Understanding the Entra ID (formerly Azure AD) password policy
Safeguarding sensitive data begins with securing user credentials. A well-defined Entra ID password policy plays a pivotal role in strengthening your organization's defenses against unauthorized access. By defining clear guidelines for the password expiration time and lockout threshold, an Entra ID password policy helps your organization maintain a strong security posture.
What is an Entra ID password policy?
An Entra ID password policy defines the rules users must follow when creating and managing their passwords within a Microsoft 365 environment. These rules include criteria such as the password complexity, length, expiration time, and lockout threshold. The default password policy ensures that organizations have a basic level of protection against unauthorized access.
Why is an Entra ID password policy important?
Most organizations inadvertently expose themselves to cybercriminals through weak passwords, allowing unauthorized access to sensitive data. This weakens the organizations' security defenses and can result in irreversible damage, often leading to steep costs in remediation and recovery efforts. By implementing a strong password policy in Entra ID, organizations can:
- Enhance security: Strong password policies blunt common password attacks such as brute-force attacks, dictionary attacks, password spraying, and credential stuffing.
- Ensure compliance: Many regulatory frameworks, such as the GDPR, HIPAA, and the PCI DSS, require organizations to implement strong password policies.
- Promote a culture of security: Enforcing strong password policies helps organizations cultivate a culture of good security hygiene throughout the workforce.
Microsoft Entra Password Protection
Security best practices have long emphasized the importance of using unique, complex passwords and avoiding commonly used ones such as abcd and 1234. Despite these recommendations, many users still choose weak or insecure passwords, exposing their accounts to threats like credential stuffing. Microsoft Entra Password Protection mitigates this risk by identifying and blocking known weak passwords, including their common variations.
By default, Entra Password Protection applies a global list of banned passwords to all users within a tenant, preventing weak passwords from being set. Additionally, administrators can create a customized banned password list tailored to their organization's unique security requirements. This feature ensures that whenever users change or reset passwords, they are automatically checked against these lists, reinforcing the usage of stronger, more secure credentials.
Key components of an Entra ID password policy
Note: The highlighted settings cannot be modified by a Microsoft 365 tenant administrator. However, when it comes to banned passwords, administrators can create a custom banned password list that works alongside the default list.
An Entra ID password policy includes the following key components:
Setting | Description | Requirement |
---|---|---|
Banned passwords | The default configuration applies a global list of banned passwords to all users within a tenant. Additionally, a custom list of banned passwords can be created to satisfy specific security requirements. To perform this action, an account with at least the Authentication Policy Administrator role and a Microsoft Entra ID P1 license is required. | |
Password length | This is the minimum number of characters required for a password to be valid. | A minimum of 8 characters and a maximum of 256 characters |
Password complexity | This requires passwords to include a mix of character types, such as uppercase letters, lowercase letters, numerals, and symbols. | 3 out of the 4 character groups (uppercase letters, lowercase letters, numerals, and symbols) must be included in the password |
Allowed characters | This specifies which characters (letters, numerals, and symbols) are allowed in a password. | |
Prohibited characters | This specifies which characters are not allowed in a password. | Unicode characters |
Password change history | The previous password cannot be reused when the user changes their password. | |
Password reset history | The previous password can be reused when the user attempts to reset a forgotten password. | |
Password expires | This indicates whether a password will be deemed invalid after a certain duration, requiring the user to change it. | None (by default, the user password does not expire) |
Password expiration time | This denotes the duration after which the password is considered to be expired (invalid). | 90 days (only when the password expiration option is enabled) |
Password expiration time notification | This is the advance notification given to users before their current password expires. | 14 days before the current password expires |
Lockout threshold | This refers to the number of failed login attempts allowed before the user gets locked out of the account. | 10 (the user account gets locked after 10 unsuccessful login attempts) |
Smart lockout | Smart lockout keeps track of the last 3 incorrect password hashes so that the same bad password is not repeatedly counted toward the lockout threshold. A user who enters the same incorrect password multiple times therefore does not trigger a lockout. | By default, smart lockout prevents logins once the lockout threshold (10 failed attempts) is reached |
Lockout duration | This denotes the duration for which an account is locked after surpassing the lockout threshold before the user can log in again. | 60 seconds |
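To make the table concrete, here is an added Python sketch (not code from this page, from Microsoft, or from ManageEngine) that models the policy components above as a password validator and the smart lockout counter. The tiny global banned list and the variation-matching rule (case folding plus a small leetspeak substitution table) are constructed stand-ins; Microsoft's real list and its matching algorithm are not described on this page, and resetting the failure counter when a lockout starts is likewise a simplifying assumption.

```python
"""Added example: a model of the Entra ID password policy settings and
smart lockout behaviour listed above. The banned list, the normalize()
substitution table and the counter-reset-on-lockout rule are assumptions
made for illustration, not Microsoft's documented implementation."""

import hashlib
import string
from collections import deque
from typing import Callable, List, Optional

# Constructed stand-in for the global banned password list (the real one is large).
GLOBAL_BANNED = {"password", "abcd", "1234", "welcome", "letmein"}

# Hypothetical substitution table used to catch simple variations (P@ssw0rd -> password).
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "@": "a", "$": "s", "!": "i"})


def normalize(pw: str) -> str:
    """Lower-case, drop trailing digits/symbols, then undo common substitutions,
    so 'P@ssw0rd123!' and 'Welcome1!' reduce to 'password' and 'welcome'."""
    return pw.lower().rstrip(string.digits + string.punctuation).translate(_LEET)


class PasswordPolicy:
    MIN_LEN, MAX_LEN = 8, 256       # password length row
    GROUPS_REQUIRED = 3             # password complexity row: 3 of 4 groups

    def __init__(self, custom_banned=()):
        # Custom banned list works alongside the global list (banned passwords row).
        self.banned = GLOBAL_BANNED | {b.lower() for b in custom_banned}

    def check(self, pw: str, previous: Optional[str] = None) -> List[str]:
        """Return the list of violated rules; an empty list means accepted."""
        problems = []
        if not (self.MIN_LEN <= len(pw) <= self.MAX_LEN):
            problems.append("length")
        groups = sum([
            any(c.isupper() for c in pw),
            any(c.islower() for c in pw),
            any(c.isdigit() for c in pw),
            any(not c.isalnum() for c in pw),   # symbols
        ])
        if groups < self.GROUPS_REQUIRED:
            problems.append("complexity")
        if not pw.isascii():                    # prohibited characters row: Unicode
            problems.append("prohibited characters")
        if pw.lower() in self.banned or normalize(pw) in self.banned:
            problems.append("banned password")
        if previous is not None and pw == previous:   # password change history row
            problems.append("reuse of previous password")
        return problems


class SmartLockout:
    THRESHOLD = 10          # lockout threshold row
    LOCKOUT_SECONDS = 60    # lockout duration row
    TRACKED_HASHES = 3      # smart lockout row: last 3 bad password hashes

    def __init__(self, clock: Callable[[], float]):
        self.clock = clock                      # injectable clock for testing
        self.failures = 0
        self.recent = deque(maxlen=self.TRACKED_HASHES)
        self.locked_until = 0.0

    def is_locked(self) -> bool:
        return self.clock() < self.locked_until

    def record_failure(self, attempted_pw: str) -> bool:
        """Register a wrong password and report whether the account is locked.
        A password already among the last 3 bad hashes is not counted again."""
        h = hashlib.sha256(attempted_pw.encode()).hexdigest()  # demo hash only
        if h in self.recent:
            return self.is_locked()
        self.recent.append(h)
        self.failures += 1
        if self.failures >= self.THRESHOLD:
            self.locked_until = self.clock() + self.LOCKOUT_SECONDS
            self.failures = 0   # assumption: counter restarts after a lockout
        return self.is_locked()

    def record_success(self) -> None:
        self.failures = 0
        self.recent.clear()


if __name__ == "__main__":
    policy = PasswordPolicy(custom_banned={"Contoso"})
    for candidate in ["Tr0ub4dor&3xample", "P@ssw0rd123!", "Contoso2024!", "Ab1!"]:
        print(candidate, "->", policy.check(candidate) or "accepted")
```

The validator returns every violated rule rather than stopping at the first one, which is what a self-service reset screen needs in order to tell the user what to fix. The lockout class takes a clock function so the 60-second window can be tested without sleeping; note that the same wrong password typed ten times never locks the account, while ten distinct wrong passwords do.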
Best practices for managing password policies
- Implement strong password requirements: Enforce a password expiration time and an account lockout threshold and duration to enhance password security.
- Regularly review and update policies: Ensure your policies stay up to date with the latest security standards and your organizational needs.
- Leverage MFA: Combine passwords with additional verification methods for increased security.
- Monitor and audit: Regularly audit account activities and password changes to detect and respond to potential security threats.
Strengthen Entra ID password policies with ADSelfService Plus
ADSelfService Plus is an identity security solution that provides self-service password management features to help organizations strengthen their password hygiene. The Password Policy Enforcer allows you to set stringent password rules, preventing risks from weak or compromised passwords.
ADSelfService Plus also tracks users' password history, manages account lockouts, sends password expiration notifications, and offers audit and reporting capabilities. In addition to these features, ADSelfService Plus provides adaptive MFA with support for a wide range of authenticators. It offers MFA for endpoints, cloud and on-premises applications, VPNs, and Outlook on the web.
FAQs
The Entra ID password rule refers to a set of requirements a user must follow when creating or changing passwords in Entra ID. These requirements include the minimum length, complexity, expiration time, and lockout settings.
The default length is a minimum of eight characters, but the length can go up to 256 characters. The best practice is to use at least 12 characters.
In Entra ID, a user's password never expires by default. However, you can modify this default setting within the Microsoft 365 admin center by following the steps mentioned below:
- Log in to the Microsoft 365 admin center with an account that has security admin privileges.
- Navigate to Settings > Security & privacy > Password expiration policy.
- Disable the Set passwords to never expire (recommended) option.
- In the field named Days before passwords expire, enter 90, then click Save. This sets the password expiration window to 90 days. In addition to this, you will also be notified 14 days before the password expiration date.
Changing passwords every 90 days helps mitigate the risk of compromised credentials by limiting the time an attacker can use stolen passwords. However, it is recommended that you change passwords based on risk events rather than a fixed schedule.