Protecting Passwords in Microsoft 365

We all know what passwords are and how important they are to keep secret but new research on when to expire passwords may surprise you.

By default, passwords are set to never expire in Microsoft 365. Microsoft’s current research strongly shows that requiring passwords to be changed does more harm than good. They drive users to re-use passwords including updating old passwords in ways that are easily guessed, choose weaker passwords. Microsoft strongly recommends enabling multi-factor authentication. But either way, Microsoft has made it easy for you to set a password expiration policy in Microsoft 365.

Setting passwords to expire in Microsoft 365

To set your Microsoft 365 cloud-only accounts passwords to expire is easy.

  1. Go to Microsoft 365 admin center > Settings > Org settings > Security & privacy > Password expiration policy .
  2. Click Set user passwords to expire after a number of days.
  3. Set the Days before passwords expire & Days before a user is notified about expiration.
  4. Click Save.
Set passwords to expire in Microsoft 365

Setting passwords of synced users to expire in Microsoft 365

If you followed the instructions above, you’ve now set all your cloud-only accounts passwords to expire but what about the synced accounts? Synced users are set to passwords never expire in Microsoft 365. That means the password synchronized to the cloud is still valid after the on-premises password expires, in other words, the user can continue to login to Microsoft 365 using an expired password. If a user has a synchronized account and never touches the domain, they’ll be able to continue to sign in to Microsoft 365. So now let’s set the synced accounts passwords to expire.

  1. Open PowerShell and connect to Microsoft 365 using the Connect-MsolService
  2. Run “Set-MsolDirSyncFeature -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers -Enable $true
  3. When prompted to continue with this operation? Click Yes.
Set-MsolDirSyncFeature -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers

Resetting passwords for cloud-only users

Sometimes, users will forget their passwords. It happens. Microsoft offers two options To reset a cloud-only user's password: self-service password reset (SSPR) or an admin can reset the password for the user. To reset a password for a user perform the following:

1. Log into the Microsoft 365 admin center > Users > Active users

2. Search for the user that needs their password reset and click on them.

3. Click Reset password.

Reset a Microsoft 365 cloud-only user's password

4. Select the options you want. Then click Reset password.

Reset Microsoft 365 user password

Important note: The password administrator can reset passwords for non-administrator users. The password administrators can also reset the passwords for the following roles: Directory readers, Guest inviter, and Password administrator. Only Global admins can reset passwords for other administrators.

Password lockout

Microsoft has created a smart lockout system that helps lock out bad actors that try to guess your users’ passwords or use some other type of brute force method. Smart lockout can detect if it’s a valid user attempting to log in to their account and treats them differently than attempts that come from attackers. Attackers will get locked out, while your users can continue to access Microsoft 365.

When a user is locked out due to entering their password wrong too many times, they'll see the following message: “Your account is temporarily locked to prevent unauthorized use. Try again later, and if you still have trouble, contact your admin.”

Account is temporarily locked to prevent unauthorized use. Try again later, and if you still have trouble, contact your admin.

How does smart lock work?

By default, Microsoft 365 will lock out an account for one minute after 10 failed attempts (or 3 for US Government). The account will automatically lock again after each failed sign-in attempt for one minute or longer.

Smart Lockout uses a familiar location vs an unfamiliar location to differentiate between a bad actor and a genuine user. Unfamiliar and familiar locations both have separate lockout counters.

Smart lockout tracks the last three bad password hashes and won't increment the lockout counter for the same password. For example, let's say a user’s password was Password321! and recently changed their password to Password543!. Then the user attempts to log into their account using Password321! three times. That would only count as one attempt.

Note: This does not work if you are configured using pass-through authentication since the authentication is happening in your on-premises environment and not in Microsoft 365.

Important: Administrators can't unlock a user's account if they've been locked out. The user must wait for the lockout duration to expire or they can use the self-service password reset (SSPR) from a trusted device/location.

Editing the Password lockout settings

The password lockout settings are simple in Microsoft 365. From the password protection settings, you can set the lockout threshold, lockout duration in seconds, and configure a banned password list. The banned password list is a custom list of passwords that your users won't be able to use when setting their passwords. To get to the settings follow the below instructions:

1. Go to Azure AD admin center and login with admin credentials

2. Go to Azure Active Directory > Security > Authentication methods.

Access smart lockout settings

3. Click Password protection

4. Update the password protection policies and click Save.

Edit smart lock settings

Self-service password reset

Now, I've mentioned self-service password reset (SSPR) a couple of times now so I thought I should explain. SSPR allows a user to reset their password without admin intervention. You've used it before on websites. For example, if you forget your password for Twitter or another web application you can click a reset password button and it will email your password. The same thing can be set up for Microsoft 365. By default, it's disabled for your users and enabled for your admins, so let’s enable it for everyone.

1. Go to Azure AD and sign in with admin credentials.

2. Click Azure Active Directory > Password reset (you may need to scroll down to see it).

Open Password Reset options in Azure AD

3. Click All > click Save.

Enable self service password reset

While you’re here you should check out the other options available.

Self-service password reset options in Microsoft 365

How do you block a user from signing into Microsoft 365 when they are locked out of on-premises AD?

Now that we understand the Microsoft 365 defaults and adjusting the settings what about synchronized users? What if we have our on-premises AD tuned to just how we like it, the correct amount of password attempts gets a user locked. How do we apply our on-premises password protection to all Microsoft 365 synced users?

The answer is easy, by having the users authenticate to the on-premises AD. Using Pass-through authentication every time a user wants to authenticate to your Microsoft 365 tenant they’ll have to authenticate to your on-premises environment. Then, the AD group policy will apply to their sign-ins.