Allow alteration to the global Azure AD Password Policy (complexity, length, etc)
Force special characters in Azure AD password Policy
I would like the ability to force more complex passwords without the need for a Dirsynced server. The default password policy for the global profile in Azure AD is not strong enough, and I would like some better options for length, complexity and special character requirements.
Bart Jansen commented
So happy to find this, been looking for the possibility to enforce password strength all over just to find it is not possible without AD... unbelievable.
We had to set up an AD in the Azure Cloud to sync password policy with O365 to get the complexity we needed. If O365 is to become a viable platform, MS should seriously consider providing added functionality to go beyond the standard complex password rules. In these days of enhanced cyber security awareness, more and more clients are asking for security over and above.
Oscar Stankard commented
A little shocked to see this is only possible with directory sync, Microsoft are promoting cloud only more and more and this basic limitation on functionality is very strange. Please can we see basic password complexity possible within AzureAD, the same as it is in on-prem AD, if AzureAD and cloud only is supposed to be the new way Microsoft are promoting and moving users towards?
Requiring secure passwords should be a basic part of an online and internet-facing authentication system, most people don't have directory sync enabled and this is a strange restriction.
If we're being more and more railroaded towards an SSO world where a single credential gives complete access, to the whole internet, to all manners of data and privilege, it's a bit of an omission to allow reuse of passwords, parts of username, use of common passwords, passwords of only 7 characters.
If someone wants to secure their Hotmail with such a password that's fine but to have no way (short of AD premium, B2C or dir sync to an on-prem AD most don't have) to set a better standard of password (and after such a length of time/volume of requests) is as negligent as it is irrational.
Thanks for your timely reconsideration of this misguided policy.
Harit Shah commented
We need to have organization to control the minimum password length, for i.e 12 or 16 character minimum.
We need 12 character minimum plus complexity for contractual reasons. Please add in the ability to change password requirements in AAD.
MFA is fine but not all users have a corporate phone and aren’t willing to use their personal phone. Please add in password complexity
Venkat Pai commented
We would like to implement the following in the password complexity at our organisation for office 365 users
Note: Strong Password must
At least one UpperCase letter.
At least one LowerCase letter.
At least one Number.
At least one Special Character # @ % ! ^ * = - + ; . :
At least 8 characters long.
Three or more Consecutive Alphabets or Numbers can not be used in a Password. e.g. 123, abc
Firstname/LastName/Domain Name/Common Password can not be used in a Password.
Andre Fonseca commented
This is VERY IMPORTANT!
Wake up Microsoft!
Greg Virgin commented
+1. This is a fundamental requirement. Temporary passwords should also adhere to the standard.
hello Microsoft, we want to implement the password policy at organisation level for office 365 users, where the organisation owner will defines the password complexity.
some of our clients have their own requirements for password complexity, its strange that we are not able to mirror this with the auto-generate feature, and resort to manually generating the passwords and updating the users password manually.
I have no idea why this isn't a thing. It's ridiculous that you can't set complexity requirements. At the least make what Microsoft sets as the minimum and if you want to make it more complex you can.
Both Microsoft Password Guidance from 2016 (https://www.microsoft.com/en-us/research/wp-content/uploads/2016/06/Microsoft_Password_Guidance-1.pdf) and NIST 2019 (https://pages.nist.gov/800-63-3/sp800-63b.html)
recommend eliminating password complexity or character-composition requirements as well as mandatory periodic password changes. In doing so is important to also implement banned password checking and normalization.
So why does Azure's Self Service Password Reset and or Advanced Password Protection (w/Global Banned Password List checking), force rigid password policies that includes password complexity and forced expiration? Confusing.
Currently we have AD on-prem synched to Azure using Azure Connect, but cannot move forward with further cloud password integration because of the static Azure complex password policies. Furthermore, we have large numbers of on-prem users with FGPP that will be affected by the settings in Azure.
Microsoft, please sort this. Your users need the ability to modify all Azure password policies on their tenant, and to select via group who to apply the Azure Advanced Password Protection to - exempting user groups on-prem where so chosen.
Vic H commented
This is Ludacris. MS please make this a priority!!
100% agree with below:
Absurd that MS can't be bothered with such a fundamental requirement to easily enforce long/complex passwords
Bron Hafner commented
I second this request! We have an on-premise Active Directory setup that synchronizes to Office 365 via the Windows Server Essential role we've installed on our domain controller. For years, I've wanted to have an internal password policy that requires longer passwords that don't need to be complex. While I can force our passwords to be longer, I have never been able to disable the complexity requirement or else we have problems when synchronizing with O365/Azure AD.
Now days, even Microsoft is saying complexity requirements may do more harm than good, so I looked into this again with Microsoft support. But Azure AD still has complexity requirements that can't be changed. I certainly hope that Microsoft makes a change to this to allow Azure length/complexity requirements to be changed for an organization. Otherwise, if one is synchronizing with an internal AD, we are kind of limited to what we can do with our internal AD policy.
Nigel Miller commented
Absurd that MS can't be bothered with such a fundamental requirement to easily enforce long/complex passwords.
Jeff Duthie commented
I totally agree that this is an area Microsoft are lacking in. Our 1000+ seat organisation have had to bolt-on a 3rd party product (nFront) to enforce a stronger password for AD. The Microsoft definition of complex password stands at minimum 8 characters and 3 of either uppercase, lowercase, digits or special characters - meaning Password1 qualifies as complex. nFront has allowed policy rules including prohibiting keyboard sequences, repeated characters, prohibited dictionary words and each reset password on expiry must differ from last password by at least 3 characters. I'd love for Microsoft to provide similar for AD.