Introduction #
By default, passwords are set to expire in 90 days. Current research strongly indicates that mandated password changes do more harm than good. They drive users to choose weaker passwords, re-use passwords, or update old passwords in ways that are easily guessed by hackers.
The use of Multi-Factor Authentication is always highly recommended.
User Impact #
Low
Disabling the password expiration will stop users from needing to set new passwords.
Admin Portal Reference #
In the Microsoft 365 Admin Center:
- Go to the Settings > Org Settings
- Go to the Security & privacy page
  If you aren’t a global admin, you won’t see the Security & privacy option.
- Select Password expiration policy
- Uncheck the checkbox next to “Set user passwords to expire after a number of days”

If Action is set to Notify #
We report the setting is compliant if the password expiry is set so passwords do not expire.
We report the setting is non-compliant if passwords are set to expire (after any number of days).
If Action is set to Enforce #
We report the setting is compliant if the password expiry is set so passwords do not expire.
We report the setting is compliant-fixed if the password expiry was set so passwords expire, but was updated so they do not expire.
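The portal steps above and the Notify/Enforce reporting can be done from the command line as well. The following is an added example written for this page, not the tool's own code: it uses the Microsoft Graph PowerShell SDK to read each domain's password validity period, reports it as compliant or non-compliant, and, only when run with `-Action Enforce`, updates the domain so passwords never expire and reports compliant-fixed. It assumes the `Microsoft.Graph.Identity.DirectoryManagement` module is installed and that the signed-in account can consent to the `Domain.ReadWrite.All` permission; the `-Action` parameter name and the status strings are chosen here to mirror the wording above.

```powershell
# Added example (not part of the original page): check, and optionally enforce,
# "passwords never expire" for every verified domain in the tenant.
# Assumes the Microsoft Graph PowerShell SDK and Domain.ReadWrite.All consent.
param(
    [ValidateSet('Notify', 'Enforce')]
    [string]$Action = 'Notify'   # assumed parameter name, mirrors the page's Notify/Enforce actions
)

# 2147483647 (Int32 max) is the value Microsoft uses to mean "passwords never expire".
$NeverExpire = 2147483647

Connect-MgGraph -Scopes 'Domain.ReadWrite.All'

foreach ($domain in Get-MgDomain) {
    # If the property was never set, Graph applies the tenant default of 90 days,
    # so a null here is treated as "expires" and therefore non-compliant.
    $days = $domain.PasswordValidityPeriodInDays

    if ($days -eq $NeverExpire) {
        $status = 'compliant'
    }
    elseif ($Action -eq 'Enforce') {
        # Remediate: never expire, and keep a notification window so the
        # setting is explicit rather than inherited from the default.
        Update-MgDomain -DomainId $domain.Id `
            -PasswordValidityPeriodInDays $NeverExpire `
            -PasswordNotificationWindowInDays 14
        $status = 'compliant-fixed'
    }
    else {
        # Notify mode only reports; nothing is changed.
        $status = 'non-compliant'
    }

    [pscustomobject]@{
        Domain       = $domain.Id
        ValidityDays = $days
        Status       = $status
    }
}
```

Run it without arguments to get a read-only report (the Notify behaviour); run it with `-Action Enforce` to have non-compliant domains updated and reported as compliant-fixed. Because the remediation call is gated on the action, the same script can be scheduled safely in Notify mode and only switched to Enforce once the change has been agreed.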