This article focuses on Office 365 password policy.

Allowed Characters

The following characters are allowed in an Office 365 user password:

  • a - z
  • A - Z
  • 0 - 9
  • @ # $ % ^ & * - _ + = [ ] { } | \ : ' , . ? / ` ~ " < > ( ) ;

Disallowed Characters

The following characters are not allowed in an Office 365 user password:

  • Unicode characters like !, ¥, Ą, Ə, ɖ, o̕, Љ, Ԁ, Ա, ؟, ܀, ހ, ߄ etc
  • spaces

Office 365 User Password

An Office 365 password must contain a minimum of 8 characters and a maximum of 16 characters, and cannot contain the user name. It requires 3 out of 4 of the following:

  • Lowercase characters
  • Uppercase characters
  • Numbers (0 - 9)
  • Symbols like @ # $ % ^ & * - _ + = [ ] { } | \ : ' , . ? / ` ~ " < > ( ) ;

Rules

The following are some of the rules applied to Office 365 user passwords:

  • Password history - The last password cannot be used again
  • Password expiry notification - Default value is 14 days (the user is notified 14 days before the password expires)
  • Password expiry duration - Default value is 90 days (after which the password expires and the user needs to set a new password)
  • Password history duration - Forever
  • Account lockout - After 10 unsuccessful attempts to enter the password, the user needs to solve a CAPTCHA dialog

Examples

The following are valid password examples:

  • Summer2015
  • @may2016
  • @Summerset

The following are invalid password examples:

  • Summer
  • summer2015
  • May 2015
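
The rules above can be expressed as a small checker and run against the article's own examples. This is an added example, not code from the article or from Microsoft; `check_password`, the sample user name, and the way the user-name rule is matched (case-insensitive substring of the part before `@`) are assumptions.

```python
import string

# Symbol set as listed on this page; the typographic dash and quotes there
# are read as ASCII - ' " (assumption).
SYMBOLS = set("@#$%^&*-_+=[]{}|\\:',.?/`~\"<>();")
LOWER, UPPER, DIGITS = (set(string.ascii_lowercase),
                        set(string.ascii_uppercase), set(string.digits))
ALLOWED = LOWER | UPPER | DIGITS | SYMBOLS


def check_password(password, username=""):
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    if not 8 <= len(password) <= 16:
        problems.append("length must be 8-16 characters")
    if " " in password:
        problems.append("spaces are not allowed")
    bad = sorted({c for c in password if c not in ALLOWED and c != " "})
    if bad:
        problems.append("disallowed characters: " + "".join(bad))
    # Assumption: "cannot contain a user name" is a case-insensitive
    # substring match on the part of the sign-in name before '@'.
    local = username.split("@")[0].lower()
    if local and local in password.lower():
        problems.append("contains the user name")
    classes = sum(bool(set(password) & group)
                  for group in (LOWER, UPPER, DIGITS, SYMBOLS))
    if classes < 3:
        problems.append(f"only {classes} of 4 character classes (need 3)")
    return problems


if __name__ == "__main__":
    # The article's own examples, checked against a constructed user name.
    for pw in ["Summer2015", "@may2016", "@Summerset",
               "Summer", "summer2015", "May 2015"]:
        print(f"{pw!r:14} {check_password(pw, 'jdoe@example.com') or 'OK'}")
```

Returning every violation rather than stopping at the first shows why a candidate such as `Summer` fails on two counts: length and character classes.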

Karim Buzdar

About the Author: Karim Buzdar holds a degree in telecommunication engineering and holds several sysadmin certifications. As an IT engineer and technical author, he writes for various web sites. He blogs at LinuxWays.

One thought on “Office 365 Password Policy”

  • July 31, 2020 at 6:25 pm

    Hello,

    I have a question regarding a possible scenario involving O365:

    If I have AD, AAD and O365, I understand the On Prem Password Policies will take precedence over any Policy within AAD. Also, O365 works with the AAD, so, what would happen in this scenario:

    1. The on-prem password policy is set to expire passwords in 90 days.
    2. A synced user’s on-prem AD password expires in 10 days.
    3. EnforceCloudPasswordPolicyForPasswordSyncedUsers is then enabled
    4. Will the synced user’s Azure AD password now also expire in 10 days?…or is it in 90 days?
    5. If the user fails to change their on-prem password and the password expires – will the user still be unable to use O365 or will they be unable to authenticate successfully?

    Regards,

    Iddy
