This post discusses a critical issue that is of daily concern for every organization that wants to ensure the security of users and applications. It all comes down to security and specifically Azure AD security features.
The default password policy
All cloud-based user accounts are set up with a default password policy that cannot be modified beyond the editable options I will show you in this guide. The default settings for the built-in Azure AD password policy can be found below.
| Property | Requirements |
|---|---|
| Characters allowed | A-Z, a-z, 0-9, the symbols @ # $ % ^ & * - _ ! + = [ ] { } \| \ : ' , . ? / ` ~ " ( ) ; < > and the blank space |
| Unicode characters | Unicode characters are allowed |
| Password restrictions | A minimum of 8 characters and a maximum of 256 characters. Requires three out of four of the following character types: lowercase characters, uppercase characters, numbers (0-9), symbols (see the allowed characters above) |
| Password expiry duration (maximum password age) | The default value is 90 days. There is no default expiration value if the tenant was created after 2021. |
| Password expiry (let passwords never expire) | The default value is false, which means that passwords do expire. |
| Password change history | When a user changes a password, the previous password cannot be used again. |
Password protection settings
The Azure AD password protection feature allows you to manage your users' password settings and lockout conditions. You can access the Password protection settings by following the path below:
Security > Security | Authentication methods > Authentication methods > Manage > Password protection
| Setting | Description | Default value |
|---|---|---|
| Lockout threshold | After 10 unsuccessful sign-in attempts with the wrong password, the user's account is locked out. | 10 |
| Lockout duration in seconds | The period of time the user stays locked out after the failed sign-in attempts. | 60 |
| Custom banned password list | You can add a list of words (one per line) that users are prevented from using in their passwords. The list holds up to 1000 custom banned words. | |
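To make the default policy and the custom banned password list concrete, here is an added example (not code from the post or from Microsoft) that checks a candidate password against the rules in the two tables above: the 8 to 256 character length, the allowed character set, the three-of-four character classes, and a custom banned word list. The banned-word check is a plain case-insensitive substring match, which is an assumption of this example; Azure AD's real evaluation is not reproduced here.

```python
import string

# Allowed ASCII characters, taken from the default policy table above. The same
# table says Unicode characters are also allowed, so non-ASCII characters are
# never rejected here; they are also not counted towards any character class
# (assumption of this example).
ALLOWED_ASCII = set(
    string.ascii_letters + string.digits + "@#$%^&*-_!+=[]{}|\\:',.?/`~\"();<> "
)
MIN_LEN, MAX_LEN = 8, 256  # password restrictions from the table


def character_classes(password: str) -> set:
    """Return which of the four character classes the password contains."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        elif ch in ALLOWED_ASCII:  # remaining allowed ASCII, including space
            classes.add("symbol")
    return classes


def check_password(password: str, banned_words=()) -> list:
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(password) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    # Only ASCII characters outside the allowed set (e.g. control characters) fail.
    bad = sorted({ch for ch in password if ch.isascii() and ch not in ALLOWED_ASCII})
    if bad:
        problems.append("disallowed characters: " + "".join(bad))
    classes = character_classes(password)
    if len(classes) < 3:
        problems.append(
            f"only {len(classes)} of 4 character classes ({', '.join(sorted(classes))})"
        )
    # Simplified custom banned list check: case-insensitive substring match.
    hits = [w for w in banned_words if w.lower() in password.lower()]
    if hits:
        problems.append("contains banned word(s): " + ", ".join(hits))
    return problems


if __name__ == "__main__":
    # Constructed sample: a tenant name on the custom banned list.
    print(check_password("Contoso2023!", ["contoso"]))
```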
Azure AD Authentication strength
An authentication strength is a combination of authentication methods, applied as a Conditional Access control, that can be used to control access to a resource.
By default, there are three built-in authentication strengths:
- Multifactor authentication: combinations that satisfy Require multifactor authentication can also be used.
- Passwordless MFA: includes methods that satisfy MFA without requiring a password.
- Phishing-resistant MFA: includes authentication methods that require interaction with the sign-in surface.
Conditional Access authentication strength
Self-service password reset
Self-service password reset allows users to reset their passwords without contacting organization IT support by accessing their account page from this link.