Guide to Setup Office 365 Password Policy in Azure AD Password Protection.

On Day 23 of Cybersecurity awareness month, learn to implement strong Office 365 password policies and prevent suspicious attacks within your organization. Stay tuned for more blogs in the Cybersecurity blog series. 

Recently, these words have been buzzing around a lot among organizations, 

Company’s user data breached!  

Password theft occurred! 

MFA attacks have increased! 

In these cases, users tended to be broken out in the first step itself, that is while authenticating with PASSWORDS! 

• Does our password system lack security and safety?  
• Does the organization bear responsibility for not implementing the secured password policy?  
• Or is it the users’ fault for having easily breakable and guessable passwords?  

The answer to all the above questions is YES! Most organizations don’t take passwords seriously, and users probably use easy-to-remember passwords. So, there happens the rise of numerous brute-force attacks, password spraying, etc.  

Considering these points, let’s explore where passwords failed and what steps you can implement to keep your password secure online. 

Why do Passwords Fail? 

You have a secret that can ruin your life. It’s not a well-kept secret, either. Just a simple string of characters that can reveal everything about you. 

Yes, absolutely pointing out the passwords! Passwords are intended to protect accounts, but where did they fall short? The best way to explain how to choose a good password is to show how they’re broken. So, let’s look at some weak spots where passwords failed to keep the data secured. 

1. Is Office 365 password expiration policy a good approach? 

Previously, organizations have used Microsoft 365 password expiration policy to enforce strong password practices. Office 365 password expiration policy asks users to update their passwords once every so often. Consequently, frequent password updates made users set weaker, easier-to-guess passwords, which are much easier for hackers to crack. 

 So, Microsoft came forward and demanded users drop the Office 365 password expiration policy. 

2. Hackers’ Entry Point: Easy-to-Remember and Guessable Passwords:  

Avast survey reveals that 83% of Americans are using weak passwords and reusing passwords to protect multiple accounts. Also, Google discovered that over 53% of users have set passwords that include their names, birthdays, and pets’ names. Often, these passwords are easy to find, thus resulting in more password-related breaches. 

3. Sharing is caring doesn’t work here: 

Sharing is caring is best for Office 365 collaboration and integration, but not when it comes to your account security. According to Google, 43% of users have shared their passwords with other users or reused them repeatedly, and some have shared them with other services or alternative email accounts.  

4. Pen and Paper don’t help much with password security:  

Even when people use much stronger passwords that are hard to remember, they fail at one point. The Ponemon Institute survey reports that 42% of IT professionals manage their passwords using sticky notes. Administrators responsible for millions of dollars are managing their passwords with sticky notes. That’s pretty surprising, isn’t it? So, having strong passwords and pasting them down doesn’t work well. 

5. Privileged account failures: 

Here comes the worst! Though Office 365 privileged accounts are the most sensitive, admins don’t take much concern about password security and reuse passwords or share them with fellow admins for use. 

Recommendations to Improve the Office 365 Password Policy

We shouldn’t ask our customers to make a tradeoff between privacy and security. We need to offer them the best of both. Ultimately, protecting someone else’s data protects all of us. 

– Tim Cook 

So, now first things first: It’s the admin’s responsibility to implement a secured password policy system in Microsoft 365. Fortunately, Office 365 has a way of managing and securing your Office 365 passwords. As part of Azure AD, Azure AD password protection prevents users from setting common, weak, or risky passwords. 

1. Default Office 365 Password Policy in Azure AD Password Protection.  

2. Customize the Azure AD Default Password Policy. 

Default Office 365 Password Policy in Azure AD Password Protection: 

Azure AD password protection has a default Azure AD password policy. This primary security measure prevents user identity breaches and increases network security.  

 What is Azure AD Password Protection in Office 365?  

Azure AD password policy applies to all user accounts that are created & managed directly in Azure AD. It describes what a secure password should look like, when it should expire, how many attempts should be made before a lockout occurs, and what can be excluded from the organization’s password policy system. 

Note: Azure AD password policy is applied to cloud-only Office 365 accounts. User accounts synchronized from an on-premises AD environment using Azure AD Connect are not affected by this policy unless you enable using the cmdlet EnforceCloudPasswordPolicyForPasswordSyncedUsers.  

Following are the default Azure AD password policies enabled. Users cannot change these settings. Administrators can modify only a few password settings. 

S.No	PROPERTIES	REQUIREMENTS
1.	Password length	Min – 8 Characters Max – 256 Characters
2.	Characters allowed	1. A – Z  2. a – z  3. 0 – 9  4. @ # $ % ^ & * – _ ! + = [ ] { } | \ : ‘ , . ? / ` ~ ” ( ) ; < >  5. blank space
3.	Characters not allowed	Unicode characters.
4.	Restrictions for passwords.	Should satisfy three out of the four of the following:  1.Lowercase characters.  2. Uppercase characters.  3. Numbers (0-9).  4. Symbols (Refer to the previous password character usage restrictions).
5.	Default password expiration.	Default count: 90 days  Admins can change the default range– 1. PowerShell: Set-MsolPasswordPolicy -ValidityPeriod 60 -DomainName <DomainName>  2. Office 365 Admin Center: Included a detailed description below. Click here to view.
6.	Password expiry notification.	Default count: 14 days before the password expires.  Admins can change the default range: Using the Set-MsolPasswordPolicy cmdlet, admins can modify the value. Set-MsolPasswordPolicy -ValidityPeriod 90 -NotificationDays 15 -DomainName <DomainName>
7.	Password never expires. (Recommended setting by Microsoft)	Default: False (Not set)  Admins can change the default value: Using the Set-MsolUser cmdlet, admins can configure individual user accounts.
8.	Password change history.	Last password cannot be used again when the user changes the password. (Will show error if attempted)
9.	Password reset history.	The last password can be used, if the user tries to reset the forgotten password.
10.	Account lockout threshold.	After 10 continuous failed login attempts, the account locks. (For detailed information – click here to view)
11.	Account lockout duration.	It will be locked for 60 seconds. (Increases based on future login attempts)

Customize Azure AD Default Password Policy: 

Now, let’s take a closer look at the detailed steps to update the following properties in this section.  

1. Set password to never expire in Office 365 admin center. 
2. Manage the Azure AD smart lockout values. 

Manage Password Expiration Policy in Office 365 Admin Center:

1. Open the Microsoft 365 admin center and select Settings –> Org Settings.   

2. Then, click Security and Privacy tab at the top. (Only the Azure AD global admins can see this tab.)   

3. From the Security and Privacy tab, select the Password expiration policy.    

• Initially, admins might have set a specific day for password expiration. ‘Set passwords to never expire’ can be checked if you want your Office 365 user’s passwords to never expire. 

Manage the Azure AD Smart Lockout Values: 

Integrating Azure AD Password Protection and Smart Lockout into existing security measures within an organization will strengthen its security mechanisms. By default, the smart lockout option is always enabled. Also, an Azure AD Premium P1 or P2 license is required to update lockout threshold values and durations.  

The smart lockout system prevents hackers from guessing passwords by using cloud intelligence. With this intelligence, attackers and other unknown sources can be differentiated from legitimate sign-ins. Therefore, the smart lockout prevents attackers from accessing your accounts while letting your users log in. Furthermore, if a password is entered too many times incorrectly, the credentials can no longer log in, thereby reducing the opportunities for an attacker to access the user accounts. 

Follow the steps below to manage the Azure AD smart lockout values:  

1. Open the Azure portal.  

2. Then navigate the path: Azure Active Directory –> Security (Under manage section) –> Authentication methods (Under manage section) –> Password Protection (Under manage section).  

3. Now, set the Lockout threshold. It indicates how many failed sign-in attempts an account can have before its first lockout occurs. (Setting a threshold of 5 or less might allow you to detect suspicious attacks earlier.) 

4. Next, set the Lockout duration. (Default is 60 seconds)  

Note: The lockout duration increases gradually if an account locks out repeatedly.  

As soon as the smart lockout threshold is reached, you’ll see this error message:   

Your account is temporarily locked to prevent unauthorized use. Try again later, and if you still have trouble, contact your admin. 

Reduce Weak Passwords with Azure AD Password Protection 

Considering the following guidelines will help you develop a strong password policy suitable for your organization.   

Guidelines for Office 365 Password Complexity: 

1. The first and foremost step that is to be carried out is educating your users. Make sure your users use different passwords for work and personal accounts.  

2. Users shouldn’t be forced to change their passwords frequently.  

3. Prevent users from re-using old passwords. 

• By default, Office 365 cloud-only users cannot re-use their last password when changing it.  
• If users are synchronized from the on-premises AD, then you can prevent them from re-using passwords by creating a custom password policy.   

4. Enable and configure multi-factor authentication across your organization.  

5. Ban custom passwords in Azure AD password protection to prevent users from using guessable passwords. (Available only in Azure AD Premium P1 or P2 license)  

6. Guide users to limit password exposure: 

Normally, user re-uses the same passwords for multiple services and personal applications if they stick with a strong and convenient password. 

However, this is the riskiest! When hackers get access to one service, they tend to exploit all other user-related services as well. Therefore, using organization passwords on external websites can substantially increase password compromise. So, it is advisable to have a unique password for each account/service. Even if your account is hacked, an attacker won’t be able to access the other services. 

Finally, now it’s time to wrap things up! Hopefully, we’ve covered the secured password strategy and ways to implement the password policy in great detail.  

Authentication is similar to a lock; nobody gets in without keys 

So, get started now, implement the strongest password strategies, and encrypt your entry keys!