Control: 1.5 Ensure that Office 365 Passwords Are Not Set to Expire
Description
Review the password expiration policy, to ensure that user passwords in Office 365 are not set to expire.
NIST has updated their password policy recommendations to not arbitrarily require users to change their passwords after a specific amount of time, unless there is evidence that the password is compromised or the user forgot it. They suggest this even for single factor (Password Only) use cases, with a reasoning that forcing arbitrary password changes on users actually make the passwords less secure. Other recommendations within this Benchmark suggest the use of MFA authentication for at least critical accounts (at minimum), which makes password expiration even less useful as well as password protection for Azure AD.
Remediation
To set Office 365 Passwords to Expire, use the Microsoft 365 Admin Center:
- Expand
Settingsthen select theOrg Settingssubcategory. - Click on
Security & privacy. - Select
Password expiration policy. - If the
Set user passwords to expire after a number of daysbox is checked, uncheck it. - Click
Save.
To set Office 365 Passwords Are Not Set to Expire, use the Microsoft Online PowerShell Module:
- Connect to Microsoft Online service using
Connect-MSOLService. - Run the following Microsoft Online PowerShell command:
Set-MsolPasswordPolicy -ValidityPeriod 2147483647 -DomainName <DomainName> - NotificationDays 30
Usage
Run the control in your terminal:
powerpipe control run microsoft365_compliance.control.cis_v140_1_5Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run microsoft365_compliance.control.cis_v140_1_5 --shareSQL
This control uses a named query:
select id as resource, case when user_type !='Member' then 'skip' when password_policies like '%DisablePasswordExpiration%' then 'ok' else 'alarm' end as status, case when user_type !='Member' then display_name || ' is ' || user_type || ' user.' when password_policies like '%DisablePasswordExpiration%' then display_name || ' has password expiration disabled.' else display_name || ' has password expiration enabled.' end as reason , tenant_id as tenant_idfrom azuread_user;