Azure AD (Cloud Only) PCI 8.2.5 Compliance?

Andres Felipe Mejia Sanchez 21 Reputation points

Hi there. For my company I'm using Azure AD (Cloud Only) for user access control. PCI 8.2.5 says that I have to ensure users cannot reuse their last 4 passwords, but I see that Azure AD (cloud only) only prevents reuse of the last password, not the 4 before.

In addition, when I check the Microsoft PCI AOC it says that this product is PCI compliant, so I do not understand that limitation (configurable password history policy) in the product (Azure AD).

This means that I could be PCI non-compliant because of this Azure AD limitation.

Do you know if there is another way I can be compliant with PCI 8.2.5, or any compensating control?



1 answer

James Westall 161 Reputation points

Hey @Andres Felipe Mejia Sanchez

Unfortunately, the documented password policy limit is to remember the last password only.

There is a UserVoice suggestion for this item here.

For your options to implement other controls, you could do the following. Make sure to discuss with your PCI compliance experts first ;)

Personally, I would suggest going passwordless. I use a YubiKey and Windows Hello for all my sign-ins and the experience is great.

1 person found this answer helpful.
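To make the gap between the PCI 8.2.5 requirement (last 4 passwords blocked) and a one-password history concrete, here is an added example of a compensating-control password-history check; it is not code from the question, the answer, or Microsoft, and it assumes you own a self-service password-change front end that can run this check before forwarding the new password to the identity provider. Only salted PBKDF2 hashes of past passwords are retained, and the sample passwords are constructed for the demo.

```python
import hashlib
import hmac
import os
from collections import deque

PCI_HISTORY_DEPTH = 4   # PCI DSS 8.2.5: block reuse of the last four passwords
CLOUD_ONLY_DEPTH = 1    # depth the answer above says Azure AD cloud-only enforces


class PasswordHistory:
    """Keeps salted PBKDF2 hashes of a user's recent passwords, never the plaintext."""

    def __init__(self, depth: int):
        self.depth = depth
        # (salt, digest) pairs; the deque drops the oldest entry once it is full
        self._entries = deque(maxlen=depth)

    @staticmethod
    def _digest(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

    def is_reused(self, candidate: str) -> bool:
        # Constant-time comparison against every retained hash
        return any(
            hmac.compare_digest(self._digest(candidate, salt), digest)
            for salt, digest in self._entries
        )

    def set_password(self, new_password: str) -> None:
        # Hypothetical hook: call this before forwarding the change to the IdP
        if self.is_reused(new_password):
            raise ValueError(f"password matches one of the last {self.depth} used")
        salt = os.urandom(16)
        self._entries.append((salt, self._digest(new_password, salt)))


def cycle_back_detected(depth: int) -> bool:
    """Rotate through four constructed passwords, then try to return to the first."""
    history = PasswordHistory(depth)
    for pw in ["Spring2021!", "Summer2021!", "Autumn2021!", "Winter2021!"]:
        history.set_password(pw)
    return history.is_reused("Spring2021!")


if __name__ == "__main__":
    print("depth 4 blocks cycling back:", cycle_back_detected(PCI_HISTORY_DEPTH))
    print("depth 1 blocks cycling back:", cycle_back_detected(CLOUD_ONLY_DEPTH))
```

With a depth of 4 the user's first password is rejected on the fifth change; with a depth of 1 it is accepted again, which is exactly the control gap the question describes.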