Wednesday, December 06, 2017

Managing the Password Policy for Microsoft O365 Accounts

Changing an account password every 90 days is more often than most users would prefer if given a choice. So what happens when we are forced to change account passwords too often? Typically some or all of the following will occur:
  • User passwords get simpler rather than more complex so users can remember them.
  • Only one character of a password is changed. For instance, a number might progress to the next highest iteration.
  • New passwords are written down because it can be difficult to remember them when they are changed often.
By default, Microsoft O365 accounts force users to change their password every 90 days. This can be tedious and frustrating because email on phones and in mail applications stops working once the password has expired under the policy. As a user, it can be difficult to know what has happened because these applications do not tell you that a password change is required; they simply stop working. Luckily, an O365 administrator can access the management interface and change the password policy to something that works for everyone.

Managing the Password Policy for Microsoft O365 Accounts

To manage the password policy for a Microsoft O365 organization or account, log into an O365 administrator account at portal.microsoft.com.

Once logged in, follow these steps:
  • Click on the menu icon in the upper left corner and click on the "Admin" tile towards the bottom right.

  • In the pop-out Admin menu, click "Settings" to expand the menu.

  • Select "Security & privacy" to open the menu in the right pane.
  • In the security and privacy pane, click the "Edit" box next to the Password Policy heading.

  • In the Password Policy pop-up, update the number in the box for the number of days before a password expires. If desired, also change the number of days before expiration at which users are notified. Lastly, the password policy can be disabled, which would allow users to keep the same password forever or until the password policy was changed. NOTE: Disabling the password policy is not recommended. Regularly changing passwords is a part of preventing unauthorized user access. Find a balance best suited for your organization.

  • Once all changes have been made, click the "Save" button at the bottom of the box to apply the settings.
  • The new settings can be verified on the Security and Privacy screen. NOTE: This change will affect everyone in your organization so be strategic when implementing a change. 
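
The same expiration and notification values can be reviewed and changed from PowerShell, which also records the before and after state for each domain. This is an added example, not part of the original post; it assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in administrator may manage domains, and the 180 and 14 day values are constructed samples.

```powershell
# Added example (not from the original post).
# Assumptions: Microsoft.Graph module installed; account can manage domains.
param(
    [int]$ValidityDays     = 180,  # constructed sample: days before a password expires
    [int]$NotificationDays = 14,   # constructed sample: days of warning before expiry
    [switch]$Apply                 # without -Apply the script only reports
)

if ($NotificationDays -ge $ValidityDays) {
    throw "NotificationDays ($NotificationDays) must be less than ValidityDays ($ValidityDays)."
}

Connect-MgGraph -Scopes 'Domain.ReadWrite.All'

# Expiration is enforced by the cloud directory only for managed domains;
# federated domains take their policy from the on-premises identity provider.
$domains = Get-MgDomain -All | Where-Object {
    $_.IsVerified -and $_.IsRoot -and $_.AuthenticationType -eq 'Managed'
}

foreach ($d in $domains) {
    Write-Output ("{0}: current expiry={1} days, notify={2} days" -f `
        $d.Id, $d.PasswordValidityPeriodInDays, $d.PasswordNotificationWindowInDays)

    if (-not $Apply) { continue }

    try {
        Update-MgDomain -DomainId $d.Id `
            -PasswordValidityPeriodInDays $ValidityDays `
            -PasswordNotificationWindowInDays $NotificationDays -ErrorAction Stop

        # Read the domain back so the change is verified, not assumed.
        $after = Get-MgDomain -DomainId $d.Id
        if ($after.PasswordValidityPeriodInDays -ne $ValidityDays) {
            Write-Warning "$($d.Id): expiry still $($after.PasswordValidityPeriodInDays) days"
        } else {
            Write-Output "$($d.Id): updated to expiry=$ValidityDays, notify=$NotificationDays"
        }
    } catch {
        Write-Warning "$($d.Id): update failed: $($_.Exception.Message)"
    }
}
```

Run it once without `-Apply` to capture the current values before changing anything.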


Password policies are implemented to help protect both user and business files by preventing unauthorized access. However, if password policies are too strict, they are often compromised in an effort to make them tolerable. This can include writing down new passwords in places where people can easily find them. It is critical to find a balance between maintaining security and ensuring the process is manageable for everyone it applies to. A password policy will only be effective if users embrace the process.

As always when it comes to tech, there is a balance between what seems best in theory and what works best in practice!

