Password strength

  • Passwords used must meet the Azure AD password policy, which is described here: active-directory-passwords-policy.

    The following table describes the available password policy settings that can be applied to user accounts that are created and managed in Azure AD:

    Property
    Requirements
    Characters allowed

    A – Z

    a - z

    0 – 9

    @ # $ % ^ & * - _ ! + = [ ] { } | \ : ‘ , . ? / ` ~ “ ( ) ;

    Characters not allowed

    Unicode characters.

    Spaces.

    Strong passwords only: Can't contain a dot character "." immediately preceding the "@" symbol.

    Password restrictions

    A minimum of 8 characters and a maximum of 16 characters.

    Strong passwords only: Requires three out of four of the following:

    Lowercase characters.Uppercase characters.

    Numbers (0-9).

    Symbols (see the previous password restrictions).
    Password expiry durationDefault value: 90 days.
    Password change historyThe last password can't be used again when the user changes a password.
    Password reset historyThe last password can be used again when the user resets a forgotten password.
    Account lockoutAfter 10 unsuccessful sign-in attempts with the wrong password, the user is locked out for one minute. Further incorrect sign-in attempts lock out the user for increasing durations of time.

Feedback and Knowledge Base