This post discusses a critical issue that concerns every organization daily: ensuring the security of its users and applications. It all comes down to security, and specifically to the Azure AD security features covered below.

The default password policy

All cloud-based user accounts are set up with a default password policy that cannot be modified beyond the editable options I will show you in this guide. The default settings for the built-in Azure AD password policy can be found below.

Characters allowed
  • A – Z
  • a – z
  • 0 – 9
  • @ # $ % ^ & * - _ ! + = [ ] { } | \ : ' , . ? / ` ~ " ( ) ; < >
  • Blank space
  • Unicode characters

Password restrictions
  • A minimum of 8 characters and a maximum of 256 characters.
  • Requires three out of four of the following types of characters:
    – Lowercase characters
    – Uppercase characters
    – Numbers (0-9)
    – Symbols (see the allowed characters above)

Password expiry duration (maximum password age)
  • The default value is 90 days. Tenants created after 2021 have no default expiration value.

Password expiry (let passwords never expire)
  • The default value is false, which means passwords do have an expiration date.

Password change history
  • When a user changes a password, the previous password cannot be used again.


Password protection settings

The Azure AD password protection feature allows you to manage your users' password settings and lockout conditions. You can access the Password protection settings by following the path below:

Security > Security | Authentication methods > Authentication methods > Manage > Password protection

Lockout threshold
  • After 10 unsuccessful attempts to sign in with the wrong password, the user's account is locked out. Default value: 10

Lockout duration in seconds
  • The period of time the user stays locked out after 10 failed sign-in attempts. Default value: 60

Custom banned password
  • Custom banned password list: a list of words (one per line) that users are prevented from using in their passwords. The list holds up to 1000 custom banned words.
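To make the policy rules above concrete, here is an added example (not code from the original post or from Microsoft) of a checker that applies the length, allowed-character, three-of-four character class and custom banned word rules from the two tables above. It assumes that only ASCII characters count toward the three-of-four rule and that a plain case-insensitive substring match stands in for the service's own banned-word matching.

```python
import string

# Allowed character set from the default policy table: letters, digits, the
# listed symbols and a blank space; any non-ASCII (Unicode) character is allowed.
SYMBOLS = set("@#$%^&*-_!+=[]{}|\\:',.?/`~\"();<>")
ALLOWED_ASCII = set(string.ascii_letters) | set(string.digits) | SYMBOLS | {" "}
MIN_LEN, MAX_LEN = 8, 256
MAX_BANNED_WORDS = 1000  # size limit of the custom banned password list


def character_classes(password: str) -> set:
    """Return the policy character classes present in the password.
    Assumption: only ASCII characters count toward the three-of-four rule."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lowercase")
        elif ch in string.ascii_uppercase:
            classes.add("uppercase")
        elif ch in string.digits:
            classes.add("number")
        elif ch in SYMBOLS:
            classes.add("symbol")
    return classes


def check_password(password: str, banned_words=()) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    if len(banned_words) > MAX_BANNED_WORDS:
        raise ValueError(f"custom banned list holds at most {MAX_BANNED_WORDS} words")
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length must be between {MIN_LEN} and {MAX_LEN} characters")
    bad = sorted({ch for ch in password if ch.isascii() and ch not in ALLOWED_ASCII})
    if bad:
        problems.append("disallowed characters: " + ", ".join(repr(ch) for ch in bad))
    if len(character_classes(password)) < 3:
        problems.append("needs three of four character types (lower, upper, number, symbol)")
    # Assumption: a plain case-insensitive substring match stands in for the
    # service's own banned-word matching.
    hits = [w for w in banned_words if w.lower() in password.lower()]
    if hits:
        problems.append("contains banned word(s): " + ", ".join(hits))
    return problems


if __name__ == "__main__":
    banned = ["contoso", "password"]  # constructed sample banned list
    for candidate in ["Contoso2023!", "Tr0ub4dor&3", "alllowercase", "Pässwörd1"]:
        print(candidate, "->", check_password(candidate, banned) or "OK")
```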


Azure AD Authentication strength

An authentication strength is a Conditional Access control that specifies which combination of authentication methods must be used to access a resource.

By default, there are three built-in authentication strengths:

  • Multifactor authentication: the combinations that satisfy Require multifactor authentication can also be used.
  • Passwordless MFA: includes methods that satisfy MFA without requiring a password.
  • Phishing-resistant MFA: includes methods that require an interaction between the authentication method and the sign-in surface.

Conditional Access authentication strength

Self-service password reset

Self-service password reset allows users to reset their passwords from their account page without contacting the organization's IT support.
