Disable Password Expiry – Tenant Wide
Introduction
By default, passwords are set to expire in 90 days. Current research strongly indicates that mandated password changes do more harm than good. They drive users to choose weaker passwords, re-use passwords, or update old passwords in ways that are easily guessed by hackers.
The use of Multi-Factor Authentication is always highly recommended.
User Impact
Low
Disabling the password expiration will stop users from needing to set new passwords.
Admin Portal Reference
In the Microsoft 365 Admin Center:
- Go to Settings > Org Settings
- Go to the Security & privacy page
If you aren’t a global admin, you won’t see the Security and privacy option.
- Select Password expiration policy
- Uncheck the checkbox next to “Set user passwords to expire after a number of days”

If Action is set to Notify
We report the setting is compliant if the password expiry is set so passwords do not expire.
We report the setting is non-compliant if the password is set to expire (any number of days).
If Action is set to Enforce
We report the setting is compliant if the password expiry is set so passwords do not expire.
We report the setting is compliant-fixed if the password was set to expire but was updated to not expire.
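The same check can be reproduced with Microsoft Graph PowerShell. This is an added example, not the product's own code: it applies the Notify and Enforce reporting described above to domain records shaped like `Get-MgDomain` output. The function name `Test-PasswordExpiryCompliance`, its parameters, the sample domains, and the handling of a failed fix are assumptions.

```powershell
# Added example, not the product's code. Function and parameter names are hypothetical.
# Graph stores "never expire" as 2147483647; an unset value falls back to the 90-day default.
$NeverExpire = 2147483647

function Test-PasswordExpiryCompliance {
    param(
        [Parameter(Mandatory)] [object[]] $Domains,
        [ValidateSet('Notify', 'Enforce')] [string] $Action = 'Notify',
        [scriptblock] $Remediate   # receives the domain Id; only called when Action is Enforce
    )
    $ErrorActionPreference = 'Stop'   # make a failed update land in the catch block
    foreach ($d in $Domains) {
        $days = $d.PasswordValidityPeriodInDays
        $effective = if ($null -eq $days) { 90 } else { $days }
        if ($effective -eq $NeverExpire) {
            $status = 'compliant'
        }
        elseif ($Action -eq 'Enforce' -and $Remediate) {
            try {
                $null = & $Remediate $d.Id
                $status = 'compliant-fixed'
            }
            catch {
                $status = 'non-compliant'   # assumption: a failed fix is reported as non-compliant
            }
        }
        else {
            $status = 'non-compliant'
        }
        [pscustomobject]@{ Domain = $d.Id; ExpiryDays = $effective; Status = $status }
    }
}

# Constructed sample records shaped like Get-MgDomain output, so the script runs offline.
$sample = @(
    [pscustomobject]@{ Id = 'contoso.example';  PasswordValidityPeriodInDays = 2147483647 }
    [pscustomobject]@{ Id = 'fabrikam.example'; PasswordValidityPeriodInDays = 90 }
    [pscustomobject]@{ Id = 'unset.example';    PasswordValidityPeriodInDays = $null }
)
Test-PasswordExpiryCompliance -Domains $sample -Action Notify | Format-Table

# Against a live tenant (requires the Microsoft.Graph module):
#   Connect-MgGraph -Scopes 'Domain.ReadWrite.All'
#   Test-PasswordExpiryCompliance -Domains (Get-MgDomain) -Action Enforce -Remediate {
#       param($id) Update-MgDomain -DomainId $id -PasswordValidityPeriodInDays $NeverExpire
#   }
```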