Your Guide to Setting Up Your Office 365 Password Policy

Office 365 password policy isn't something new to you, especially if you’re a network admin. Here's your guide to setting up Office 365 password policy.

If you're an admin of your organization's Office 365 or network, setting the password policy is your responsibility. This will protect your enterprise from different cyber threat levels.

When setting the password policy, you need to do it right because any loophole can expose your business to vulnerabilities. But, setting the Office 365 password policy can be complicated and sometimes confusing.

In this article, we outline what a password policy is and offer a step-by-step guide to setting up your password policy in Office 365.

What Is A Password Policy?

In general, a password policy is a set of rules that users must meet to enhance computer or network security. The policy sets out important things like password length and types of characters allowed or disallowed on a password.

A typical password policy encourages users, IT persons, and network admins to create, implement, and use stronger passwords for the safety of your computer, network, and website.

As part of an organization's rules, password policies are often included in the organization's security awareness training. Applications and services, including the various Microsoft 365 plans, also ship with password policies of their own.

What Is The Default Password Policy For Office 365?

Microsoft cloud-only accounts, which include Office 365 and Azure AD, have a predefined password policy that admins cannot change.

The policy sets three critical password guidelines for admins:

  • Password length. Office 365 passwords must be at least 8 characters and at most 16 characters long. The username cannot be part of the password.
  • Password complexity. Office 365 passwords must be strong and may contain only allowed characters: lowercase and uppercase letters (a-z, A-Z), numbers (0-9), and allowed non-alphabetic symbols (such as ! @ # _ - $ % ^ & *). The policy disallows spaces and Unicode characters such as !, ¥, Ą, Ə, ɖ, o̕, Љ, Ԁ, Ա, ؟, ܀, ހ, ߄. Examples of valid, strong Microsoft 365 passwords are May<1@>2@22$ and summeR%2@2!
  • Password expiry duration. By default, an organization's Office 365 passwords are set never to expire. Admins can choose whether passwords expire and after how many days; the expiry period defaults to 90 days and can be changed.

Additional rules of a great password strength include:

  • Prevent the use of personal details. Prevent users from integrating personal details like usernames, driver's licenses/ID/passport numbers, birth dates, etc., in their passwords because they're more prone to unauthorized access.
  • Prevent reuse of the last password.
  • Password expiry notification. The default value of password expiry notification is 14 days before password expiration.
  • Ban common or reused passwords to keep the vulnerable passwords away from your system.
  • Account lockout. An account is locked after 10 unsuccessful attempts that involve entering the wrong password. The user will need to solve the CAPTCHA dialog successfully.

How Do I Change My Password Complexity In Office 365?

Microsoft 365 comes with a predefined password complexity policy. This means a password must contain characters from at least 3 of these 4 allowed categories:

  • Uppercase characters (A-Z)
  • Lowercase characters (a-z)
  • Numbers (0-9)
  • Allowed symbols: ! @ # $ % ^ & * - _ + = [ ] { } | \ : ' , . ? / ` ~ " < > ( ) ;

In addition, the password length must stay within the 8-character minimum and 16-character maximum.

This complexity cannot be changed.

You can advise your users to draw on at least three of the four character categories and to keep their passwords within the required length (8 to 16 characters).
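The rules above (8 to 16 characters, at least three of the four character categories, only ASCII letters, digits and the listed symbols, and no username inside the password) are easy to encode in a small checker that a help desk or onboarding script can run before a user tries a new password and gets a generic rejection. The following is an added example written for this article, not Microsoft's own validator; the function names, the decision to treat the local part of a UPN (the text before @) as the username, and the sample passwords are all constructed here.

```python
import string

# Constants constructed from the rules stated in the article.
MIN_LENGTH = 8
MAX_LENGTH = 16
ALLOWED_SYMBOLS = set("!@#$%^&*-_+=[]{}|\\:',.?/`~\"<>();")
ALLOWED_CHARS = set(string.ascii_letters) | set(string.digits) | ALLOWED_SYMBOLS


def check_password(password: str, username: str = "") -> list[str]:
    """Return a list of rule violations; an empty list means the password passes.

    `username` may be a plain account name or a full UPN (user@domain).
    Using the local part of the UPN as the username is this example's
    interpretation of the "username cannot be part of the password" rule.
    """
    problems = []

    if not MIN_LENGTH <= len(password) <= MAX_LENGTH:
        problems.append(
            f"length {len(password)} is outside {MIN_LENGTH}-{MAX_LENGTH} characters"
        )

    # Spaces and any non-ASCII (Unicode) character are disallowed outright.
    bad = sorted({c for c in password if c not in ALLOWED_CHARS})
    if bad:
        problems.append("disallowed characters: " + " ".join(repr(c) for c in bad))

    # At least three of the four categories must be present.
    categories = {
        "uppercase": any(c in string.ascii_uppercase for c in password),
        "lowercase": any(c in string.ascii_lowercase for c in password),
        "digit": any(c in string.digits for c in password),
        "symbol": any(c in ALLOWED_SYMBOLS for c in password),
    }
    present = sum(categories.values())
    if present < 3:
        missing = ", ".join(name for name, ok in categories.items() if not ok)
        problems.append(f"only {present} of 4 character categories used (missing: {missing})")

    # The username (local part of a UPN) must not appear, case-insensitively.
    needle = username.split("@", 1)[0].lower()
    if needle and needle in password.lower():
        problems.append(f"contains the username {needle!r}")

    return problems


def is_compliant(password: str, username: str = "") -> bool:
    return not check_password(password, username)


if __name__ == "__main__":
    # Constructed sample inputs: the article's two examples plus some failures.
    samples = [
        ("May<1@>2@22$", "jdoe@contoso.com"),
        ("summeR%2@2!", ""),
        ("password", ""),                    # a single category only
        ("Pass word1", ""),                  # contains a space
        ("Jdoe2@24!x", "jdoe@contoso.com"),  # username inside the password
        ("Sûr3!pass", ""),                   # non-ASCII character
    ]
    for pwd, user in samples:
        verdict = check_password(pwd, user)
        print(f"{pwd!r:16} -> {'OK' if not verdict else '; '.join(verdict)}")
```

Run it as a script to see each sample judged; in a provisioning script, call `check_password` and show the returned reasons to the user so they can fix the specific rule they broke rather than guessing.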

Cybersecurity research strongly indicates that mandated periodic password changes, whether imposed on organizations or individuals, often do more harm than good. When forced to change passwords, people tend to choose weaker ones they can remember easily, reuse old ones, or update passwords in easily guessed ways. This exposes the passwords to bad actors.

Also, for two reasons, it's important not to require a particular mix of symbols such as *&(^%$ in your complexity rules. First, they're difficult to remember. Second, people tend to use predictable substitutions such as @ for a, $ for s, or 1 for I, which are easy to figure out.

How Do I Find My Password Policy in Office 365?

Your Office 365 password policy is in the Office 365 admin center. You must log in to the Office 365 admin center with the right credentials and locate the password policy.

Note that you may not have permission to access the password policy if you're a user and not an admin.

To find the password policy in the Microsoft 365 admin center, follow these steps:

  1. Log in to the Office 365 admin center using your admin username and password.
  2. On the left pane, go to Settings > Org Settings. You'll only see this option if you’re the organization's Office 365 global admin.
  3. Expand the Settings menu, then go to Security & Privacy.
  4. You'll see the Password Policy in the new window, along with privacy policy, sharing, and others.

Steps to Setting Up Your Password Policy

After finding your password policy in Microsoft 365 admin center, you can now set it to your preference. Note that if you're just a user and not an admin, you don't have the credentials to access the admin center or permissions to set your organization's password policy.

Follow the steps below to set your password policy in the Microsoft Admin center.

  1. In the Microsoft 365 admin center, navigate to Settings > Org Settings > Security & privacy tab. This option is only visible to global admin or security admin. Otherwise, you won't see it.
  2. In the list of elements, select Password expiration policy > Set user passwords policy for …
  3. To delete your organization's password expiration, uncheck the box "Set user passwords to expire after a number of days." This will set passwords never to expire.
  4. To set password expiration policy (how often passwords will expire), leave the "Set user passwords to expire after a number of days" checked then:
    • Choose the number of days after which passwords expire. Replace the default 90 with any value between 14 and 730 days.
    • Select how many days before expiration users are notified. Replace the default 14 with any value between 1 and 30. For example, if you choose 30, users will be notified 30 days before their password expires.
  5. To set passwords never to expire, so users don't have to change them, toggle the Set passwords never to expire option to disable expiration.
  6. Once you're done, click Save.
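The expiration settings set through the dialog above can also be applied programmatically, which is useful when you manage several tenants or want the policy under version control. The following is an added example, not the article's or Microsoft's own code: it builds the body for a Microsoft Graph `PATCH /domains/{id}` request using the `passwordValidityPeriodInDays` and `passwordNotificationWindowInDays` properties, enforces the 14-730 and 1-30 day ranges the article gives for the dialog, and uses Graph's documented sentinel value 2147483647 for "never expire" (an assumption drawn from the Graph documentation, not from this article). Obtaining an access token with the `Domain.ReadWrite.All` permission is outside the example; `apply_expiration_policy` simply takes one as a string.

```python
import json
import urllib.request

# Graph's documented sentinel for "passwords never expire" on a domain object
# (assumed from Microsoft Graph documentation, not stated in the article).
NEVER_EXPIRE = 2147483647

# Ranges the article gives for the admin center dialog.
VALIDITY_RANGE = (14, 730)
NOTIFICATION_RANGE = (1, 30)


def expiration_policy_problems(validity_days, notification_days) -> list[str]:
    """Return the input problems found; empty list means the inputs are valid.

    validity_days=None mirrors unchecking "Set user passwords to expire after
    a number of days", i.e. passwords never expire.
    """
    problems = []
    lo, hi = NOTIFICATION_RANGE
    if not lo <= notification_days <= hi:
        problems.append(f"notification window must be {lo}-{hi} days, got {notification_days}")
    if validity_days is not None:
        lo, hi = VALIDITY_RANGE
        if not lo <= validity_days <= hi:
            problems.append(f"validity period must be {lo}-{hi} days, got {validity_days}")
    return problems


def build_expiration_policy(validity_days=None, notification_days=14) -> dict:
    """Build the JSON body for PATCH https://graph.microsoft.com/v1.0/domains/{id}."""
    problems = expiration_policy_problems(validity_days, notification_days)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "passwordValidityPeriodInDays": NEVER_EXPIRE if validity_days is None else validity_days,
        "passwordNotificationWindowInDays": notification_days,
    }


def apply_expiration_policy(domain: str, body: dict, access_token: str) -> int:
    """PATCH the domain object; Graph answers 204 No Content on success.

    Requires a token carrying Domain.ReadWrite.All. Not exercised offline.
    """
    req = urllib.request.Request(
        f"https://graph.microsoft.com/v1.0/domains/{domain}",
        data=json.dumps(body).encode("utf-8"),
        method="PATCH",
        headers={
            "Authorization": f"Bearer {access_token}",
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed examples; nothing is sent without a real domain and token.
    print(json.dumps(build_expiration_policy(90, 14)))        # the dialog's defaults
    print(json.dumps(build_expiration_policy(None, 14)))      # never expire
    print(expiration_policy_problems(7, 45))                  # both values out of range
```

Run the script to see the request bodies for the default 90/14 policy and for "never expire"; to push a policy, call `apply_expiration_policy("contoso.example", build_expiration_policy(90, 14), token)` with your own domain and token and check that the returned status is 204.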


You can manage your organization's password policy in the Office 365 Admin center/portal only if you are an admin. You can set whether or not user passwords expire, set password complexity, the duration before passwords expire, and notifications about password expiration.

This ensures that your organization stays secure from cyber attacks.

But it's advised to always conduct a thorough password audit alongside educating your team about the essence of using strong passwords and the benefits of password management.
