Expert Intel

Your password doesnโ€™t meet the complexity requirements.

Published: November 7, 2023
Updated: October 22, 2025
lewis-b

Expert: Lewis Barry

Role: Senior Cloud Engineer

Specialises in: Microsoft 365

What you will learn:
Taking an up-to-date approach, when it comes to password policies, doesn't have to be complex... Utilising Entra ID, our Microsoft expert Lewis, will take you through his latest recommendations.
Too much of the focus today is still on how the actual password is composed, rather than adopting multi-factor authentication and Self-Service Password Reset.

8 characters or more, some special, throw some numbers in there, and rotate often.

Pretty much the standard advice for creating passwords for as long as computer systems have existed. I want to talk about why this logic isnโ€™t important anymore, providing youโ€™ve got other controls and training in place.

Microsoft Defaults

In Active Directory, the Default Domain Group Policy Object will have a password policy with the following settings:

  • Enforce password history: 24
  • Maximum password age: 42 days
  • Minimum password age: 1 day
  • Minimum password length: 7
  • Complexity requirements: Enabled

How many of you look at that now and wince a bit?

In Entra ID (formerly Azure Active Directory) the standards are:

  • Enforce password history: 1
  • Maximum password age: 90 days
  • Minimum password age: 0 days
  • Minimum password length: 8
  • Complexity requirements: Enabled

Slightly better, but still not what good looks like.

While this has been โ€œbest practiceโ€ for many years, too much of the focus today is still on how the actual password is composed, rather than adopting multi-factor authentication and Self-Service Password Reset.

Many organisations out there today will have highly specific requirements: some might want 12 characters minimum, others encourage passphrases, and if youโ€™re really unlucky, ridiculously short expiry times.

Passwords arenโ€™t the important bit anymore

As Gabe Newell demonstrated with the introduction of Steam Guard over 10 years ago, itโ€™s the MFA element that protects him.

Our industry has not yet caught up with this idea, hence the slew of external regulators and insurers demanding standards that they havenโ€™t questioned or revised recently.

What you should be doing

If Entra ID is your identity provider:

  • Leave the default password creation policy as it is โ€“ go configure aย banned password listย if you really want to
  • Create a Conditional Access policy to enforce MFA for All Cloud Apps for All Users*
  • Disable password expiry from the M365 Admin Portal
  • Configure Self-Service Password Reset and target it toย ALL USERS

*There are legitimate exceptions to make in Conditional Access, but they are not to be made for end-users (Your C-Levels are just like everybody else).

โ€ฆThere are other CA policies Iโ€™d recommend, but that isnโ€™t for this post.

Expanding on those suggestions

Conditional Access Policy

password, conditional access policy

Pretty straightforward, although if youโ€™ve never implemented this before, mit ight be best to use โ€œreport-onlyโ€ for a week or two.

Disabling Password Expiry

Disabling Password expiry

This option is over at https://admin.microsoft.com โ€“> Org Settings โ€“> Security & Privacy

SELF-SERVICE PASSWORD RESET

Assuming youโ€™ve made the migration to Entra ID Authentication Methods, youโ€™ll have a few options to choose from for users to use to reset their own passwords without calling the helpdesk:

  • Microsoft Authenticator
  • SMS
  • Third-party software OATH tokens
  • Voice call
  • Email OTP

(Eventually, Security Questions will be available too, although some of those are pretty weak. I recently saw a custom one added, which was: โ€œWhat is your favourite colour?โ€)

I always recommend requiring two of the above methods for a password reset.

password reset

Once configured, users will be able to add methods for SSPR over at https://aka.ms/mfasetup

End-users

Itโ€™s all well and good being the sysadmin creating these strong policies, but you also need to tell people about them.ย Number-matching MFAย has done a lot to prevent mistakes of people approving prompts without thinking; however, users need to be informed about the new login experience.

For example, tell them:

  • Donโ€™t approve or proceed with anything you arenโ€™t expecting
  • Go to https://aka.ms/mfasetup and register some alternate methods
  • Make use of the self-service options available to you when the time comes

A big mistake we often make as technical people is forgetting that the things we think are simple are just as obvious to everyone else in the company.

Take a look at theย end-userย templates andย guidanceย Microsoft provides to give you some comms inspiration.


Looking to improve your organisation’s cloud security posture?

Our award-winning Microsoft cloud and cyber security specialists can help you implement stronger, more effective policies across your M365 estate.

Want to know more? Get in touch today

Our latest expert Intel

  • June 10, 2026
    Read full article
  • May 13, 2026
    Read full article
  • May 1, 2026
    Read full article
  • April 14, 2026
    Read full article
  • April 10, 2026
    Read full article
  • April 2, 2026
    Read full article
  • Cyber Background
    March 24, 2026
    Read full article
  • notepad compromise
    April 1, 2026
    Read full article
  • M365
    February 3, 2026
    Read full article
  • Person using a laptop with the Google search homepage open
    February 3, 2026
    Read full article
  • January 20, 2026
    Read full article
  • A professional man holds a "Stripe OLT" branded coffee mug in a modern office environment.
    October 27, 2025
    Read full article