How can we improve Azure Active Directory?

← Azure Active Directory

Allow Long Passwords

the current max password is 16 chars, please make it larger

https://www.troyhunt.com/passwords-evolved-authentication-guidance-for-the-modern-era/

Longer is (Usually) Stronger section

source of current max length: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-policy

510 votes

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close

We’ll send you updates on this idea

Mike DePouw shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

67 comments

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • Anthony Fetfatsidis commented  ·   ·  Flag as inappropriate

    We are in 2020 and still no way of setting minimum password complexity. This thread has been marked complete so it does nothing posting here. All should also vote here:
    https://office365.uservoice.com/forums/289138-office-365-security-compliance/suggestions/31759768-more-than-8-character-minimum-password-requirement
    Unless you can find one with already more votes.

  • Neman Syed commented  ·   ·  Flag as inappropriate

    Today (2019-12-01) I set up a guest user. During the login/setup, I'm told my 17 character password (upper, lower, numbers, "special", no spaces) is too long.

    Why isn't this automatically updated as per the announcement*? Do I need to manually change some policies in my Azure AD? (I'm completely new to this admin stuff, so please forgive me if the question is basic.)

    *https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Removal-of-the-16-character-limit-for-passwords-in-Azure-AD/bc-p/1041341

  • Adam Lloyd commented  ·   ·  Flag as inappropriate

    Can you work on allowing customisation of AAD password complexity / policy?

    Kinda pointless allowing for extra character length (8-256) if we cannot customise our complexity requirements that appear on the likes of SSPR splash screens and such :/ so that it falls in line with our on-prem policy. (i.e a greater minimum than 8 characters)

  • Kristian commented  ·   ·  Flag as inappropriate

    Seems changing password from Office365 (instead of admin panel) won’t let you use spaces and only 255 letters.

  • Anonymous commented  ·   ·  Flag as inappropriate

    Is this Azure AD change also on GCC High tenants? Or is this change only for commercial?

  • Katy commented  ·   ·  Flag as inappropriate

    Ironic thing is this feedback system lets you have stronger passwords than an Office 365 Tenancy Global Admin account can have! 2 years on from the original post and we're still stuck on 16 characters?

  • Olav Rønnestad Birkeland commented  ·   ·  Flag as inappropriate

    I've found a workarround that allows password up to 60 character, which is the longest I've tested so far. Just set password with the AzureAD module, and specify that user must change password at next login. At that next login you can set passwords longer than the default max of 16 characters.

    Set-AzureADUserPassword with -ForceChangePasswordNextLogin.

    This is peobably a bug/ design flaw, but it works for setting longer passwords. Perfect for service account and similar where you can't use MFA.

  • Mike Mason commented  ·   ·  Flag as inappropriate

    Echoing Viktor's request. Any progress yet? Microsoft is putting out these new password guidelines, and nobody can even begin to implement this with this crazy never-should-have-been-a-thing restriction. This should be a very high priority for MS before things like UI improvements.

  • Magruder Administrator commented  ·   ·  Flag as inappropriate

    Per NIST guidelines, increase the password length. Up to 64 characters would be optimal.

    SP 800-63 Digital Identity Guidelines
    https://doi.org/10.6028/NIST.SP.800-63-3

    SP 800-63A Enrollment and Identity Proofing
    https://doi.org/10.6028/NIST.SP.800-63a

    SP 800-63B Authentication and Lifecycle Management
    https://doi.org/10.6028/NIST.SP.800-63b

    SP 800-63C Federation and Assertions
    https://doi.org/10.6028/NIST.SP.800-63c

  • Anonymous commented  ·   ·  Flag as inappropriate

    Here's another comment on the ridiculousness of the password complexity limitations in Azure AD.

  • Anonymous commented  ·   ·  Flag as inappropriate

    How is Microsoft planning on the move to Azure AD if it still requires an on-prem AD just to have proper password policies..... Not to mention I have no power over Local passwords with Azure AD, even with the use of Intune.

  • Tao commented  ·   ·  Flag as inappropriate

    Let us use our own passwords.. I have three, well had three passwords i used sense 1999.. Random letters and numbers i memorized.. Now i am not allowed to alternate my password and now have to save them in my phone.. Now its super insecure. I conplained to Microsoft directly to be told use finger print.. Oh thays even easier to get someones finger print, how about log into person account with a picture fron there account.. Why is everyone makimg it easier for people to hack into your account, just because you say its better, dont mean it is... Up until last two years had no issues, now i have issues all the time with my account.. Let me be in control of my account, let me have my own personal password i dont have to save in phone or write down.. I bet i could call anyone in Microsoft say my password and none of them would still not get it right.. My new password well is easy to fivure out and guessing i willl have to switch to another company because I lost my mac (iphones over password) lost my Google account and now i will be losijg my Microsoft account, guess i will be joining the Chinese internet or Russian apps because American companies have no clue how to keep our accounts safe, only makong it easier to hack by making us change passwords every 6 months and forcing us to save in new floders with all our account passwords.. Guess its easier for them to track us and get all our info including access to our accounts /sell access to other companies or whoever...

  • Anonymous commented  ·   ·  Flag as inappropriate

    I really hope you will also allow customers to getting rid of the mandatory requirement of using 3 out of the 4 character sets. That policy is so 90s and just leads to users creating stupid passwords like Password123 while it doesn't allow using secure ones like bluegoatdollechopox

  • Daniel commented  ·   ·  Flag as inappropriate

    We do not have on prem AD. Please correct this horrendous error in judgement on Microsoft's part and allow our users to better protect themselves. From: https://docs.microsoft.com/en-us/office365/enterprise/protect-your-global-administrator-accounts - "You own your data and identities and the responsibility for protecting them, the security of your on-premises resources, and the security of cloud components you control." No Microsoft, apparently I cannot control the security. Even Global Admins are restricted to 16 characters.

  • Rob Wilderman commented  ·   ·  Flag as inappropriate

    I am encouraging everyone to do as I plan on doing and complain about this issue weekly to 365 Support until it gets resolved. This text does not cause enough pain on this issue. We need to start being a really really squeaky wheel. If we all open a ticket weekly, then it is cutting into MS bottom line, and they will need to listen.

← Previous 1 3 4

Azure Active Directory: Authentication

Categories

Feedback and Knowledge Base

(thinking…)
Hosted by UserVoice