Hi @Alan Auld
Thank you for reaching out to us!
I understand that you would like to know about the password policies of Entra ID.
In Microsoft Entra ID, the default password complexity requirements are fixed and cannot be customized.
The reason for these fixed requirements is to maintain a balance between security and usability across all users and environments.
The password policy that applies depends on the type of user account you have.
For cloud-only users, SSPR stores the new password in Microsoft Entra ID. In this case, the predefined password policy for Microsoft Entra ID will apply.
For hybrid users, SSPR writes back the password to the on-premises Active Directory via the Azure AD Connect service. If you have a custom password policy in your on-premises Active Directory, that policy will apply to the password that is written back from Microsoft Entra ID.
If a password change meets on-premises requirements but fails to meet cloud requirements, the password change succeeds if password hash synchronization is enabled. For example, if the new password includes a Unicode character, the password change can be updated on-premises but not in the cloud.
Reference: https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-policy#risk-based-password-reset-policy-limitations
https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-policy
Hope this helps. Do let us know if you have any further queries by responding in the comments section.
Thanks,
Akhilesh.
If this answers your query, do click "Accept Answer" and "Yes" for "Was this answer helpful". And if you have any further queries, do let us know.