Azure AD Password Policy: Master the Essentials for Enhanced Security

Learn about the importance of Microsoft Azure AD (Entra ID) password policies and how to customize them for optimal security and usability.

One of the main functions of Microsoft Azure AD (Entra ID) is user authentication, and passwords are the primary authentication method. As a result, passwords are the first line of defense against unauthorized access. 

Microsoft developed Azure AD (Entra) password policies to ensure users follow industry best practices for password complexity, length, and age. Administrators can enable features like multi-factor authentication and conditional access to bolster security. Passwordless authentication is an alternative to MFA and is gaining momentum because it provides a more seamless user experience. Getting these Azure AD password policy settings right can help organizations strike the right balance between security and usability. 

This article reviews the default Azure AD password policy and what your organization can customize. We also cover common password hacking tactics and review Azure AD password policy best practices such as self-service password reset, multi-factor authentication (MFA), and passwordless authentication.

Summary of key Azure AD password policy concepts

The table below summarizes the Azure AD password policy concepts and best practices this article will explore in more detail.

| Concept | Description |
| --- | --- |
| Understand how passwords get hacked | Microsoft has experience protecting millions of user accounts against password attacks, and this experience led to the Azure AD password policy. Unfortunately, password-only authentication is vulnerable to breach, phishing, malware, social engineering, and hammering attacks. |
| Default Azure AD password policy | Microsoft cloud-only accounts use a predefined password policy that follows recommended best practices, such as passwords being at least eight characters long and not expiring. |
| Eliminate weak passwords | Banning common passwords is highly effective in preventing users from using weak passwords. Requiring users to change their passwords can lead to weaker password use. |
| Provide self-service password reset | Users will inevitably forget their passwords. Self-service password reset helps users regain access without burdening administrators or help desk staff. |
| Enable multi-factor authentication (MFA) | MFA is a robust defense mechanism against most password attacks. Combining MFA with conditional access policies can improve security and maintain a streamlined sign-in experience. |
| Consider passwordless authentication | Passwordless authentication replaces passwords with safer authentication factors. The Microsoft Authenticator application provides a passwordless capability for Microsoft Entra ID tenants. |

Understand how passwords get hacked

Microsoft sees over 10 million username/password pair attacks daily, giving it a unique vantage point from which to recommend how to protect passwords. The following table summarizes various types of password attacks along these dimensions:

  • Frequency – indicates how common the tactic is
  • Efficacy – indicates how effective the tactic is
  • The remaining columns indicate whether using unique, long, or complex passwords, rotating passwords, or MFA is effective against a tactic.

| Tactic | Description | Frequency | Efficacy | Unique | Long | Complex | Rotate | MFA |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Breach | An individual or group steals sensitive data, including username and hashed password information. | 90% | ↑↑ | Yes | Yes | Yes | No | Yes |
| Phishing | Websites masquerading as trustworthy entities to lead you to divulge sensitive information. | 9% | ↑↑ | Yes | No | No | No | Yes |
| Malware | Malicious software that spies on you and can include keystroke logging. | | ↑↑ | Yes | No | No | No | Yes |
| Social engineering | Pretending to be a support agent to obtain sensitive information from you. | <1% | | Yes | No | No | No | Yes |
| Hammering | Hackers take a common list of passwords and try them against a list of user accounts. | | ↓↓ | Yes | Yes | Yes | No | Yes |
| Spear phishing | Hackers craft messages to lure you into downloading malicious software or visiting a malicious link. | | ↑↑ | Yes | No | No | No | Yes |
| Proof compromise | Your alternative email or phone is hacked, meaning your MFA is compromised. | | ↑↑ | No | No | No | No | No |

Table summarizing the various types of password attacks. (Source)

How to create strong passwords

Microsoft recommends that administrators avoid the following anti-patterns and adopt the successful patterns listed after them.

Anti-patterns:

  • Requiring long passwords leads users to adopt poor behavior when remembering passwords.
  • Requiring the user to have multiple character sets can cause users to pick passwords in predictable ways, e.g., a capital letter in the first position or a symbol in the last position.
  • Password expiry policies can drive users into predictable password patterns like cycling a number. Although mandated password changes are common, and Azure AD password policies support password expiry, research recommends against this practice.

Successful patterns:

  • Banning common passwords reduces your organization’s susceptibility to brute-force password attacks.
  • Educate users not to reuse their passwords, especially not to use organizational credentials on social sites.
  • Enforcing multi-factor authentication (MFA) is a strong defense against password-based attacks.
  • Risk-based MFA allows you to maintain a strong security posture while providing a low-friction sign-in environment for legitimate users.

Default Azure AD password policy

Microsoft cloud-only accounts use a predefined password policy that administrators cannot change. The only items you can change are the password expiry duration in days and whether or not passwords expire. 

The following default Azure AD password policy applies to all user accounts in Microsoft Entra ID. The password policy can also be applied to user accounts synchronized from an on-premises AD DS environment using Microsoft Entra Connect by enabling the EnforceCloudPasswordPolicyForPasswordSyncedUsers setting.

The Azure AD default password policy aligns with Microsoft’s password guidance, and we recommend that you follow it. 

| Password property | Password requirements |
| --- | --- |
| Characters allowed | A – Z, a – z, 0 – 9, blank space, and the symbols @ # $ % ^ & * - _ ! + = [ ] { } \| \ : ' , . ? / ` ~ " ( ) ; < > |
| Characters not allowed | Unicode characters |
| Password restrictions | A minimum of 8 characters and a maximum of 256 characters. Requires three out of four of the following types of characters: lowercase characters, uppercase characters, numbers (0-9), and symbols (from the allowed characters above). |
| Password expiry duration (Maximum password age) | Default value: 90 days. If the tenant was created after 2021, it has no default expiration value. |
| Password expiry (Let passwords never expire) | Default value: false (indicates whether passwords have an expiration date). |
| Password change history | The last password cannot be reused when the user changes a password. |
| Password reset history | The last password cannot be reused when the user resets a forgotten password. |

Default Azure AD password policy (Source)
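As an added illustration for this article (not Microsoft's validation code), the Python function below checks a candidate password string against the rows of the table above that describe the string itself: the 8 to 256 character length, the ASCII-only allowed character set, and the three-of-four character class rule. The expiry and history rows describe tenant state rather than the string, so they are out of scope here.

```python
# Added example: checks a password string against the default Entra ID policy rows above.
# This is an illustration written for this article, not Microsoft's validation code.

# Symbols copied from the "Characters allowed" row; the blank space is also permitted.
ALLOWED_SYMBOLS = set("@#$%^&*-_!+=[]{}|\\:',.?/`~\"();<>")


def default_policy_violations(password: str) -> list[str]:
    """Return the default-policy rules the password breaks (an empty list means accepted)."""
    problems = []

    # Row: "A minimum of 8 characters and a maximum of 256 characters."
    if not 8 <= len(password) <= 256:
        problems.append("length must be between 8 and 256 characters")

    # Rows: "Characters allowed" / "Characters not allowed: Unicode characters".
    # Anything outside ASCII letters, digits, the symbol set and the blank space is rejected;
    # the first offending character is reported.
    for ch in password:
        allowed = ch.isascii() and (ch.isalnum() or ch in ALLOWED_SYMBOLS or ch == " ")
        if not allowed:
            problems.append(f"character not allowed: {ch!r}")
            break

    # Row: "Requires three out of four of the following types of characters".
    classes_present = sum([
        any(c.islower() for c in password),            # lowercase characters
        any(c.isupper() for c in password),            # uppercase characters
        any(c.isdigit() for c in password),            # numbers (0-9)
        any(c in ALLOWED_SYMBOLS for c in password),   # symbols
    ])
    if classes_present < 3:
        problems.append("needs at least three of: lowercase, uppercase, digits, symbols")

    return problems


if __name__ == "__main__":
    for candidate in ["Correct Horse 42!", "short1A", "Pässwörd1!", "alllowercase"]:
        print(candidate, "->", default_policy_violations(candidate) or "accepted")
```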

Organizations can further enhance security by focusing on: 

  • Educating users to use unique passwords across their online accounts, especially for your organization
  • Implementing MFA
  • Using passwordless authentication

Provide self-service password reset

Enabling users to change or reset their passwords reduces the burden on administrators and help desk staff. Instead of logging a support ticket, a self-service password reset allows users to unblock themselves and return to work.

Self-service password reset scenarios

The following table outlines three self-service password reset scenarios and which Microsoft Entra ID license is required.

| Feature | Microsoft Entra ID Free | Microsoft 365 Business Standard | Microsoft 365 Business Premium | Microsoft Entra ID P1 or P2 |
| --- | --- | --- | --- | --- |
| Cloud-only user changing their password | | | | |
| Cloud-only user resetting a forgotten password | | | | |
| A user synchronized from an on-premises directory trying to change or reset their password | | | | |

The table outlines different self-service password reset scenarios. (Source)

Cayosoft Administrator for robust self-service password reset

Cayosoft Administrator provides complete capabilities for self-service password reset in cloud and hybrid Microsoft AD environments. A significant source of frustration for users, administrators, and help desk staff is dealing with expired passwords and account lockouts. Cayosoft Administrator can send users notifications about these events.

These notifications help to reduce help desk calls/tickets by reminding users to make changes themselves.

Eliminate weak passwords

Bad actors exploit weak passwords because they include common phrases, predictable patterns, or widely used combinations. 

The most common weak passwords include:

  • 123456
  • password
  • qwerty123

Using weak passwords leaves your users open to password spray attacks. These attacks use a few commonly used passwords against many accounts. Targeting many accounts with only a few password attempts minimizes the chance of triggering account lockouts. To protect your organization against these attacks, block weak passwords and create a custom banned password list.
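To make the spray pattern concrete from the defender's side, here is an added Python example (not Cayosoft or Microsoft code) that scans constructed sign-in records for source IPs that fail against many distinct accounts with only one or two attempts each. Single-account brute force, which account lockout already handles, is deliberately left unflagged; the thresholds are illustrative assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Added example for this article; the records below are constructed, not real tenant data.
# Each record: (ISO-8601 timestamp, user principal name, source IP, "failure" | "success").


def _event(second: int, user: str, ip: str, result: str = "failure") -> tuple:
    return (f"2024-05-01T08:00:{second:02d}", user, ip, result)


SAMPLE_SIGNINS = (
    # One IP tries six different accounts once each within half a minute: a spray.
    [_event(i * 5, f"user{i}@example.com", "203.0.113.10") for i in range(6)]
    # Another IP hammers a single account: noisy, but lockout handles it, not this rule.
    + [_event(i * 3, "alice@example.com", "198.51.100.7") for i in range(8)]
    # A normal successful sign-in.
    + [_event(40, "alice@example.com", "192.0.2.5", "success")]
)


def detect_password_spray(events, window=timedelta(minutes=30),
                          min_accounts=5, max_per_account=2) -> dict:
    """Return {source_ip: [targeted accounts]} for IPs whose failed sign-ins inside a sliding
    time window hit at least `min_accounts` distinct users with at most `max_per_account`
    failures each. Thresholds are assumptions for illustration; tune them to your tenant."""
    failures_by_ip = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "failure":
            failures_by_ip[ip].append((datetime.fromisoformat(ts), user))

    flagged = {}
    for ip, fails in failures_by_ip.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Shrink the window from the left until it spans at most `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = Counter(user for _, user in fails[start:end + 1])
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                flagged[ip] = sorted(per_user)
    return flagged


if __name__ == "__main__":
    for ip, accounts in detect_password_spray(SAMPLE_SIGNINS).items():
        print(f"possible password spray from {ip}: {len(accounts)} accounts targeted")
```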

Block weak passwords

Microsoft Azure AD (Entra ID) Password Protection detects and blocks known weak passwords, and you can supplement it with your own banned password list. We recommend that this list includes terms specific to your organization, such as:

  • Brand names
  • Product names
  • Locations, e.g., the company HQ
  • Company-specific internal terms and abbreviations

Custom banned password list

Organizations using Microsoft Entra ID already benefit from Microsoft’s global banned password list. To enable a custom banned password list, visit the Microsoft Entra admin center and then:

  1. Browse to Protection
  2. Select Authentication methods, then Password protection
  3. Set the option Enforce custom list from No to Yes
  4. Add one string per line to the Custom banned password list

The image shows an example of adding entries to the custom banned password list. (Source)

Administrators can add up to 1,000 terms to the custom banned password list. Remember that the list is case-insensitive, and Microsoft’s password validation algorithm blocks weak variants and combinations. Your custom banned password list should therefore only include key base terms. For example, for the base term “michigan”, variations like mIchIgAn, michigan@, MichiganHQ or !Michigan will also be blocked.
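To see why only base terms belong on the list, here is an added Python approximation (not Microsoft's implementation) of the kind of matching the paragraph above describes: lower-casing, undoing common look-alike substitutions, matching banned terms as substrings with one typo allowed, and a point-based score. The substitution table and the five-point acceptance threshold follow Microsoft's public description of Entra Password Protection as we read it and are assumptions here.

```python
# Added example: an approximation of how a banned base term still catches its variants.
# Not Microsoft's implementation; the substitution table and the 5-point threshold are
# taken from Microsoft's public description of Entra Password Protection (assumptions).

# Undo the common look-alike substitutions before matching.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})
EXAMPLE_BANNED = ["michigan", "contoso"]   # constructed custom list with base terms only


def normalize(password: str) -> str:
    """Lower-case the password and map look-alike characters back to letters."""
    return password.lower().translate(SUBSTITUTIONS)


def within_one_edit(a: str, b: str) -> bool:
    """True when equal-length strings differ in at most one position (one typo allowed)."""
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) <= 1


def find_banned_terms(password: str, banned: list[str]) -> list[tuple[str, int, int]]:
    """Return (term, start, end) for each non-overlapping banned term found in the
    normalized password; longer terms are matched first so they win over shorter ones."""
    text = normalize(password)
    matches: list[tuple[str, int, int]] = []
    for term in sorted(set(banned), key=len, reverse=True):
        needle = normalize(term)
        for i in range(len(text) - len(needle) + 1):
            j = i + len(needle)
            if within_one_edit(text[i:j], needle) and all(
                j <= s or i >= e for _, s, e in matches   # skip overlapping spans
            ):
                matches.append((term, i, j))
    return matches


def password_score(password: str, banned: list[str]) -> int:
    """One point per banned term found, plus one point per character not covered by a term."""
    matches = find_banned_terms(password, banned)
    covered = sum(e - s for _, s, e in matches)
    return len(matches) + (len(normalize(password)) - covered)


def is_accepted(password: str, banned: list[str], minimum_score: int = 5) -> bool:
    return password_score(password, banned) >= minimum_score


if __name__ == "__main__":
    for candidate in ["mIchIgAn", "michigan@", "MichiganHQ", "!Michigan", "M1chigan!"]:
        print(candidate, "->", password_score(candidate, EXAMPLE_BANNED), is_accepted(candidate, EXAMPLE_BANNED))
```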

In a hybrid environment, you can extend the security benefits of Microsoft Entra Password Protection into your AD DS environment.

Cayosoft password enforcement and protection

Third-party tools like Cayosoft Administrator enable you to enforce stronger password policies for privileged accounts, which may be required by your organization’s security team or industry compliance requirements. 

Cayosoft Guardian will identify privileged accounts with weak password policies in on-premises AD, hybrid AD, and cloud Entra ID environments. Furthermore, Cayosoft Guardian actively monitors for password-based attacks, like password spray attempts.

Enable multi-factor authentication

Password-only authentication leaves your organization vulnerable to password-based attacks against your user accounts. Multi-factor authentication (MFA) safeguards against password attacks by requiring a second form of authentication. However, even with MFA enabled, you must educate your users so that they are not tricked into accidentally approving MFA requests. MFA fatigue, or MFA bombing, attempts to trick users into approving requests, and the Microsoft Digital Defense Report 2023 reported approximately 6,000 MFA fatigue attempts per day. Even so, based on Microsoft’s studies, your account is more than 99.9% less likely to be compromised if you use MFA.

The image shows examples of single authentication vs. MFA.

Security defaults

A quick way to benefit from MFA is to enable security defaults in Microsoft Entra ID, which allows MFA via Microsoft Authenticator for all users. Security defaults is a preconfigured security feature that is available to Microsoft Entra ID Free tenants.

While this is a convenient way to benefit from MFA, you need to consider whether all of your users can use MFA. Some users may be restricted from carrying a mobile device. Furthermore, emergency access and service principals should be excluded from requiring MFA. Replace service principals in scripts and code with managed identities to handle credentials automatically.  

Microsoft Entra Conditional Access requires a Microsoft Entra ID P1 or P2 license. A basic level of security is available via security defaults for free to cover the following scenarios:

Specific users

MFA can be enabled for specific users and is available to Microsoft Entra ID Free tenants. If your organization has only a small number of users, this is a viable approach to benefit from MFA and control which user accounts it applies to.

Conditional access policies

Conditional access policies, which consist of assignments and access controls, provide a flexible way to decide whether MFA is required to authenticate a user.

The image shows an example of defining a conditional access policy. (Source)

  • Assignments control which users, applications, devices, and locations the policy applies to. The assignments also include conditions that control whether the policy is used or not. For example, a conditional access policy can be applied only to guest users within your Microsoft Entra ID tenant or only to sign-ins identified as risky.
  • Access controls are split into grant, block, and session options.
    • Grant enforces one or more controls when granting access. For example, Require multifactor authentication (Microsoft Entra multifactor authentication).
    • Block prevents a user from signing in. For example, you can block access when a user uses a legacy authentication method to sign in.
    • Session enforces restrictions within specific cloud applications. For example, you can block the download, cut, copy, and print of sensitive documents from unmanaged devices like an employee’s personal PC.

Conditional Access requires a Microsoft Entra ID P1 or P2 license. Microsoft provides several conditional access policy templates.

Cayosoft streamlines Microsoft Entra ID management and recovery

Cayosoft provides a unified solution for securing and managing all your Microsoft Entra ID directories and reporting on users’ MFA status. To help you monitor MFA enrollment, a report of users and MFA status can be created on a schedule.

In addition, Cayosoft Guardian delivers real-time monitoring capabilities and provides administrators with detailed logs to understand unauthorized actions. These logs can help develop conditional access policies.

Cayosoft Guardian provides recovery of conditional access policies. Whether changes are made by accident or by malicious actors, Cayosoft Guardian can restore a previous good state to Microsoft Entra ID. This functionality is not available natively in Microsoft Entra ID: if a conditional access policy is accidentally changed or deleted, the change is treated as a hard deletion.

Consider passwordless authentication

Given all the issues with passwords and the various ways bad actors look to exploit password-protected systems, passwordless authentication is gaining momentum because it combines high security with convenience. Meanwhile, MFA can frustrate users because it requires a second step before sign-in.

Passwordless authentication can provide higher security and convenience to users. (Source)

Passwordless authentication replaces passwords with either a:

  • Windows 10 Device, phone, or security key
  • Biometric or PIN

Microsoft Entra ID has the following passwordless authentication options:

  • Windows Hello for Business
  • Platform Credential for macOS
  • Platform single sign-on (PSSO) for macOS with smart card authentication
  • Microsoft Authenticator
  • Passkeys (FIDO2)
  • Certificate-based authentication

Microsoft Authenticator

Using Microsoft Authenticator is a free and simple way to explore whether passwordless authentication is beneficial to your organization. Microsoft Authenticator turns your users’ phones into passwordless authentication devices. A notification is sent to the phone, and the employee is granted access after matching a number displayed on the sign-in screen to one shown in the Authenticator app. To get started, follow the enable passwordless sign-in with Microsoft Authenticator guide.

Example of Microsoft Authenticator passwordless authentication. (Source)

Last thoughts on Azure AD password policy

Password fatigue is a reality due to the sheer number of online accounts an individual has. For organizations using Microsoft Entra ID with user passwords, the default Azure AD password policy follows industry password best practices. However, if your organization only uses password-based authentication, you are open to password-based attacks.

Educating your users to avoid reusing their passwords across multiple sites and eliminating weak, easily guessable passwords using Microsoft Azure AD (Entra ID) Password Protection will improve security against some password-based attacks. However, you should implement MFA via security defaults or conditional access policies to provide further security to your organization.

Passwordless authentication is an alternative to password-based systems. It brings the security benefits of MFA without the inconvenience of a multi-step sign-in process for your users. 

Whatever your authentication approach, third-party tools like Cayosoft Administrator help improve the operational efficiency of your Azure AD (Entra) environments. Cayosoft Guardian also provides threat monitoring and restore capabilities not natively available in Microsoft Entra ID. 
