Customizable Password Policy and Account Locking Features
- Configurable password requirements (e.g., complex passwords, password length, character limitations etc)
- Configurable number of attempts before Account is locked

Hey folks, thanks for the interest in this, and we have some good news to share. Configurable lockout is in development now (mostly done, actually) and we’re aiming for June or July public preview.
For configurable password complexity, length, etc, we hear you. Longer passwords are in planning now, and we’re thinking about our approach to how we want to enable the other configurability features. I don’t have any more details to share on this for now, but we do have interest in building features.
8 comments
-
Christian Barnes commented
This is an absolute must- especially for THE cloud identity provider!
Microsoft- it's great you've listened and reviewed this but it's now 2 yrs later and still no update?
Please expedite both admin configurable complexity requirements and configurable lockout options as requested above.Thanks.
-
Farhad commented
Please update us. We need this feature!
-
Mike commented
Where is this at? The last comment was nearly a year ago that work was underway with and estimated delivery of last July.
-
jimmy commented
How is it going with strong password policies? When can we configure. Password length, complexity, lookout? Your recommendation is to have two cloud global admin outside sync to ensure access to office 365. We want to make sure these accounts are enforced for strong passwords.
It would also be great if you could skip 16 letter limits so we can make service accounts more secure in a cloud environment.
-
Anonymous commented
I wholeheartedly approve of Microsoft new guidance on not requiring users to change their passwords at regular intervals as this tends to weaken the types of passwords a user choose.
However, the maximum length of 16 characters for AzureAD account passwords is really not sufficient to allow users to set good passwords based on combining random words.
Given this limitation is not present in on-prem AD, I presume there is some compatibility issue with legacy products that prevents it being allowed in AzureAD?
I would rather than the option of enabling it with caveat that some applications won't work (if they are listed) than restrict my users to weak passwords.
-
Gururaj Pandurangi commented
Is this feature now being planned?
Please advise on the availability of this. Looks like its been ~2yrs for this request -
Erwen commented
We'd also like to manage password policy for Azure AD. This is mainly to restrict admin access to the Azure portal.
-
Adam Steenwyk commented
Hey Andy,
Thank you for the request - we are taking this under consideration. Can you send me a note offline at asteen@microsoft.com with a bit more details about your specific requirements here?
Thank you,
Adam.