Password policy in Azure AD

Updated: June 8, 2015

Applies To: Azure, Office 365, Windows Intune

Note

This topic provides online help content for cloud services, such as Microsoft Intune and Office 365, which rely on Microsoft Azure Active Directory for identity and directory services.

This topic describes the various password policies and complexity requirements associated with the user accounts stored in your Azure AD tenant.

UserPrincipalName policies that apply to all user accounts

Every user account that needs to sign in to the Azure AD authentication system must have a unique user principal name (UPN) attribute value associated with that account. The following table outlines the policies that apply to both on-premises Active Directory-sourced user accounts (synced to the cloud) and to cloud-only user accounts.

Property

UserPrincipalName requirements

Characters allowed

  • A – Z

  • a – z

  • 0 – 9

  • . - _ ! # ^ ~

Characters disallowed

  • @

  • Cannot contain a dot character '.' immediately preceding the '@' symbol

Length constraints

  • Total length must not exceed 113 characters

    • 64 characters before the ‘@’ symbol

    • 48 characters after the ‘@’ symbol
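
The rules in this table can be checked in bulk before accounts are created or synchronized. The following PowerShell function is an added example, not Microsoft's code: the name Test-UpnPolicy and the sample UPNs are constructed for illustration, and it assumes that exactly one '@' separates the user name from the domain and that the allowed character set applies on both sides of it.

```powershell
# Added example: report every UPN rule from the table that a value breaks.
function Test-UpnPolicy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Upn
    )
    process {
        $problems = [System.Collections.Generic.List[string]]::new()

        # Length constraint: total length must not exceed 113 characters.
        if ($Upn.Length -gt 113) { $problems.Add('total length exceeds 113 characters') }

        # Assumption: exactly one '@' separates the user name from the domain.
        $parts = $Upn -split '@'
        if ($parts.Count -ne 2) {
            $problems.Add("expected exactly one '@', found $($parts.Count - 1)")
        }
        else {
            $prefix, $domain = $parts
            if ($prefix.Length -eq 0 -or $domain.Length -eq 0) { $problems.Add("empty part next to '@'") }
            if ($prefix.Length -gt 64) { $problems.Add("more than 64 characters before '@'") }
            if ($domain.Length -gt 48) { $problems.Add("more than 48 characters after '@'") }
            if ($prefix.EndsWith('.')) { $problems.Add("dot immediately preceding '@'") }
        }

        # Allowed set from the table: A-Z a-z 0-9 . - _ ! # ^ ~ ('@' is handled above).
        $bad = @([regex]::Matches($Upn, '[^A-Za-z0-9.\-_!#^~@]') |
            ForEach-Object { "'$($_.Value)'" } | Select-Object -Unique)
        if ($bad.Count -gt 0) { $problems.Add('disallowed characters: ' + ($bad -join ', ')) }

        [pscustomobject]@{
            Upn      = $Upn
            Valid    = ($problems.Count -eq 0)
            Problems = ($problems -join '; ')
        }
    }
}

# Constructed sample values, one per rule in the table.
$samples = @(
    'alice.smith@contoso.com',                 # meets every rule
    'bob.@contoso.com',                        # dot immediately before '@'
    'carol smith@contoso.com',                 # space is not in the allowed set
    'dave@sales@contoso.com',                  # more than one '@'
    ('e' * 65) + '@contoso.com'                # user name part longer than 64
)
$samples | Test-UpnPolicy | Format-List
```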

Password policies that apply only to cloud user accounts

The following table describes the available password policy settings that can be applied to user accounts that are created and managed in Azure AD.

Property Standard strength passwords Strong passwords

Characters allowed

  • A – Z

  • a – z

  • 0 – 9

  • @ # $ % ^ & * - _  + = [ ] { } | \ : ‘ , . ? / ` ~ “ ( ) ;

Characters disallowed

Standard strength passwords:

  • Unicode characters

  • spaces

Strong passwords:

  • Unicode characters

  • spaces

  • Cannot contain a dot character '.' immediately preceding the '@' symbol

Password restrictions

Standard strength passwords:

  • 8 characters minimum and 16 characters maximum

Strong passwords:

  • 8 characters minimum and 16 characters maximum

  • Requires 3 out of 4 of the following:

    • Lowercase characters

    • Uppercase characters

    • Numbers (0-9)

    • Symbols (see password restrictions above)

Password expiry duration

Default value: 90 days

Value is configurable using the Set-MsolPasswordPolicy cmdlet from the Azure Active Directory Module for Windows PowerShell.

Password expiry notification

Default value: 14 days (before password expires)

Value is configurable using the Set-MsolPasswordPolicy cmdlet.

Password Expiry

Default value: false (indicates that password expiry is enabled)

Value can be configured for individual user accounts using the Set-MsolUser cmdlet. See Set a password to never expire for instructions.

Password history

Last password cannot be used again.

Password history duration

Forever

Account Lockout

After 10 unsuccessful logon attempts (wrong password), the user will need to solve a CAPTCHA dialog as part of logon.

After a further 10 unsuccessful logon attempts (wrong password) and correct solving of the CAPTCHA dialog, the user will be locked out for a time period. Further incorrect passwords will result in an exponential increase in the lockout time period.

See Also

Concepts

Manage Azure AD using Windows PowerShell