Azure AD Password Policy: Unrecognized Limitations and Future Prospects
Introduction
- Clearly explaining the limitations of Azure AD password policy
- Introduction of command-line operations like PowerShell commands
- Links to related materials and reference sites
Pitfalls of Password Policy
One of the challenges for those migrating to the cloud with Azure AD accounts, especially administrators who have long been responsible for on-premises AD, is the absence of Group Policy. Azure AD in particular lacks flexibility in account-related settings, and its password policy is surrounded by misunderstandings. In AD, account settings including expiration can be configured flexibly and almost all security settings can be managed through Group Policy, so people who have worked in Windows environments for years but are not familiar with AAD tend to assume the same applies in the cloud. This can cause friction between security staff, IT leadership, and compliance officers. Let's briefly explain the current situation.
*As this is a cloud service, future changes are possible, so please verify accurate information on the official website: Self-service password reset policies – Microsoft Entra ID | Microsoft Learn
1. Limited Changes to Password Expiry
Unlike traditional AD, Azure AD account password expiry is fixed at either 90 days or unlimited (password never expires).
Setting a password to "Never Expires" requires PowerShell, which may feel like a hurdle if you are used to the GUI, but the commands are very simple.
Command example:
- Connect to Microsoft Graph (the Get-MgUser and Update-MgUser cmdlets used below belong to the Microsoft.Graph module, not the older AzureAD module, so Connect-AzureAD would not authenticate them)
- Install-Module -Name Microsoft.Graph
- Update-Module -Name Microsoft.Graph
- Connect-MgGraph -Scopes "User.ReadWrite.All"
- Check the current setting (PasswordPolicies is not returned by Get-MgUser unless requested with -Property; replace <user@example.com> with the target user's UPN)
- Get-MgUser -UserId <user@example.com> -Property UserPrincipalName,PasswordPolicies | Select-Object UserPrincipalName, @{N="PasswordNeverExpires";E={$_.PasswordPolicies -match "DisablePasswordExpiration"}}
- Change it to never expire
- Update-MgUser -UserId <user@example.com> -PasswordPolicies DisablePasswordExpiration
- Verify: if PasswordNeverExpires shows True, the change has been applied
- Get-MgUser -UserId <user@example.com> -Property UserPrincipalName,PasswordPolicies | Select-Object UserPrincipalName, @{N="PasswordNeverExpires";E={$_.PasswordPolicies -match "DisablePasswordExpiration"}}
- To list the setting for every user in the tenant at once
- Get-MgUser -All -Property UserPrincipalName,PasswordPolicies | Select-Object UserPrincipalName, @{N="PasswordNeverExpires";E={$_.PasswordPolicies -match "DisablePasswordExpiration"}}
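Once passwords are set to never expire, nothing in the tenant will ever force a change, so it is worth knowing how old those passwords actually are. The following script is an added example written for this post, not code from the original article or from Microsoft; it assumes the Microsoft.Graph module is installed and that Connect-MgGraph has already been run with the User.Read.All scope, and the 365-day threshold is an arbitrary value chosen for illustration.

```powershell
# Added example (not from the original post): report every Azure AD user whose
# password expiration is disabled, together with the age of the password, so
# that never-expiring passwords that have not been changed for a long time can
# be reviewed. Assumes Connect-MgGraph -Scopes "User.Read.All" has been run.

function Get-NeverExpiringPasswordReport {
    [CmdletBinding()]
    param(
        # Example threshold (not a Microsoft default): flag passwords older than this
        [int]$StaleAfterDays = 365
    )

    # PasswordPolicies and LastPasswordChangeDateTime are only returned when
    # requested explicitly with -Property.
    $users = Get-MgUser -All -Property UserPrincipalName, AccountEnabled, PasswordPolicies, LastPasswordChangeDateTime

    foreach ($u in $users) {
        # PasswordPolicies is a comma-separated string such as
        # "DisablePasswordExpiration, DisableStrongPassword", so a substring
        # match is more reliable here than -contains.
        $neverExpires = [bool]($u.PasswordPolicies -match 'DisablePasswordExpiration')
        $strongOff    = [bool]($u.PasswordPolicies -match 'DisableStrongPassword')

        $ageDays = $null
        if ($u.LastPasswordChangeDateTime) {
            $ageDays = [int]((Get-Date).ToUniversalTime() - $u.LastPasswordChangeDateTime).TotalDays
        }

        # Never-expiring plus old is the combination worth a closer look
        $stale = $neverExpires -and ($null -ne $ageDays) -and ($ageDays -gt $StaleAfterDays)

        [pscustomobject]@{
            UserPrincipalName    = $u.UserPrincipalName
            AccountEnabled       = $u.AccountEnabled
            PasswordNeverExpires = $neverExpires
            StrongPasswordOff    = $strongOff
            PasswordAgeDays      = $ageDays
            Stale                = $stale
        }
    }
}

# Usage: show only the accounts whose passwords never expire, oldest first
Get-NeverExpiringPasswordReport |
    Where-Object { $_.PasswordNeverExpires } |
    Sort-Object PasswordAgeDays -Descending |
    Format-Table UserPrincipalName, AccountEnabled, PasswordAgeDays, Stale, StrongPasswordOff -AutoSize
```

The StrongPasswordOff column is included because the same PasswordPolicies string can also carry DisableStrongPassword, and an account with both expiration and complexity checks disabled deserves priority in a review.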
2. Scope of Configuration in Microsoft Intune
Many companies try to impose account restrictions through Microsoft Intune, but this is a common misunderstanding. Most of what Intune can enforce concerns devices and compliance; what it can do about accounts is limited. The rich compliance-check features in particular lead people to expect more account-level control than actually exists.
3. Application of Group Policies
Azure AD offers many management settings, especially security-related ones, but given the nature of a cloud service it is unlikely to ever match the flexibility of AD group policy, which could control almost anything. Companies that still depend heavily on group policy may find themselves short of people who can manage AD group policy settings if they do not move account management to the cloud sooner rather than later. There could even be a future (hard as it is to imagine) in which reduced AD functionality leaves them unable to meet internal security standards. A degree of urgency is therefore warranted.
Current policies of Azure AD accounts
Property | UserPrincipalName requirements
---|---
Characters allowed | A-Z a-z 0-9 ' . - _ ! # ^ ~
Characters not allowed | Any "@" character that's not separating the username from the domain. Can't contain a period character "." immediately preceding the "@" symbol
Length constraints | The total length must not exceed 113 characters; there can be up to 64 characters before the "@" symbol; there can be up to 48 characters after the "@" symbol

Property | Password requirements
---|---
Characters allowed | A-Z a-z 0-9 @ # $ % ^ & * - _ ! + = [ ] { } \| \ : ' , . ? / ` ~ " ( ) ; < > Blank space
Characters not allowed | Unicode characters
Password restrictions | A minimum of 8 characters and a maximum of 256 characters. Requires three out of four of the following types of characters: lowercase characters; uppercase characters; numbers (0-9); symbols (see the allowed characters above)
Password expiry duration (Maximum password age) | Default value: 90 days. If the tenant was created after 2021, it has no default expiration value. You can check the current policy with Get-MgDomain. The value is configurable by using the Update-MgDomain cmdlet from the Microsoft Graph module for PowerShell.
Password expiry (Let passwords never expire) | Default value: false (indicates that passwords have an expiration date). The value can be configured for individual user accounts by using the Update-MgUser cmdlet.
Password change history | The last password can't be used again when the user changes a password.
Password reset history | The last password can be used again when the user resets a forgotten password.
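The table notes that the tenant-level maximum password age is read with Get-MgDomain and changed with Update-MgDomain. The following script is an added example written for this post, not code from the original article or from Microsoft; it assumes the Microsoft.Graph module is installed and that Connect-MgGraph has been run with the Domain.ReadWrite.All scope. The value 2147483647 is the value Microsoft documents for PasswordValidityPeriodInDays to make passwords never expire at domain level; the 14-day notification window is an assumed default for this example.

```powershell
# Added example (not from the original post): review the password validity
# period of every verified domain in the tenant, and change it with a preview
# step. Assumes Connect-MgGraph -Scopes "Domain.ReadWrite.All" has been run.

function Get-DomainPasswordPolicyReport {
    Get-MgDomain -All |
        Where-Object { $_.IsVerified } |
        ForEach-Object {
            $days = $_.PasswordValidityPeriodInDays
            # Translate the raw number into something a reviewer can read
            if ($null -eq $days) {
                $summary = 'no value set (tenant default applies)'
            }
            elseif ($days -eq 2147483647) {
                $summary = 'never expires'
            }
            else {
                $summary = "expires after $days days"
            }
            [pscustomobject]@{
                Domain           = $_.Id
                IsDefault        = $_.IsDefault
                ValidityDays     = $days
                NotificationDays = $_.PasswordNotificationWindowInDays
                Summary          = $summary
            }
        }
}

function Set-DomainPasswordValidity {
    # SupportsShouldProcess gives the caller -WhatIf and -Confirm for free
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]$DomainId,
        # A number of days, or 2147483647 for never expires
        [Parameter(Mandatory)] [int]$ValidityDays,
        # Assumed default for this example: warn users 14 days before expiry
        [int]$NotificationDays = 14
    )
    if ($PSCmdlet.ShouldProcess($DomainId, "Set password validity to $ValidityDays days")) {
        Update-MgDomain -DomainId $DomainId `
            -PasswordValidityPeriodInDays $ValidityDays `
            -PasswordNotificationWindowInDays $NotificationDays
    }
}

# Usage: review first; preview a change with -WhatIf before applying it.
Get-DomainPasswordPolicyReport | Format-Table -AutoSize
# Set-DomainPasswordValidity -DomainId 'contoso.example' -ValidityDays 2147483647 -WhatIf
```

Reading the domain value first matters because, as the table says, tenants created after 2021 have no default expiration value at all, so a tenant may already be in the "never expires" state without anyone having chosen it.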
Future of Password Policy
Microsoft advocates passwordless authentication, so in the future the need to change password expiry settings may disappear altogether.
Going forward, the following developments are expected.
- Promotion of passwordless authentication
- Flexible password policies tailored to the cloud environment
- Standardization of security criteria
Conclusion
There are several unrecognized limitations in Azure AD’s password policy. In the future, the promotion of passwordless authentication and the provision of flexible password policies tailored to the cloud environment are expected.
We hope this blog post helps deepen your understanding of Azure AD password policy limitations and future prospects.
References:
Self-service password reset policies – Microsoft Entra ID | Microsoft Learn