Your password doesn't meet the complexity requirements.
Published: November 7, 2023
Updated: May 29, 2024
Expert: Lewis Barry
Role: Senior Cloud Engineer
Specialises in: Microsoft 365
What you will learn:
Taking an up-to-date approach to password policies doesn't have to be complex. Using Entra ID, our Microsoft expert Lewis takes you through his latest recommendations.
8 characters or more, some special, throw some numbers in there, and rotate often.
Pretty much the standard advice for creating passwords for as long as computer systems have existed. I want to talk about why this logic isn't important anymore, providing you've got other controls and training in place.
Microsoft Defaults
In Active Directory, the Default Domain Group Policy Object will have a password policy with the following settings:
Enforce password history: 24
Maximum password age: 42 Days
Minimum password age: 1 day
Minimum password length: 7
Complexity requirements: Enabled
How many of you look at that now and wince a bit?
In Entra ID (formerly Azure Active Directory) the standards are:
Enforce password history: 1
Maximum password age: 90 Days
Minimum password age: 0 days
Minimum password length: 8
Complexity requirements: Enabled
Slightly better, but still not what good looks like.
While this has been "best practice" for many years, too much of the focus today is still on how the actual password is composed, rather than on adopting multi-factor authentication and Self-Service Password Reset.
Many organisations out there today will have highly specific requirements: some might want 12 characters minimum, others encourage pass-phrases, and if you're really unlucky, ridiculously short expiry times.
Passwords aren't the important bit anymore
As Gabe Newell demonstrated with the introduction of Steam Guard over 10 years ago, it's the MFA element that protects him.
Our industry has not yet caught up with this idea, hence the slew of external regulators and insurers demanding standards that they haven't questioned or revised recently.
What you should be doing
If Entra ID is your identity provider:
Leave the default password creation policy as it is. Go and configure a banned password list if you really want to
Create a Conditional Access policy to enforce MFA for All Cloud Apps for All Users*
Disable password expiry from the M365 Admin Portal
Configure Self-Service Password Reset and target to ALL USERS
*There are legitimate exceptions to make in Conditional Access, but they are not to be made for end-users (your C-levels are just like everybody else).
…There are other CA policies I'd recommend, but that isn't for this post.
Expanding on those suggestions
Conditional Access Policy
Pretty straightforward, although if you've never implemented this before, it might be best to run the policy in "report-only" mode for a week or two before enforcing it.
Disabling Password Expiry
This option is over at https://admin.microsoft.com → Org Settings → Security & Privacy
Self-Service Password Reset
Assuming you've made the migration to Entra ID Authentication Methods, you'll have a few options to choose from for users to reset their own passwords without calling the helpdesk:
Microsoft Authenticator
SMS
Third-party software OATH tokens
Voice call
Email OTP
(Eventually Security Questions will be available too, although some of those are pretty weak. I recently saw a custom one added which was: "What is your favourite colour?")
I always recommend requiring two of the above methods for a password reset.
Once configured, users will be able to add methods for SSPR over at https://aka.ms/mfasetup
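The three Entra ID steps above (the MFA Conditional Access policy in report-only mode, disabling password expiry, and checking that users targeted for SSPR have actually registered enough methods) as an added example using the Microsoft Graph PowerShell SDK; this is not the author's own script. It assumes you hold the relevant admin roles and that an emergency-access group object ID (placeholder below) is your only legitimate Conditional Access exclusion.

```powershell
# Added example, not from the original post. Requires the Microsoft.Graph modules.
# Assumption: the caller has Conditional Access Administrator / Global Administrator rights.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Domain.ReadWrite.All',
                        'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All'

# 1. Conditional Access: require MFA for all users on all cloud apps.
#    Created in report-only mode so the sign-in logs show the impact before enforcement.
$breakGlassGroupId = '<EMERGENCY-ACCESS-GROUP-OBJECT-ID>'   # placeholder, assumed exclusion
$policy = @{
    displayName   = 'Require MFA - all users, all cloud apps'
    state         = 'enabledForReportingButNotEnforced'     # change to 'enabled' when ready
    conditions    = @{
        clientAppTypes = @('all')
        applications   = @{ includeApplications = @('All') }
        users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# 2. Password expiry: the Graph equivalent of the admin centre toggle is the per-domain
#    password validity period; 2147483647 days is Microsoft's documented "never expire" value.
foreach ($domain in Get-MgDomain) {
    Update-MgDomain -DomainId $domain.Id -PasswordValidityPeriodInDays 2147483647 `
                    -PasswordNotificationWindowInDays 30
}

# 3. SSPR coverage check (read-only): users who are in scope for SSPR but have not yet
#    registered the required number of methods, so they cannot self-reset and will still
#    end up calling the helpdesk. Point these users at https://aka.ms/mfasetup.
$registrations = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
$gaps = @($registrations | Where-Object { $_.IsSsprEnabled -and -not $_.IsSsprCapable })
'{0} of {1} users are SSPR-enabled but cannot yet self-reset' -f $gaps.Count, @($registrations).Count
$gaps | Select-Object UserPrincipalName,
                      @{ n = 'Methods'; e = { $_.MethodsRegistered -join ',' } } |
        Format-Table -AutoSize
```

Step 3 is the one to re-run after your user communications go out: the gap list should shrink towards zero before you rely on SSPR to take reset calls off the helpdesk.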
End-users
It's all well and good being the sysadmin creating these strong policies, but you also need to tell people about them. Number-matching MFA has done a lot to stop people approving prompts without thinking, but users still need to be informed about the new login experience.
For example, tell them:
Don't approve or proceed with anything you aren't expecting