Over the past few months, Microsoft has changed its stance on password recommendations. Microsoft now recommends that passwords never be set to expire automatically. The reason is that when users are required to change their password at a regular interval, e.g., every 90 days, they often keep the same password and change only a number at the end. This weakens security: the password could easily be a commonly guessed one, leaving the account vulnerable to hijacking.
Instead, Microsoft suggests alternatives to automatically expiring passwords, including Azure Active Directory Password Protection, which is built into Microsoft’s cloud identity platform, and multi-factor authentication (MFA), as ways to better secure your accounts and data.
Azure AD Password Protection helps eliminate bad passwords within your organization by banning specific, easily guessed passwords, using custom lists that the administrator creates. This feature also applies when you use Azure AD Connect to synchronize user identities up to Azure (also known as a hybrid scenario): you can install Azure AD Password Protection for Windows Server Active Directory to extend the password lists to on-premises users as well.
Not all of these features are included with standard Azure AD licenses; if you want to use the custom lists or employ on-premises password protection, you will need to purchase Azure AD Premium Plan 1 or higher.
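To make the two ideas above concrete (a forced change that only bumps the trailing number, and a custom banned list), here is an added example that is not from the original article and is not Microsoft's algorithm. The banned terms, the substitution table and the function names are all assumptions chosen for illustration.

```python
import re

# Constructed custom banned list, standing in for the one an administrator creates.
CUSTOM_BANNED = {"contoso", "chicago", "password"}

# Look-alike substitutions undone before comparison (an assumed, small set).
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "$": "s", "@": "a"})


def normalize(password: str) -> str:
    """Lowercase and undo look-alike substitutions so 'P@ssw0rd' reads as 'password'."""
    return password.lower().translate(LOOKALIKES)


def stem(password: str) -> str:
    """Drop the trailing digits/punctuation that users bump on each forced change."""
    return normalize(re.sub(r"[\d\W_]+$", "", password))


def review_change(old: str, new: str, banned=CUSTOM_BANNED) -> list[str]:
    """Return findings for a password change.

    Both passwords are only available in clear text at change time, which is
    the one point where this comparison is possible.
    """
    findings = []
    new_stem = stem(new)
    # Same stem with a different suffix: the "Summer2023! -> Summer2024!" pattern.
    if new_stem and new_stem == stem(old):
        findings.append("rotated-suffix")
    # Substring match of each banned term against the normalized new password.
    hits = sorted(term for term in banned if term in normalize(new))
    if hits:
        findings.append("banned-term:" + ",".join(hits))
    return findings


if __name__ == "__main__":
    # Constructed sample changes.
    samples = [
        ("Summer2023!", "Summer2024!"),
        ("C0ntoso#1", "C0nt0so#2"),
        ("Winter#2023", "xK9!vTq2-marble-Lantern"),
    ]
    for old, new in samples:
        print(f"{old!r} -> {new!r}: {review_change(old, new) or 'ok'}")
```

The first sample shows why expiry alone adds little: the new password passes a "must differ from the old one" rule while keeping the same guessable stem.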
These changes are already visible in newly created Office 365 tenants, as seen below.
Also, the latest builds of Windows 10 and Windows Server 2019 have been changed so they no longer require password changes.
Do you have a poor password policy for your organization? Have you been compromised in the past and are you looking to better secure your environment? Contact the Sikich team so we can begin our journey together in creating a better and more secure infrastructure for your organization.
This publication contains general information only and Sikich is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or any other professional advice or services. This publication is not a substitute for such professional advice or services, nor should you use it as a basis for any decision, action or omission that may affect you or your business. Before making any decision, taking any action or omitting an action that may affect you or your business, you should consult a qualified professional advisor. In addition, this publication may contain certain content generated by an artificial intelligence (AI) language model. You acknowledge that Sikich shall not be responsible for any loss sustained by you or any person who relies on this publication.
About the Author
Timothy Longueil
Timothy Longueil is a Senior Network Consultant and Project Engineer at Sikich who works closely with organizations to improve productivity and increase overall profit. Timothy also holds many advanced certifications, including Microsoft 365 Enterprise Administrator Expert (M365 EA), CompTIA A+, CompTIA Network+, Certified SonicWALL Security Administrator (CSSA), Microsoft Certified Solutions Expert (MCSE) and Microsoft Certified Solutions Associate (MCSA). Timothy’s attention to detail allows him to troubleshoot as well as to design and deploy advanced, complex solutions for organizations in the Chicagoland area while providing documentation, communication, support, and sales alongside working closely with the key decision-makers of the organization. Timothy has performed 50+ Microsoft 365 Exchange Online migrations and Teams Phone System deployments for clients, and is currently performing new deployments in the rapidly emerging Microsoft Cloud Technologies Platform. Timothy’s primary areas of focus are Microsoft cloud services such as Azure or Microsoft 365, Windows Server and Active Directory, Virtualization through either VMware or Hyper-V, Backup/Disaster Recovery/Business Continuity and Network routing/switching/security/VPN.