Control: 1.5 Ensure that Office 365 Passwords Are Not Set to Expire

Description

Review the password expiration policy, to ensure that user passwords in Office 365 are not set to expire.

NIST has updated their password policy recommendations to not arbitrarily require users to change their passwords after a specific amount of time, unless there is evidence that the password is compromised or the user forgot it. They suggest this even for single factor (Password Only) use cases, with a reasoning that forcing arbitrary password changes on users actually make the passwords less secure. Other recommendations within this Benchmark suggest the use of MFA authentication for at least critical accounts (at minimum), which makes password expiration even less useful as well as password protection for Azure AD.

Remediation

To set Office 365 Passwords to Expire, use the Microsoft 365 Admin Center:

1. Expand Settings then select the Org Settings subcategory.
2. Click on Security & privacy.
3. Select Password expiration policy.
4. If the Set user passwords to expire after a number of days box is checked, uncheck it.
5. Click Save.

To set Office 365 Passwords Are Not Set to Expire, use the Microsoft Online PowerShell Module:

1. Connect to Microsoft Online service using Connect-MSOLService.
2. Run the following Microsoft Online PowerShell command:

 Set-MsolPasswordPolicy -ValidityPeriod 2147483647 -DomainName <DomainName> - NotificationDays 30