Combined password policy and check for weak passwords in Azure Active Directory

Beginning in October 2021, Azure Active Directory (Azure AD) validation for compliance with password policies also includes a check for known weak passwords and their variants. This topic explains details about the password policy criteria checked by Azure AD.

Azure AD password policies

A password policy is applied to all user and admin accounts that are created and managed directly in Azure AD. You can ban weak passwords and define parameters to lock out an account after repeated bad password attempts. Other password policy settings can't be modified.

The Azure AD password policy doesn't apply to user accounts synchronized from an on-premises AD DS environment using Azure AD Connect unless you enable EnforceCloudPasswordPolicyForPasswordSyncedUsers.

The following Azure AD password policy requirements apply for all passwords that are created, changed, or reset in Azure AD. Requirements are applied during user provisioning, password change, and password reset flows. You can't change these settings except as noted.

Property Requirements
Characters allowed
  • Uppercase characters (A - Z)
  • Lowercase characters (a - z)
  • Numbers (0 - 9)
  • Symbols: @ # $ % ^ & * - _ ! + = [ ] { } | \ : ' , . ? / ` ~ " ( ) ; < >
  • Blank space
Characters not allowed
  • Unicode characters
Password length
  • A minimum of eight characters
  • A maximum of 256 characters
Password complexity
  • Passwords require three out of four of the following categories: uppercase characters, lowercase characters, numbers, symbols.
  • Note: The password complexity check isn't required for Education tenants.
Password not recently used
  • When a user changes their password, the new password can't be the same as the current or recently used passwords.
Password isn't banned by Azure AD Password Protection
  • The password can't be on the global list of banned passwords for Azure AD Password Protection, or on the customizable list of banned passwords specific to your organization.
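The following is an added example, not Microsoft code, that applies the policy criteria listed above (allowed character set, 8 to 256 length, three of four categories, and a banned-list lookup) to a candidate password so that a pre-check in a provisioning script reports the same violations Azure AD would. The custom banned list is constructed for the example; the banned-list match is a plain case-insensitive comparison and does not reproduce the variant matching that Azure AD Password Protection performs.

```python
import string

# Symbol set copied from the policy table above; a blank space is also allowed.
ALLOWED_SYMBOLS = set("@#$%^&*-_!+=[]{}|\\:',.?/`~\"();<>") | {" "}
MIN_LENGTH, MAX_LENGTH = 8, 256

# Constructed sample of a tenant's custom banned list (not the global list).
CUSTOM_BANNED = {"contoso", "contoso2021", "welcome1"}


def check_cloud_password(password, custom_banned=CUSTOM_BANNED, education_tenant=False):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []

    if not MIN_LENGTH <= len(password) <= MAX_LENGTH:
        problems.append(f"length must be {MIN_LENGTH}-{MAX_LENGTH} characters")

    # Every character must be an ASCII letter, a digit, or a listed symbol;
    # anything else (including Unicode letters) is not allowed.
    disallowed = {c for c in password
                  if c not in string.ascii_letters
                  and c not in string.digits
                  and c not in ALLOWED_SYMBOLS}
    if disallowed:
        problems.append("disallowed characters: " + "".join(sorted(disallowed)))

    # Complexity: three of the four categories, skipped for Education tenants.
    categories = sum([
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.digits for c in password),
        any(c in ALLOWED_SYMBOLS for c in password),
    ])
    if not education_tenant and categories < 3:
        problems.append(f"only {categories} of 4 character categories used (need 3)")

    # Simplified banned-list check: exact, case-insensitive match only.
    if password.lower() in custom_banned:
        problems.append("password is on the custom banned list")

    return problems
```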

Password expiration policies

Password expiration policies are unchanged but they're included in this topic for completeness. A Global Administrator or User Administrator can use the Microsoft Azure AD Module for Windows PowerShell to set user passwords not to expire.

Note

By default, only passwords for user accounts that aren't synchronized through Azure AD Connect can be configured to not expire. For more information about directory synchronization, see Connect AD with Azure AD.

You can also use PowerShell to remove the never-expires configuration, or to see user passwords that are set to never expire.

The following expiration requirements apply to other providers that use Azure AD for identity and directory services, such as Microsoft Intune and Microsoft 365.

Property Requirements
Password expiry duration (Maximum password age)
  • Default value: 90 days.
  • The value is configurable by using the Set-MsolPasswordPolicy cmdlet from the Azure Active Directory Module for Windows PowerShell.
Password expiry notification (When users are notified of password expiration)
  • Default value: 14 days (before password expires).
  • The value is configurable by using the Set-MsolPasswordPolicy cmdlet.
Password expiry (Let passwords never expire)
  • Default value: false (indicates that passwords have an expiration date).
  • The value can be configured for individual user accounts by using the Set-MsolUser cmdlet.
