Wednesday, 7 August 2013

Office 365 Password Policy

Office 365 supports two types of identity:

1. Microsoft Online Services cloud IDs: users have cloud credentials that are used to sign in to Office 365 services. These credentials are separate from any desktop or corporate credentials. Office 365 issues these identities and hence also authenticates the users. In this case the password policy is stored in the cloud with the Office 365 service.
2. Federated IDs: users sign in to Office 365 services with their corporate AD credentials. In this case the user's corporate AD authenticates the user, and the password policy is controlled and stored in the on-premises AD.

This article describes the password policies and options for Microsoft Online Services cloud IDs.

Password policy

Password restrictions

8 characters minimum and 16 characters maximum.

Values allowed:

·         A-Z

·         a-z

·         0-9

·         ! @ # $ % ^ & * - _ + = [ ] { } | \ : ' , . ? / ` ~ " < > ( ) ;

·         No UNICODE

Cannot contain the username alias (the part before the @ symbol).

Password expiry duration

This is set to 90 days and is not configurable.

Password expiry

By default password expiry is enabled. If enabled, users are forced to change their passwords after 90 days. Users do not currently receive any form of password expiry notification.

At GA, administrators will be able to enable/disable this setting through the PowerShell Client (Microsoft Online Services Module for Windows PowerShell), at the user level.

Password strength

Strong passwords require 3 out of 4 of the following:

·         Lowercase characters

·         Uppercase characters

·         Numbers (0-9)

·         Symbols (see password restrictions above)

Strong passwords will be required in BPOS when the new password policy takes effect.

There is a setting in Office 365 which can remove the strong password requirement, but this setting can only be modified after the customer is transitioned from BPOS to Office 365.

At GA, administrators will be able to enable/disable this setting through the Microsoft Online Services Module, at the user level.
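The restrictions and strength rules above (8 to 16 characters, the allowed character set, no username alias, and 3 of 4 character classes when strong passwords are required) can be checked before a password ever reaches the service. The validator below is an added example written for this post; it is not Microsoft code and not part of the original article. The symbol list is copied from the restrictions section; the case-insensitive alias comparison is an assumption, since the article does not say whether the alias check ignores case.

```python
import string

# Policy values as stated in the article for Microsoft Online Services cloud IDs.
MIN_LEN = 8
MAX_LEN = 16
# Exactly the symbols listed under "Password restrictions".
ALLOWED_SYMBOLS = set("!@#$%^&*-_+=[]{}|\\:',.?/`~\"<>();")
# No Unicode: only ASCII letters, digits and the listed symbols are accepted.
ALLOWED_CHARS = set(string.ascii_letters) | set(string.digits) | ALLOWED_SYMBOLS


def character_classes(password):
    """Count how many of the four classes (lower, upper, digit, symbol) appear."""
    classes = 0
    if any(c in string.ascii_lowercase for c in password):
        classes += 1
    if any(c in string.ascii_uppercase for c in password):
        classes += 1
    if any(c in string.digits for c in password):
        classes += 1
    if any(c in ALLOWED_SYMBOLS for c in password):
        classes += 1
    return classes


def check_password(password, upn, strong_required=True):
    """Return the list of policy violations; an empty list means the password is acceptable.

    upn is the sign-in name (e.g. alice@contoso.com); the alias is the part before '@'.
    strong_required=False models the Office 365 setting that removes the
    3-of-4 character class requirement.
    """
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    bad = sorted(set(password) - ALLOWED_CHARS)
    if bad:
        problems.append("disallowed characters: " + ", ".join(repr(c) for c in bad))
    alias = upn.split("@", 1)[0]
    # Assumption: the alias check is case-insensitive (stricter than a literal match).
    if alias and alias.lower() in password.lower():
        problems.append("contains the username alias " + alias)
    if strong_required and character_classes(password) < 3:
        problems.append("strong password needs 3 of 4 character classes")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs, not real accounts.
    for pw, upn in [("Tr0ub4dor&3", "alice@contoso.com"),
                    ("alice2013!", "alice@contoso.com"),
                    ("password", "bob@contoso.com"),
                    ("Pässword1", "bob@contoso.com")]:
        print(pw, "->", check_password(pw, upn) or "OK")
```

The function returns every violated rule rather than stopping at the first, which is what an admin-facing pre-check or a self-service reset page needs in order to explain a rejection. Set strong_required=False only for tenants where the strong-password setting described above has actually been turned off.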

Password history

The last password cannot be used again.

Password history duration


Account lockout

After 10 unsuccessful logon attempts (wrong password), the user will need to solve a CAPTCHA dialog as part of logon.

After a further 10 unsuccessful logon attempts (wrong password) with the CAPTCHA dialog solved correctly, the user will be locked out for a period of time. Further incorrect passwords will result in an exponential increase in the lockout period.
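The lockout behaviour just described (CAPTCHA after 10 failures, lockout after a further 10, and a lockout period that grows exponentially with each additional wrong password) is easiest to reason about as a small state machine. The simulation below is an added example written for this post, not Microsoft's implementation. The thresholds come from the article; the initial lockout period of 60 seconds, doubling on each further wrong password, and the reset of all counters on a successful logon are assumptions, because the article gives no initial period or reset rule.

```python
from dataclasses import dataclass

CAPTCHA_AFTER = 10          # article: CAPTCHA required after 10 wrong passwords
LOCKOUT_AFTER = 20          # article: lockout after a further 10 (CAPTCHA solved)
BASE_LOCKOUT_SECONDS = 60   # assumption: the article does not state the initial period


@dataclass
class LogonState:
    """Per-account counters a service would keep to enforce the policy."""
    failures: int = 0        # consecutive wrong passwords
    lockouts: int = 0        # lockouts issued so far; drives the exponential growth
    locked_until: float = 0  # absolute time at which the current lockout ends


def record_attempt(state, password_ok, captcha_ok, now):
    """Apply one logon attempt at time `now` and return its outcome.

    Outcomes: 'ok', 'wrong_password', 'captcha_required', 'locked_out'.
    """
    if now < state.locked_until:
        return "locked_out"
    # Once the CAPTCHA threshold is reached, every attempt needs a solved CAPTCHA.
    if state.failures >= CAPTCHA_AFTER and not captcha_ok:
        return "captcha_required"
    if password_ok:
        # Assumption: a successful logon clears both counters.
        state.failures = 0
        state.lockouts = 0
        return "ok"
    state.failures += 1
    if state.failures >= LOCKOUT_AFTER:
        # Assumption: each lockout doubles the previous period (60s, 120s, 240s, ...).
        duration = BASE_LOCKOUT_SECONDS * 2 ** state.lockouts
        state.locked_until = now + duration
        state.lockouts += 1
        return "locked_out"
    return "wrong_password"


def simulate(attempts):
    """Run a list of (password_ok, captcha_ok, now) tuples; return outcomes and final state."""
    state = LogonState()
    outcomes = [record_attempt(state, ok, captcha, t) for ok, captcha, t in attempts]
    return outcomes, state


if __name__ == "__main__":
    # Constructed sequence: 10 wrong passwords, one attempt without a CAPTCHA,
    # then 10 more wrong passwords with the CAPTCHA solved.
    attempts = [(False, False, t) for t in range(10)]
    attempts.append((False, False, 10))
    attempts += [(False, True, t) for t in range(11, 21)]
    outcomes, state = simulate(attempts)
    for i, o in enumerate(outcomes):
        print(i + 1, o)
    print("locked until", state.locked_until)
```

From a monitoring point of view, a burst of captcha_required followed by locked_out outcomes across many accounts is the signal to alert on; the doubling period is what keeps a slow, persistent stream of wrong passwords from being cheap.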
