Password policy in Office 365 is much stricter and more secure than that of an on-premises application, so you no longer have to worry about setting and enforcing different authentication policies for your users. But still, you should align Office365 security settings with your overall enterprise security profile and posture.
In this blog post, I’ll highlight a few rules that should be helpful for IT admins when ensure Office 365 password policy security.
Rule #1: Stay on Top of Password Expiration
By default, the password expiration period is set for 90 days. The expiration period may be increased maximum to 730 days, but this practice is not advised as it may cause serious security risks to business-critical data.
Here’s how you can change the expiration day value:
- Sign in to the Office 365 administrative center and go to Settings / Security and Privacy.
- Click Edit.
- Type in the number of days for a password to be valid. For most organizations I recommend this be no longer than 90 days, although if you have two factor authentication enabled you can get away with longer periods of time without compromising your overall security profile too much.
- Optionally configure when users are notified about their passwords that will soon expire.
- Click Save to retain the settings.
For some accounts, like service accounts or logins used by multifunction devices to e-mail and save copies of documents scanned or faxed in, you might want to let those passwords never expire. These are typically very restricted accounts that can only do one or two things.
To get that configured, you will need to launch PowerShell and connect up to Office 365. Be sure you have both the Microsoft Online Services Sign-in Assistant for IT Professionals RTW software package as well as the Azure Active Directory Module for Windows PowerShell. Both packages are available from the Microsoft Download Center. Then, use the Connect-Msolservice cmdlet to connect to your tenant and use your credentials to authenticate.
Finally, issue the following command:
Set-Msoluser –UserPrincipalName copier@yourdomain.org -PasswordNeverExpires $true
To follow up, you can get a list of users whose passwords never expires by using:
Get-Msoluser | Select-Object UserPrincipalName, PasswordNeverExpires
NB! Beware that for accounts that you synchronize up to the cloud based on your on-premises Active Directory installation and deployment, the policies you have set and enforced on premises will carry over into the cloud and will not be affected by any changes you make in the cloud. Only cloud originating users can have their settings modified in the cloud.
Rule #2: Embrace the Two-Factor Authentication (2FA)
One of 2FA benefits is the possibility to protect a user’s account even if the password is hacked. If a user’s device is lost, the hacker still does not have the account password, so the impact of a loss is reduced quite a bit. Considering this, companies need to apply 2FA to Office 365 password policy setup. And here’s how it could be done:
- In the Office 365 Admin Center, go to Users / Active Users and click the ‘More’ menu
- Select ‘Setup’ azure multi-factor authentication
- Choose the Set up link next to ‘Set Multi-factor authentication requirements’, and then check the users for which you want 2FA enabled
- Choose ‘Enable’ on the right.
For users that use Outlook 2013 or earlier or other applications, you will need to establish an app password that bypasses 2FA since those applications don’t know how to read a 2FA prompt or pass on the one-time code up to Microsoft Azure.
- Go to the ‘Service settings’ link on the 2FA setup page
- Choose ‘Allow users to create app passwords to sign into non-browser applications’
- Users will have to generate their own app passwords for use in Outlook 2013 and earlier and any other applications that use the Office 365 account.
Office 2016 supports 2FA and so app passwords are unnecessary for it.
Remember that password complexity and regular password changes can help protect your data against security risks.
