Account/Authentication - Azure Active Directory - Ensure that Office 365 Passwords Are Not Set to Expire

 





Summary

Generally, Microsoft cloud-only accounts have a pre-defined password policy that cannot be changed. You can only change the number of days until a password expires and whether or not passwords expire at all.

Reason

Organizations such as NIST and Microsoft have updated their password policy recommendations so that users are no longer arbitrarily required to change their passwords after a specific amount of time, unless there is evidence that the password is compromised or the user forgets it.

What If?

If passwords are set not to expire, other controls should be in place to supplement this setting. The following steps are recommended:

  1. Ban common passwords
  2. Educate users to not reuse organization passwords anywhere else
  3. Enforce MFA registration for all users
  4. Enforce MFA registration

How to?

To set Office 365 passwords to never expire, use the Microsoft 365 Admin Center:
  1. Expand Settings, then select the Org Settings subcategory.
  2. Click on Security & privacy.
  3. Select Password expiration policy.
  4. If the Set passwords to never expire (recommended) box is unchecked, check it.
  5. Click Save.

To set Office 365 passwords to never expire, use the Microsoft Online PowerShell module:

  1. Connect to the Microsoft Online service using Connect-MsolService.
  2. Run the following Microsoft Online PowerShell command:

Set-MsolPasswordPolicy -ValidityPeriod 2147483647 -DomainName <DomainName> -NotificationDays 30

Monitor:

To verify that Office 365 passwords are not set to expire, use the Microsoft 365 Admin Center:
  1. Expand Settings, then select the Org Settings subcategory.
  2. Click on Security & privacy.
  3. Select Password expiration policy and ensure that Set passwords to never expire (recommended) has been checked.

To verify that Office 365 passwords are not set to expire, use the Microsoft Online PowerShell module:

  1. Connect to the Microsoft Online service using Connect-MsolService.
  2. Run the following Microsoft Online PowerShell command:

Get-MsolPasswordPolicy -DomainName <DomainName> | ft ValidityPeriod
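
The per-domain check above can be extended to every domain in the tenant. The script below is an added example, not part of the original post; the function name Test-PasswordExpiryPolicy, the status labels and the sample domains are hypothetical, and the handling of federated domains and empty policy values is an assumption.

```powershell
# Added example (not from the original post). Classifies one domain's password policy.
# 2147483647 is the "never expire" ValidityPeriod value used on this page.
$NeverExpire = 2147483647

function Test-PasswordExpiryPolicy {
    param(
        [Parameter(Mandatory)] [string] $DomainName,
        [string] $Authentication = 'Managed',  # Authentication property from Get-MsolDomain
        $Policy                                # Get-MsolPasswordPolicy output; may be $null
    )
    $validity = if ($Policy) { $Policy.ValidityPeriod } else { $null }
    $status = if ($Authentication -ne 'Managed') {
        'NotApplicable'   # assumption: federated domains take password policy from their IdP
    } elseif ($null -eq $validity) {
        'NotSet'          # assumption: an empty value means no explicit policy was ever set
    } elseif ($validity -eq $NeverExpire) {
        'Compliant'
    } else {
        'Expires'
    }
    [pscustomobject]@{
        Domain         = $DomainName
        Authentication = $Authentication
        ValidityPeriod = $validity
        Status         = $status
    }
}

# Constructed sample data standing in for Get-MsolDomain / Get-MsolPasswordPolicy output.
$sample = @(
    @{ Name = 'contoso.example';  Authentication = 'Managed'
       Policy = [pscustomobject]@{ ValidityPeriod = 2147483647; NotificationDays = 30 } }
    @{ Name = 'legacy.example';   Authentication = 'Managed'
       Policy = [pscustomobject]@{ ValidityPeriod = 90; NotificationDays = 14 } }
    @{ Name = 'newbrand.example'; Authentication = 'Managed';   Policy = $null }
    @{ Name = 'adfs.example';     Authentication = 'Federated'; Policy = $null }
)
$report = foreach ($d in $sample) {
    Test-PasswordExpiryPolicy -DomainName $d.Name -Authentication $d.Authentication -Policy $d.Policy
}

# Show only the domains that still need the Set-MsolPasswordPolicy change.
$report | Where-Object { $_.Status -in 'Expires', 'NotSet' } | Format-Table -AutoSize

# Live use after Connect-MsolService:
# Get-MsolDomain | ForEach-Object {
#     Test-PasswordExpiryPolicy -DomainName $_.Name -Authentication $_.Authentication `
#         -Policy (Get-MsolPasswordPolicy -DomainName $_.Name)
# }
```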













