that you must be an admin in the system to set up your organization's password policy. 

Admins can follow the steps below to set the organization's password policy in the Microsoft 365 admin center.

  1. In the Microsoft 365 admin center, navigate to Settings > Org Settings > Security & privacy tab. This option is only visible to a global admin or security admin.
  2. In the list of elements, select Password expiration policy > Set user passwords policy for …
  3. To remove your organization's password expiration, uncheck the box "Set user passwords to expire after a number of days." This sets passwords never to expire.
  4. To set a password expiration policy (how often passwords expire), leave "Set user passwords to expire after a number of days" checked. Then:
    1. Choose the number of days after which passwords expire. Replace the default 90 with any number between 14 and 730.
    2. Select when users are notified before the password expiration day. Replace the default 14 with any number between 1 and 30. For example, if you choose 30, users will be notified 30 days before their password expires.
  5. To set passwords never to expire so users don't have to change them, toggle the box that says Set passwords to never expire to disable it.
  6. Once you're done, click Save.
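The same expiration settings can be applied and, just as importantly, read back for verification from PowerShell, which is how you would script them across tenants or check them during an audit. The script below is an added example, not from the article or from Microsoft's documentation; it uses the Microsoft Graph PowerShell SDK (`Microsoft.Graph` module) and assumes a session with the `Domain.ReadWrite.All` and `User.ReadWrite.All` permissions. The function names, the `[ValidateRange]` limits (copied from the admin-center ranges quoted in steps 4.1 and 4.2), the `contoso.example` domain and the `svc-backup` account are my own; the per-user exemption at the end goes beyond the article's six steps.

```powershell
# Added example (not from the article): the admin-center expiration steps done
# with the Microsoft Graph PowerShell SDK. Requires: Install-Module Microsoft.Graph
Connect-MgGraph -Scopes 'Domain.ReadWrite.All', 'User.ReadWrite.All'

$domain = 'contoso.example'   # placeholder: one of your tenant's verified domains

# Step 4: passwords expire after $ValidityDays, users are warned $NotifyDays ahead.
# The ranges mirror the admin-center limits quoted in the article (14-730, 1-30).
function Set-PasswordExpiration {
    param(
        [Parameter(Mandatory)][string]$DomainId,
        [ValidateRange(14, 730)][int]$ValidityDays = 90,
        [ValidateRange(1, 30)][int]$NotifyDays = 14
    )
    Update-MgDomain -DomainId $DomainId `
        -PasswordValidityPeriodInDays $ValidityDays `
        -PasswordNotificationWindowInDays $NotifyDays
}

# Steps 3 and 5: passwords never expire. Graph represents "never" as the
# sentinel value 2147483647 days (Int32.MaxValue).
function Set-PasswordNeverExpires {
    param([Parameter(Mandatory)][string]$DomainId)
    Update-MgDomain -DomainId $DomainId -PasswordValidityPeriodInDays 2147483647
}

# Apply a 90-day policy with a 14-day warning (the article's defaults) and then
# read the domain back to confirm what the tenant actually enforces.
Set-PasswordExpiration -DomainId $domain -ValidityDays 90 -NotifyDays 14
Get-MgDomain -DomainId $domain |
    Select-Object Id, PasswordValidityPeriodInDays, PasswordNotificationWindowInDays

# Beyond the article's steps: exempt a single account (for example a service
# account whose secret is rotated by other means) without changing the domain default.
Update-MgUser -UserId "svc-backup@$domain" -PasswordPolicies 'DisablePasswordExpiration'

# Audit view: list accounts that carry the per-user exemption, since these are
# the ones the domain-wide expiration setting no longer covers.
Get-MgUser -All -Property 'UserPrincipalName,PasswordPolicies' |
    Where-Object { $_.PasswordPolicies -match 'DisablePasswordExpiration' } |
    Select-Object UserPrincipalName, PasswordPolicies
```

The read-back and the final audit query are the parts worth keeping in a scheduled job: the admin-center toggle and the per-user `PasswordPolicies` attribute are independent, so a tenant can show "passwords expire" in the portal while individual accounts silently never expire.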


Conclusion

You can manage your organization's password policy in the Office 365 Admin center/portal only if you are an admin. 

You can set whether or not user passwords expire, set password complexity, the duration before passwords expire, and notifications about password expiration. 

This ensures that your organization stays secure from cyber attacks. 

It's advised to always conduct a thorough password audit alongside educating your team about the essence of using strong passwords and the benefits of password management. 

Passwords are just one of many factors that help keep data secure. 

Use this Data Security Checklist to audit your organization's data security practices.
