Understanding the Entra ID (formerly Azure AD) password policy
Safeguarding sensitive data begins with securing user credentials. A well-defined Entra ID password policy plays a pivotal role in strengthening your organization's defenses against unauthorized access. By defining clear guidelines for the password expiration time and lockout threshold, an Entra ID password policy helps your organization maintain a strong security posture.
What is an Entra ID password policy?
An Entra ID password policy defines the rules users must follow when creating and managing their passwords within a Microsoft 365 environment. These rules include criteria such as the password complexity, length, expiration time, and lockout threshold. The default password policy ensures that organizations have a basic level of protection against unauthorized access.
Why is an Entra ID password policy important?
Most organizations inadvertently expose themselves to cybercriminals through weak passwords, allowing unauthorized access to sensitive data. This weakens the organizations' security defenses and can result in irreversible damage, often leading to steep costs in remediation and recovery efforts. By implementing a strong password policy in Entra ID, organizations can:
- Enhance security: Strong password policies prevent common password attacks like brute-force attacks, dictionary attacks, password spraying, and credential stuffing.
- Ensure compliance: Many regulatory frameworks, such as the GDPR, HIPAA, and the PCI DSS, require organizations to implement strong password policies.
- Promote a culture of security: Enforcing strong password policies helps organizations cultivate a culture of good security hygiene throughout the workforce.
Microsoft Entra Password Protection
Security best practices have always emphasized the importance of using unique, complex passwords and avoiding commonly used ones such as abcd and 1234. Despite these recommendations, many users still use weak or insecure passwords, putting their accounts at risk of cyberthreats like credential stuffing. To address this, Microsoft Entra Password Protection identifies and blocks known weak passwords, including their variations.
By default, Entra Password Protection applies a global list of banned passwords to all users within a tenant, preventing weak passwords from being set. Additionally, administrators can create a customized banned password list tailored to their organization's unique security requirements. This feature ensures that whenever users change or reset passwords, they are automatically checked against these lists, reinforcing the usage of stronger, more secure credentials.
Key components of an Entra ID password policy
Note: The highlighted settings cannot be modified by a Microsoft 365 tenant administrator. However, when it comes to banned passwords, administrators can create a custom banned password list that works alongside the default list.
An Entra ID password policy includes the following key components:
| Setting | Description | Requirement |
|---|---|---|
| Banned passwords | The default configuration applies a global list of banned passwords to all users within a tenant. Additionally, a custom list of banned passwords can be created to satisfy specific security requirements. To perform this action, an account with at least the Authentication Policy Administrator role and a Microsoft Entra ID P1 license is required. | |
| Password length | This is the minimum number of characters required for a password to be valid. | A minimum of 8 characters and a maximum of 256 characters |
| Password complexity | This requires passwords to include a mix of character types, such as uppercase letters, lowercase letters, numerals, and symbols. | 3 out of the 4 character groups (uppercase letters, lowercase letters, numerals, and symbols) must be included in the password |
| Allowed characters | This specifies which characters (letters, numerals, and symbols) are allowed in a password. | |
| Prohibited characters | This specifies which characters are not allowed in a password. | Unicode characters |
| Password change history | The previous password cannot be reused when the user changes their password. | |
| Password reset history | The previous password can be reused when the user attempts to reset a forgotten password. | |
| Password expires | This indicates whether a password will be deemed invalid after a certain duration and requires the user to change it. | None (by default, the user password does not expire) |
| Password expiration time | This denotes the duration after which the password is considered to be expired (invalid). | 90 days (only when the password expiration option is enabled) |
| Password expiration time notification | This is the notification given to users in advance before their currently set password expires. | 14 days before the currently set password expires |
| Lockout threshold | This refers to the number of failed login attempts allowed before the user gets locked out of the account. | 10 (the user account gets locked after 10 unsuccessful login attempts) |
| Smart lockout | Smart lockout keeps track of the last 3 incorrect password hashes to prevent repeatedly counting the same bad password towards the lockout threshold. If a user enters the same incorrect password multiple times, they will not trigger a lockout. | By default, smart lockout will prevent logins after the following number of failed attempts: |
| Lockout duration | This denotes the duration for which an account is locked after surpassing the lockout threshold before the user can log in again. | 60 seconds |
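As an added illustration of the length, complexity, prohibited-character and banned-password rows in the table above (example code written for this page, not Microsoft's or ManageEngine's implementation), the checker below evaluates a candidate password against those rules. The custom banned list is constructed for the example, and the normalization step (lowercasing plus undoing a few common character substitutions) is an assumption that only approximates how Entra Password Protection matches "variations" of banned terms.

```python
import re

MIN_LEN, MAX_LEN = 8, 256          # "Password length" row

# The four character groups from the "Password complexity" row
GROUPS = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "numeral":   re.compile(r"[0-9]"),
    "symbol":    re.compile(r"[^A-Za-z0-9]"),
}

# Constructed custom banned password list (assumption: an organization's own terms)
CUSTOM_BANNED = ("contoso", "password", "winter")

# Assumed normalization: lowercase and reverse common substitutions (0->o, 1->l, $->s, @->a)
_SUBS = str.maketrans("01$@", "olsa")


def normalize(pw: str) -> str:
    """Canonical form used for banned-term matching (approximation, see lead-in)."""
    return pw.lower().translate(_SUBS)


def check_password(pw: str, banned=CUSTOM_BANNED) -> list[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if not (MIN_LEN <= len(pw) <= MAX_LEN):
        problems.append(f"length must be between {MIN_LEN} and {MAX_LEN} characters")
    if not pw.isascii():                       # "Prohibited characters: Unicode characters"
        problems.append("Unicode characters are not allowed")
    groups_hit = sum(1 for rx in GROUPS.values() if rx.search(pw))
    if groups_hit < 3:                         # 3 out of the 4 groups are required
        problems.append(f"only {groups_hit} of 4 character groups used; 3 are required")
    norm = normalize(pw)
    for term in banned:                        # banned terms and their substituted variants
        if term in norm:
            problems.append(f"contains banned term '{term}' after normalization")
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "Tr0ub4dor&3", "abcdefgh", "Winter2024!"):
        print(candidate, "->", check_password(candidate) or "OK")
```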
Best practices for managing password policies
- Implement strong password requirements: Enforce a password expiration time and an account lockout threshold and duration to enhance password security.
- Regularly review and update policies: Ensure your policies stay up to date with the latest security standards and your organizational needs.
- Leverage MFA: Combine passwords with additional verification methods for increased security.
- Monitor and audit: Regularly audit account activities and password changes to detect and respond to potential security threats.
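To make the lockout threshold, smart lockout and lockout duration settings from the table above concrete (the "Implement strong password requirements" practice), the following added example models how an account lockout counter behaves under those rules: ten distinct failed attempts lock the account for 60 seconds, while a repeat of one of the last three wrong passwords is not counted again. This is illustrative code written for this page, not Microsoft's implementation; the clock parameter and the unsalted in-memory hashing of attempts are simplifications for the simulation.

```python
import hashlib
import time


class SmartLockout:
    """Per-account lockout state following the page's table: threshold 10, last-3 hash memory, 60 s lockout."""
    THRESHOLD = 10          # "Lockout threshold" row
    REMEMBERED = 3          # "Smart lockout" row: last 3 incorrect password hashes
    LOCKOUT_SECONDS = 60    # "Lockout duration" row

    def __init__(self, now=time.monotonic):
        self.now = now                # injectable clock so the behaviour can be tested offline
        self.failures = 0             # distinct bad attempts counted towards the threshold
        self.recent = []              # hashes of the last REMEMBERED distinct wrong passwords
        self.locked_until = 0.0

    def is_locked(self) -> bool:
        return self.now() < self.locked_until

    def record_failure(self, attempted: str) -> bool:
        """Register a wrong password. Returns True if the account is locked afterwards."""
        if self.is_locked():
            return True
        digest = hashlib.sha256(attempted.encode()).hexdigest()
        if digest in self.recent:     # same bad password again: not counted towards the threshold
            return False
        self.recent = (self.recent + [digest])[-self.REMEMBERED:]
        self.failures += 1
        if self.failures >= self.THRESHOLD:
            self.locked_until = self.now() + self.LOCKOUT_SECONDS
            self.failures = 0         # counter restarts once the lockout period has passed
            return True
        return False

    def record_success(self) -> None:
        """A correct password clears the failure state."""
        self.failures = 0
        self.recent = []


if __name__ == "__main__":
    acct = SmartLockout()
    for _ in range(5):
        acct.record_failure("typo1")          # counted once thanks to the hash memory
    for i in range(2, 11):
        locked = acct.record_failure(f"typo{i}")
    print("locked after 10 distinct failures:", locked, "- counted failures:", acct.failures)
```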
Strengthen Entra ID password policies with ADSelfService Plus
ADSelfService Plus is an identity security solution that provides self-service password management features to help organizations strengthen their password hygiene. The Password Policy Enforcer allows you to set stringent password rules, preventing risks from weak or compromised passwords.
ADSelfService Plus also tracks users' password history, manages account lockouts, sends password expiration notifications, and offers audit and reporting capabilities. In addition to these features, ADSelfService Plus provides adaptive MFA with support for a wide range of authenticators. It offers MFA for endpoints, cloud and on-premises applications, VPNs, and Outlook on the web.
Highlights of ADSelfService Plus
Password self-service
Unburden Windows AD users from lengthy help desk calls by empowering them with self-service password reset and account unlock capabilities.
Multi-factor authentication
Enable context-based MFA with 20 different authentication factors for endpoint, application, VPN, OWA, and RDP logins.
One identity with single sign-on
Get seamless one-click access to more than 100 cloud applications. With enterprise single sign-on (SSO), users can access all their cloud applications using their Windows AD credentials.
Password and account expiry notifications
Notify Windows AD users of their impending password and account expiry via email and SMS notifications.
Password synchronization
Synchronize Windows AD user passwords and account changes across multiple systems automatically, including Microsoft 365, Google Workspace, IBM iSeries, and more.
Password policy enforcer
Strong passwords resist various hacking threats. Require Windows AD users to set compliant passwords by displaying the password complexity requirements at password change time.
FAQs
The Entra ID password rule refers to a set of requirements a user must follow when creating or changing passwords in Entra ID. These requirements include the minimum length, complexity, expiration time, and lockout settings.
The default length is a minimum of eight characters, but the length can go up to 256 characters. The best practice is to use at least 12 characters.
In Entra ID, a user's password never expires by default. However, you can modify this default setting within the Microsoft 365 admin center by following the steps mentioned below:
- Log in to the Microsoft 365 admin center with an account that has security admin privileges.
- Navigate to Settings > Security & privacy > Password expiration policy.
- Disable the Set passwords to never expire (recommended) option.
- In the field named Days before passwords expire, enter 90, then click Save. This sets the password expiration window to 90 days. In addition to this, you will also be notified 14 days before the password expiration date.
Changing passwords every 90 days helps mitigate the risk of compromised credentials by limiting the time an attacker can use stolen passwords. However, it is recommended that you change passwords based on risk events rather than a fixed schedule.
