Setting up Office 365 password policy & notifications guide
Over the past few years, network security has become a top priority for most companies. One of the first steps a business takes to secure data stored in the cloud is defining a password strategy, and for a long time a password expiration policy was the industry's go-to control.
The Office 365 service suite has been no exception. Every few months, Office 365 would ask users to update their passwords as part of the Office 365 password expiration policy. The idea was that a frequently changed password limits the damage from a leak and discourages obvious choices. But, considering the technological advances of the past few years, it is worth asking whether password expiration is still relevant.
The cybersecurity field has been looking closely at this question, and the debate intensified when the Microsoft security team publicly dropped the password expiration requirement from its security baselines. Their reasoning: forcing users to change credentials too often pushes them toward simpler and simpler passwords, which are easy to predict and crack.
Their main argument was that password expiration policies drive people (end users and professionals alike) into bad password habits rather than making organizations safer. People already tend to pick easy and predictable passwords. Adding the pressure of frequent changes makes them even easier to guess, because in practice the "new" password is the old one with a 1, 2 or 3 appended.
Overview of the Office 365 Password Policy: password length, complexity, expiry duration
The Office 365 password policy requires users to choose a password with enough complexity to be considered safe. The policy consists of three primary elements:
- Password length. Microsoft's guidance is to maintain an 8-character minimum (longer isn't necessarily better): requirements much above about 10 characters tend to push users toward predictable words and repeated characters just to fill the length.
- Password complexity. Strong passwords mix uppercase and lowercase letters (a-z, A-Z), digits (0-9) and non-alphanumeric symbols (such as !, @, #, _, -). They should not include user names, birth dates or other personal details, which are the first things an attacker tries.
- Password expiry duration. Historically this has been 90 days by default; you can change the number of days or set passwords never to expire. Microsoft has changed the default for newly created tenants over time, so check the current value in your own tenant rather than assuming 90 days.
Through Azure AD Password Protection, Microsoft adds a banned-word check to every password change. There are two layers to the solution, with different licensing:
- Global banned password list. Microsoft maintains a list of commonly used and compromised passwords and blocks passwords that match or closely resemble its entries. Microsoft has not disclosed the list's contents. It applies free of charge to cloud-only users, but enforcing it for users synchronized from on-premises AD DS (through the Password Protection agent on domain controllers) requires Azure AD Premium P1 or P2.
- Custom banned password list. Available only with Azure AD Premium P1 or P2, this lets you block an organization-specific list of words (company name, product names, local place names) from appearing in user passwords.
Changing Office 365 Password
As mentioned above, when password expiration is enabled for your tenant you will be told that your password has expired the next time you sign in.
When changing your Office 365 password, the following rules apply:
1. The new password must have a minimum of 8 characters and must not exceed 256 characters.
2. It must contain at least three of the following four character types:
- Lowercase characters
- Uppercase characters
- Numbers (0-9)
- Symbols such as: ! @ # $ % ^ & * - _ + = [ ] { } | : ' , . ? / ` ~ " < > ( ) ;
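As an added example (not code from the original guide), the following PowerShell function checks a candidate password against the cloud-account rules above: 8 to 256 characters and at least three of the four character classes. The sample passwords and the jdoe@contoso.com account are constructed for the demonstration, and the account-name check reflects the guide's advice rather than a platform rule.

```powershell
# Added example (not from the original guide): check a candidate password
# against the cloud-account rules listed above. Run locally; never log passwords.
function Test-CloudPasswordPolicy {
    param(
        [Parameter(Mandatory)][string]$Password,
        [string]$UserPrincipalName = ''   # optional: reject passwords containing the account alias
    )
    $reasons = New-Object System.Collections.Generic.List[string]

    if ($Password.Length -lt 8)   { $reasons.Add('shorter than 8 characters') }
    if ($Password.Length -gt 256) { $reasons.Add('longer than 256 characters') }

    # The four character classes; at least three must be present.
    $classes = @{
        Lowercase = ($Password -cmatch '[a-z]')
        Uppercase = ($Password -cmatch '[A-Z]')
        Digit     = ($Password -match '[0-9]')
        Symbol    = ($Password -match '[^a-zA-Z0-9]')   # anything else, e.g. ! @ # _ -
    }
    $classCount = @($classes.Values | Where-Object { $_ }).Count
    if ($classCount -lt 3) { $reasons.Add("only $classCount of 4 character classes") }

    # Guide's advice, not a platform rule: no account name inside the password.
    if ($UserPrincipalName) {
        $alias = ($UserPrincipalName -split '@')[0]
        if ($alias.Length -ge 3 -and $Password -like "*$alias*") {
            $reasons.Add('contains the account alias')
        }
    }

    [pscustomobject]@{
        Length    = $Password.Length
        Classes   = $classCount
        Compliant = ($reasons.Count -eq 0)
        Reasons   = ($reasons -join '; ')
    }
}

# Constructed sample inputs (hypothetical user jdoe@contoso.com)
'Summer2023', 'Tr0ub4dor&3', 'short1!', 'jdoe-Winter#2024' | ForEach-Object {
    Test-CloudPasswordPolicy -Password $_ -UserPrincipalName 'jdoe@contoso.com'
} | Format-Table -AutoSize
```

Note that Summer2023 passes the complexity rule with three classes and ten characters, which is exactly why the rule alone is not enough: it is the kind of seasonal password the global banned password list rejects and password-spray attacks try first.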
When should passwords be changed?
Certain circumstances require you to change your password immediately:
- If you believe your password has been stolen. In this case, also change it on every other account where you used the same password.
- If you gave your password to a colleague or friend (credentials should never be shared in the first place).
- If you saw someone watching as you typed your password.
- If you believe you might have just entered your password on a phishing website.
- If the password you are currently using is weak.
Whatever the reason for the change, select a new password that is completely unrelated to the old one, and do not reuse a password from another account.
How to do an Office 365 Self-Service Password Reset
What should you do if you have forgotten your password?
The Azure Active Directory (Azure AD) self-service password reset (SSPR) feature lets users change or reset their password without involving an administrator.
For self-service password reset to work, users must have registered verification methods in advance. Depending on how your administrator has configured SSPR, some of these methods may not be available. You can reset your password using:
- email address
- text message
- phone number
- security questions
- notification from your authenticator app
- code from your authenticator app
Note that administrators are not allowed to use security questions to reset their passwords, so they will not see that option.
Here are the steps users take to register their verification methods:
- While signed in to Office 365, select your name in the upper right corner and go to View Account > Security Info.
- Select Add Method and make sure your additional contact information, such as alternate email address and phone number, is entered correctly. If not, this is the time to fix it.
If a user's account is locked out, or the user has simply forgotten the password, resetting it takes a few steps:
- On the sign-in page, when prompted for a password, click Forgot my password.
- You will be redirected to the Get back into your account screen. Type your email or username, enter the characters shown in the box to prove you are not a robot, and select Next.
- Pick one of the available methods to verify your identity and set a new password.
- You can now sign in with the new password.
Office 365 administrators are enabled for self-service password reset by default, and an admin password reset always requires a two-gate policy (two different verification methods, with security questions not allowed). If you are an admin and have forgotten your password, follow the Forgot my password steps above. If you still cannot sign in, ask another global admin in your organization to reset your password, or contact Microsoft Support.
In a hybrid AD environment where self-service password reset and password writeback are both enabled, users can change their own password from either the cloud or on-premises AD, and the change is written back to on-premises AD. If a user cannot change their own password for some reason, an AD or Azure AD admin can set a temporary password. If password writeback is not enabled, the password of a synchronized user can only be changed in the on-premises environment, whether by the user or by an admin.
What are Successful Office 365 Password Patterns
Here is a list of recommendations you can implement within your enterprise to foster better password hygiene.
Ban common passwords
Such passwords come in all shapes and sizes and are still surprisingly common. Banning them should be your primary requirement when users create passwords, because they are the first guesses in password-spray and brute-force attacks. Typical examples are abcdefg, password, monkey and qwerty.
Encourage users not to re-use organization passwords anywhere else
It is human to reuse the same password for different kinds of credentials, especially once you have found a strong one that is easy to remember. However, this is one of the most important messages to get across in your business: using organization passwords on external websites significantly increases the likelihood that a breach of one of those sites hands an attacker a working password for your organization.
Enforce Multi-Factor Authentication registration
Start by ensuring that your users keep their contact and security information up to date (an alternate email address, a current phone number, or a device registered for push notifications); that information is what lets you add a second factor to any login. Encouraging, or better enforcing, multi-factor authentication lets your users respond quickly to security challenges and be notified of security events.
With multi-factor authentication, the user must provide two or more different types of proof of control associated with a digital identity, which makes it far harder for anyone but the legitimate account owner to sign in.
This helps users verify their identity if they ever forget their password, adds an extra hurdle for anyone trying to take over the account, and provides an out-of-band notification channel for security events such as unfamiliar sign-in attempts or password changes. To learn more, read about how to set up multi-factor authentication.
Enable risk-based multi-factor authentication
Conditional Access is a feature of Azure Active Directory that lets admins assign a policy across Office 365. Conditional Access policies are essentially if-then statements: when a user wants to access a resource, they must complete an action first. Not all applications require the same level of security, though. Consider a payroll manager who has to access the payroll application and an employee working in the company cafeteria: the first can be required to complete MFA, while the latter needs no additional step. With Azure AD Identity Protection (Premium P2), the condition can also be the sign-in risk itself, so MFA is demanded only when a sign-in looks anomalous.
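Here is how the payroll example above translates into a Conditional Access policy, written as an added example with the Microsoft Graph PowerShell SDK (this is not code from the original guide). The application ID, group ID, emergency-access account ID and policy name are placeholders you would replace with your tenant's values.

```powershell
# Added example (not from the original guide): a Conditional Access policy
# that requires MFA only for the payroll application, and only for members
# of the payroll group. All IDs below are hypothetical placeholders.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

$payrollAppId   = '11111111-1111-1111-1111-111111111111'   # hypothetical: payroll app (application/client ID)
$payrollGroupId = '22222222-2222-2222-2222-222222222222'   # hypothetical: "Payroll staff" group object ID
$breakGlassUser = '33333333-3333-3333-3333-333333333333'   # hypothetical: emergency-access account, always excluded

$policy = @{
    displayName = 'CA - Require MFA for payroll application'
    # Start in report-only mode, review the sign-in logs, then switch to 'enabled'.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeGroups = @($payrollGroupId)
            excludeUsers  = @($breakGlassUser)
        }
        applications = @{
            includeApplications = @($payrollAppId)
        }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy '$($created.DisplayName)' ($($created.Id)) in state $($created.State)"

# The cafeteria employee from the text is untouched: they are not in the
# group, and the policy is scoped to the payroll application anyway.
```

Two practitioner habits are built in: the policy is created in report-only mode so you can confirm in the sign-in logs who would have been challenged before enforcing it, and the emergency-access account is excluded so a misconfigured policy can never lock every admin out.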
Understanding Office 365 Password Recommendations
Keep a few goals in mind when choosing a new password:
- Resisting common attacks: this covers everything from educating users on where to enter passwords (trusted devices with good malware detection, legitimate websites) to choosing a password that cannot be guessed.
- Containing successful attacks: the second goal is limiting exposure. A unique password for each account ensures that if one service is breached, the attacker cannot use the same password to reach the others.
- Understanding human nature: length, character and change requirements all push users toward predictable patterns, which makes passwords easier to guess or crack.
How to Control Office 365 Users’ Password Expiration Policy
Office 365 accounts have historically had a default password expiration policy of 90 days. If you do not want your users to reset their passwords on a schedule, you need to change the password expiration policy. Although you can set passwords to expire, it is not recommended because, as discussed above, it does more harm than good and actually increases your risk exposure.
You can manage the password expiration policy in the Office 365 admin center. Here is how:
- Step 1: Go to the Office 365 admin center.
- Step 2: Go to Settings > Org settings. You will only see this option if you are an Office 365 global admin.
- Step 3: Open the Security & privacy tab.
- Step 4: Select Password expiration policy.
- Step 5: To turn expiration off, clear the box next to Set user passwords to expire after a number of days.
- Step 6: If you want passwords to expire, leave Set user passwords to expire after a number of days selected and adjust the following:
- 6. a) In the first box, type how often passwords should expire, between 14 and 730 days.
- 6. b) In the second box, choose how many days before expiration users are notified, between 1 and 30.
- Step 7: Click Save.
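The same setting can be applied from PowerShell, which is also the way to inspect or set it per verified domain. The following is an added example using the Microsoft Graph PowerShell SDK (not code from the original guide); contoso.com and the day values are assumptions.

```powershell
# Added example (not from the original guide): manage the password expiration
# policy per domain with Microsoft Graph PowerShell.
# Assumptions: the domain name and the day values below.
Connect-MgGraph -Scopes 'Domain.ReadWrite.All'

$domain = 'contoso.com'   # hypothetical verified domain

# Turn expiration off. 2147483647 (Int32.MaxValue) is the "never expire"
# value; the notification window must still be within 1-30 days.
Update-MgDomain -DomainId $domain `
    -PasswordValidityPeriodInDays 2147483647 `
    -PasswordNotificationWindowInDays 14

# Or keep a rotation policy (14-730 days) with a 14-day warning window:
# Update-MgDomain -DomainId $domain -PasswordValidityPeriodInDays 90 -PasswordNotificationWindowInDays 14

# Verify the result across every verified domain in the tenant, since a
# domain left at a different value silently keeps its own policy.
function Get-DomainPasswordPolicy {
    Get-MgDomain -Property Id, IsVerified, PasswordValidityPeriodInDays, PasswordNotificationWindowInDays |
        Where-Object { $_.IsVerified } |
        Select-Object Id,
            @{ N = 'NeverExpires'; E = { $_.PasswordValidityPeriodInDays -eq 2147483647 } },
            PasswordValidityPeriodInDays,
            PasswordNotificationWindowInDays
}

Get-DomainPasswordPolicy | Format-Table -AutoSize
```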
Control the Password Expiration Policy per Single User
The Office 365 admin center lets you control the global password policy: whether passwords expire, after how many days, and how many days before that users are notified.
A global password policy has advantages, from security to in-house procedures. However, the admin center does not let you exclude a specific user from it; for that you need PowerShell. A typical case is a service account whose password is used by an application connector: if the password expires, the connection breaks and the application may stop working. This is how to disable password expiration for a single user:
- Make sure the Azure AD PowerShell module is installed. Microsoft has since deprecated this module in favour of the Microsoft Graph PowerShell SDK, but the commands below still show the setting involved.
- Connect to Azure AD from PowerShell (Connect-AzureAD) using Global Administrator or Password Administrator credentials.
- Run the following command, replacing the placeholder with the user's UPN or object ID:

```powershell
Set-AzureADUser -ObjectId <UserPrincipalName-or-ObjectId> -PasswordPolicies DisablePasswordExpiration
```

Now the password for that single user will never expire. Be aware that the existing password's age is retained: if you later re-enable expiration at 90 days, any password that is already 90 or more days old will be forced to reset at the next sign-in.
To see which users are exempt from expiration, run the following (PasswordPolicies is a comma-separated string, so a wildcard match also catches it when combined with other policy values):

```powershell
Get-AzureADUser -All $true | Select-Object UserPrincipalName,
    @{ N = 'PasswordNeverExpires'; E = { $_.PasswordPolicies -like '*DisablePasswordExpiration*' } }
```
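Because the AzureAD module is deprecated, here is the same per-user control and report with the Microsoft Graph PowerShell SDK, as an added example rather than code from the original guide. The service account name and the 90-day threshold are assumptions. The report also covers the password-age caveat described above: it lists passwords already older than the expiry window, which are the ones that will be forced to reset the moment expiration is re-enabled.

```powershell
# Added example (not from the original guide): per-user expiration control
# and a password-age report with Microsoft Graph PowerShell.
# Assumptions: the service account UPN and the 90-day window.
Connect-MgGraph -Scopes 'User.ReadWrite.All'

$serviceAccount = 'svc-erp-connector@contoso.com'   # hypothetical connector account

# 1. Exempt one account from expiration
Update-MgUser -UserId $serviceAccount -PasswordPolicies 'DisablePasswordExpiration'

# 2. Put it back under the tenant policy later (commented out here):
# Update-MgUser -UserId $serviceAccount -PasswordPolicies 'None'

# 3. Report exempt users and passwords older than the expiry window.
#    Password age survives the setting change, so anyone over the window is
#    forced to reset as soon as expiration is re-enabled.
function Get-PasswordExpirationReport {
    param([int]$MaxAgeDays = 90)
    $now = [datetime]::UtcNow
    Get-MgUser -All -Filter "accountEnabled eq true and userType eq 'Member'" `
        -Property Id, UserPrincipalName, PasswordPolicies, LastPasswordChangeDateTime, OnPremisesSyncEnabled |
    ForEach-Object {
        $age = if ($_.LastPasswordChangeDateTime) { ($now - $_.LastPasswordChangeDateTime).Days } else { $null }
        [pscustomobject]@{
            UserPrincipalName    = $_.UserPrincipalName
            Synced               = [bool]$_.OnPremisesSyncEnabled
            PasswordNeverExpires = ($_.PasswordPolicies -like '*DisablePasswordExpiration*')
            PasswordAgeDays      = $age
            OverMaxAge           = ($null -ne $age -and $age -ge $MaxAgeDays)
        }
    }
}

Get-PasswordExpirationReport -MaxAgeDays 90 |
    Where-Object { $_.PasswordNeverExpires -or $_.OverMaxAge } |
    Sort-Object PasswordAgeDays -Descending |
    Format-Table -AutoSize
```

The Synced column matters when reading the report: accounts synchronized from on-premises AD normally show DisablePasswordExpiration in the cloud because their on-premises policy governs expiry, so only the cloud-only rows reflect exemptions you granted deliberately.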
Note that people who only use the Outlook desktop app will not be prompted to change their Microsoft 365 password until the cached credential also expires, which can be a couple of days after the actual expiration date. There is currently no admin-side workaround for this.
Prevent the Last Password from Being Used Again
If users are synchronized from on-premises AD to Azure AD, you can prevent them from recycling old passwords by enforcing password history in on-premises AD. For Azure AD cloud-only users, the previous password cannot be reused when the user changes it. This is a default policy that cannot be changed, and it applies to all cloud-only user accounts.
How to Audit Office 365 Users’ Password Policy Changes
With Syskit Point, you can audit admin activities such as policy or settings changes in the Exchange admin center. You can also troubleshoot configuration issues and identify the causes of security or compliance problems by reviewing user sign-ins, which helps you demonstrate compliance with regulations such as HIPAA, GDPR and FISMA.
By collecting the relevant Office 365 audit logs, Syskit Point displays every permission, content or configuration change in a simple, manageable way. Its audit reports help you improve security, stay compliant with governance policies and detect malicious behavior, and the Exchange audit logs let you track Exchange Online admin and user activities.