Password Policy Recommendations conflict with Azure AD settings

Palle Helenius 1 Reputation point
2021-01-13T22:04:06.317+00:00

The article outlines recommendations for password policies that closely follow the modern NIST recommendations.
https://learn.microsoft.com/en-us/microsoft-365/admin/misc/password-policy-recommendations?view=o365-worldwide

This article describes the Password Policy configuration and settings available in Azure AD.
https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy

But these Azure AD settings conflict with the recommendations and are not configurable.

For example, one recommendation is "Don't require character composition requirements"; however, Azure AD requires three out of four of the following:
Lowercase characters.
Uppercase characters.
Numbers (0-9).
Symbols (see the previous password restrictions).

Could someone explain why the recommendations are different from the implementation?


1 answer

  1. James Hamil 22,266 Reputation points Microsoft Employee
    2021-01-14T22:45:11.557+00:00

    Hi @Palle Helenius, Azure AD is requiring 3 out of 4 of the following, but it's not requiring specifically symbols (character composition). If you were to choose lowercase, uppercase, and numbers for your password, then 'symbols/character compositions' become optional/not required.

    The docs are saying the same thing; it's just that Azure AD requires a password to meet 3 out of 4 of those requirements. Additionally, the O365 doc is recommending those password requirements for admins, while Azure AD is requiring it for all users.

    Hope this helps,

    James

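To make the "three out of four" rule in the question and the answer concrete, here is an added illustration (not Microsoft's code and not taken from the linked docs) that evaluates a candidate password against exactly the four character classes listed above. It shows the answer's point that a password with lowercase, uppercase and digits passes without any symbol, and the question's point that a long lowercase-only passphrase of the NIST style fails. The exact symbol set is not listed on this page, so the code assumes symbols are the printable non-alphanumeric ASCII characters; the sample passwords are constructed for the demo.

```python
"""Evaluate the "three out of four character classes" rule described on this page.

Illustrative code only; it is not Microsoft's implementation. The symbol class is
assumed to be printable non-alphanumeric ASCII, because the page does not list it.
"""
import string
from dataclasses import asdict, dataclass

# Assumed symbol set (the page only refers to "the previous password restrictions").
SYMBOLS = frozenset(string.punctuation)


@dataclass(frozen=True)
class ClassReport:
    """Which of the four character classes appear in a password."""
    lowercase: bool
    uppercase: bool
    digits: bool
    symbols: bool

    def classes_present(self) -> int:
        return sum(asdict(self).values())


def character_classes(password: str) -> ClassReport:
    """Classify every character; anything outside the four classes (e.g. non-ASCII) counts for none."""
    chars = set(password)
    return ClassReport(
        lowercase=bool(chars & set(string.ascii_lowercase)),
        uppercase=bool(chars & set(string.ascii_uppercase)),
        digits=bool(chars & set(string.digits)),
        symbols=bool(chars & SYMBOLS),
    )


def meets_three_of_four(password: str) -> bool:
    """True when at least three of the four classes are present, as the page describes."""
    return character_classes(password).classes_present() >= 3


def missing_classes(password: str) -> list[str]:
    """Names of the classes a password lacks, useful for explaining a rejection to a user."""
    return [name for name, present in asdict(character_classes(password)).items() if not present]


if __name__ == "__main__":
    # Constructed sample passwords demonstrating the rule, not real credentials.
    samples = [
        "correcthorsebatterystaple",     # lowercase only: long passphrase, but 1 class -> rejected
        "Correcthorsebatterystaple1",    # lowercase + uppercase + digit, no symbol -> accepted
        "correct-horse-battery-staple",  # lowercase + symbol: 2 classes -> rejected
        "Correct-horse-battery-staple",  # lowercase + uppercase + symbol, no digit -> accepted
    ]
    for pw in samples:
        verdict = "accepted" if meets_three_of_four(pw) else "rejected"
        print(f"{pw!r}: {verdict}; missing classes: {missing_classes(pw)}")
```

The first sample is the crux of the thread: it is the kind of long passphrase the NIST-aligned recommendations favour, yet under the composition rule it fails because only one class is present, while the second sample passes with no symbol at all.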