8 characters or more, some special, throw some numbers in there, and rotate often.
Pretty much the standard advice for creating passwords for as long as computer systems have existed. I want to talk about why this logic isn't important anymore, providing you've got other controls and training in place.
In Active Directory, the Default Domain Group Policy Object will have a password policy with the following settings:
How many of you look at that now and wince a bit?
In Entra ID (formerly Azure Active Directory) the standards are:
Slightly better, but still not what good looks like.
While this has been "best practice" for many years, too much of the focus today is still on how the actual password is composed, rather than on adopting multi-factor authentication and Self-Service Password Reset.
Many organisations out there today will have highly specific requirements: some might want 12 characters minimum, others encourage pass-phrases, and if you're really unlucky, ridiculously short expiry times.
As Gabe Newell demonstrated with the introduction of Steam Guard over 10 years ago, it's the MFA element that protects him.
Our industry has not yet caught up with this idea, hence the slew of external regulators and insurers demanding standards that they haven't questioned or revised recently.
If Entra ID is your identity provider:
*There are legitimate exceptions to make in Conditional Access, but they are not to be made for end-users (your C-Levels are just like everybody else).
…There are other CA policies I'd recommend, but that isn't for this post.
Conditional Access Policy
Pretty straightforward, although if you've never implemented this before, it might be best to use "report-only" for a week or two.
Disabling Password Expiry
This option is over at https://admin.microsoft.com -> Org Settings -> Security & Privacy
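As an added example that is not part of the original post, here are the same two changes (the report-only MFA Conditional Access policy from the section above, and disabling password expiry) done with Microsoft Graph PowerShell instead of the admin centre. The domain name, the placeholder group ID for the excluded non-end-user accounts, and the installed Microsoft.Graph module with the listed scopes are all assumptions.

```powershell
# Added example (not from the original post): Microsoft Graph PowerShell
# equivalent of the two admin-centre steps above. Assumptions: the
# Microsoft.Graph module is installed, the signed-in admin holds the listed
# scopes, and $domainName / $breakGlassGroupId are placeholders for your tenant.
Connect-MgGraph -Scopes "Domain.ReadWrite.All", "Policy.ReadWrite.ConditionalAccess"

# --- 1. Disable password expiry for the tenant's domain -------------------
# 2147483647 days is the documented "never expires" value for Entra ID.
$domainName = "contoso.onmicrosoft.com"   # placeholder domain
Update-MgDomain -DomainId $domainName `
    -PasswordValidityPeriodInDays 2147483647 `
    -PasswordNotificationWindowInDays 14

# Read the setting back so the change is verified, not assumed.
$domain = Get-MgDomain -DomainId $domainName
if ($domain.PasswordValidityPeriodInDays -ne 2147483647) {
    throw "Password expiry is still enabled on $domainName"
}

# --- 2. Require MFA for all users, in report-only mode first ---------------
# enabledForReportingButNotEnforced logs what *would* have been blocked
# without affecting sign-ins; switch to "enabled" after the review period.
$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder GUID
$policy = @{
    displayName   = "CA - Require MFA for all users (report-only)"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users = @{
            includeUsers  = @("All")
            # Only non-end-user exceptions belong here (e.g. emergency-access accounts).
            excludeGroups = @($breakGlassGroupId)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) in state $($created.State)"
```

Review the report-only sign-in log results for the chosen week or two before changing the policy state to "enabled".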
Assuming you've made the migration to Entra ID Authentication Methods, you'll have a few options to choose from for users to use to reset their own passwords without calling the helpdesk:
(Eventually Security Questions will be available too, although some of those are pretty weak. I recently saw a custom one added which was: "What is your favourite colour?")
I always recommend requiring two of the above methods for a password reset.
Once configured, users will be able to add methods for SSPR over at https://aka.ms/mfasetup
It's all well and good being the sysadmin creating these strong policies, but you also need to tell people about them. Number-matching MFA has done a lot to prevent the mistake of people approving prompts without thinking, however users need to be informed about the new login experience.
For example, tell them:
A big mistake we often make as technical people is assuming that the things we think are simple are just as obvious to everyone else in the company.
Take a look at the end-user templates and guidance Microsoft provide to give you some comms inspiration.