
Password policy in Azure AD

Published: July 12, 2013

Updated: June 16, 2014

Applies To: Azure, Office 365, Windows Intune

Note
This topic provides online help content for cloud services, such as Windows Intune and Office 365, which rely on Microsoft Azure Active Directory for identity and directory services.

This topic describes the various password policies and complexity requirements associated with the user accounts stored in your Azure AD tenant.

Every user account that needs to sign in to the Azure AD authentication system must have a unique user principal name (UPN) attribute value associated with that account. The following table outlines the policies that apply to both on-premises Active Directory-sourced user accounts (synced to the cloud) and to cloud-only user accounts.

 

Property

UserPrincipalName requirements

Characters allowed

  • A – Z

  • a – z

  • 0 – 9

  • . - _ ! # ^ ~

Characters disallowed

  • @

  • Cannot contain a dot character '.' immediately preceding the '@' symbol

Length constraints

  • Total length must not exceed 113 characters

    • 48 characters before the ‘@’ symbol

    • 64 characters after the ‘@’ symbol

The following table describes the available password policy settings that can be applied to user accounts that are created and managed in Azure AD.

 

Property Standard strength passwords Strong passwords

Characters allowed

  • A – Z

  • a – z

  • 0 – 9

  • @ # $ % ^ & * - _ + = [ ] { } | \ : ' , . ? / ` ~ " ( ) ;

Characters disallowed

  • Standard strength passwords:

    • Unicode characters

    • spaces

  • Strong passwords:

    • Unicode characters

    • spaces

    • Cannot contain a dot character '.' immediately preceding the '@' symbol

Password restrictions

  • Standard strength passwords:

    • 8 characters minimum and 16 characters maximum

  • Strong passwords:

    • 8 characters minimum and 16 characters maximum

    • Requires 3 out of 4 of the following:

      • Lowercase characters

      • Uppercase characters

      • Numbers (0-9)

      • Symbols (see password restrictions above)

Password expiry duration

Default value: 90 days

Value is configurable using the Set-MsolPasswordPolicy cmdlet from the Azure Active Directory Module for Windows PowerShell.

Password expiry notification

Default value: 14 days (before password expires)

Value is configurable using the Set-MsolPasswordPolicy cmdlet.

Password Expiry

Default value: false (indicates that password expiry is enabled)

Value can be configured for individual user accounts using the Set-MsolUser cmdlet. See Set a password to never expire for instructions.

Password history

Last password cannot be used again.

Password history duration

Forever

Account Lockout

After 10 unsuccessful logon attempts (wrong password), the user will need to solve a CAPTCHA dialog as part of logon.

After a further 10 unsuccessful logon attempts (wrong password) and correct solving of the CAPTCHA dialog, the user will be locked out for a time period. Further incorrect passwords will result in an exponential increase in the lockout time period.
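A pre-provisioning check that applies the UPN and strong-password rules from the tables above, as an added example (not Microsoft's code, and not how Azure AD itself validates input). The function names and sample values are constructed, and treating the separator as the only permitted '@' in a UPN is an assumption.

```python
import string

# Rule values are transcribed from the two tables on this page.
UPN_ALLOWED = set(string.ascii_letters + string.digits + ".-_!#^~")
PW_SYMBOLS = set("@#$%^&*-_+=[]{}|\\:',.?/`~\"();")
PW_ALLOWED = set(string.ascii_letters + string.digits) | PW_SYMBOLS


def check_upn(upn):
    """Return the UPN rules that `upn` violates (empty list = compliant)."""
    # Assumption: the only '@' permitted is the one separating name and domain.
    if upn.count("@") != 1:
        return ["exactly one '@' separator expected"]
    name, domain = upn.split("@")
    problems = []
    bad = sorted(set(name + domain) - UPN_ALLOWED)
    if bad:
        problems.append("disallowed characters: " + " ".join(map(repr, bad)))
    if name.endswith("."):
        problems.append("dot immediately before '@'")
    if len(upn) > 113:
        problems.append("total length exceeds 113")
    if len(name) > 48:
        problems.append("more than 48 characters before '@'")
    if len(domain) > 64:
        problems.append("more than 64 characters after '@'")
    return problems


def check_strong_password(pw):
    """Return the strong-password rules that `pw` violates."""
    problems = []
    if not 8 <= len(pw) <= 16:
        problems.append("length must be 8 to 16 characters")
    if set(pw) - PW_ALLOWED:  # catches spaces and any non-ASCII character
        problems.append("contains spaces, Unicode or other disallowed characters")
    if ".@" in pw:
        problems.append("dot immediately before '@'")
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, PW_SYMBOLS]
    if sum(any(c in cls for c in pw) for cls in classes) < 3:
        problems.append("fewer than 3 of 4 character classes")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not real accounts or credentials.
    for upn in ("j.doe@contoso.example", "j.doe.@contoso.example", "jörg@contoso.example"):
        print(upn, "->", check_upn(upn) or "OK")
    for pw in ("Summer2014#x", "alllowercase", "Pass word 1", "Abc.@1234"):
        print(repr(pw), "->", check_strong_password(pw) or "OK")
```

Note that '!' is accepted in a UPN but does not appear in the password symbol list on this page, so the password check rejects it.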

© 2014 Microsoft