Disable password complexity requirements as per Memorandum M-22-09?

ToffenDask 1 Reputation point

The US Federal Government’s Office of Management and Budget (OMB) Memorandum M-22-09 mandates "the removal of the requirement for special characters and numbers" in password policy. Azure AD still requires passwords to include three out of the four character classes - is there any way around this?

Microsoft Entra ID

1 answer

  1. James Hamil 22,186 Reputation points Microsoft Employee

    Hi @ToffenDask ,

    For CBA, we should now start with Azure AD CBA (Preview) as opposed to the documentation on the legacy pattern with ADFS.

    For disabling password complexity, this can be accomplished with Graph/PowerShell.

    We didn’t likely add this level of detail for IA-05(1) within the context of FedRAMP docs as NIST 800-63B language was softer than M-22-09 (“No other complexity requirements for memorized secrets SHOULD be imposed.”)

    Please let me know if you have any questions.

    If this answer helped you please mark it as "Verified" so other users can reference it.

    Thank you,

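The answer above says this is done through Graph/PowerShell without showing how. The following is an added example, not code from the answer or from Microsoft's documentation. It uses the Microsoft Graph PowerShell SDK and the `passwordPolicies` user property, whose `DisableStrongPassword` value relaxes the cloud complexity rule for that one account. The UPN `user@example.com` is a placeholder, and the assumption is that the `User.ReadWrite.All` scope is sufficient for the write. It audits first, which is what a reviewer of an M-22-09 change would want to see, then changes a single user while preserving any expiration setting already on the account.

```powershell
# Added example: per-user complexity relaxation in Entra ID via Microsoft Graph PowerShell.
# Assumption: User.ReadWrite.All is enough for Update-MgUser on the target account.
Connect-MgGraph -Scopes "User.ReadWrite.All"

# 1. Audit: list every user that already carries a relaxed complexity policy,
#    so the change can be reviewed against the population it applies to.
function Get-RelaxedComplexityUsers {
    Get-MgUser -All -Property "UserPrincipalName,PasswordPolicies" |
        Where-Object { $_.PasswordPolicies -match "DisableStrongPassword" } |
        Select-Object UserPrincipalName, PasswordPolicies
}

# 2. Change one account, keeping any DisablePasswordExpiration flag it already has.
function Set-RelaxedComplexity {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    $user = Get-MgUser -UserId $UserPrincipalName -Property "Id,PasswordPolicies"

    # passwordPolicies is a comma-separated string, or "None"/empty when nothing is set.
    $flags = @()
    if ($user.PasswordPolicies -and $user.PasswordPolicies -ne "None") {
        $flags = $user.PasswordPolicies -split "\s*,\s*"
    }
    if ($flags -notcontains "DisableStrongPassword") {
        $flags += "DisableStrongPassword"
    }

    Update-MgUser -UserId $user.Id -PasswordPolicies ($flags -join ", ")

    # Read back so the caller sees the effective value, not just the intended one.
    (Get-MgUser -UserId $user.Id -Property "PasswordPolicies").PasswordPolicies
}

Get-RelaxedComplexityUsers
Set-RelaxedComplexity -UserPrincipalName "user@example.com"   # placeholder UPN
```

Two points worth keeping in mind when applying this: the flag is per user, so a tenant-wide rollout means iterating over the audited population rather than flipping a global switch, and it only governs cloud-managed passwords; accounts whose passwords originate in an on-premises domain still get their complexity rules from that domain's policy, which has to be changed there.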