Control: 1.3.1 Ensure the 'Password expiration policy' is set to 'Set passwords to never expire'
Description
Microsoft cloud-only accounts have a pre-defined password policy that cannot be changed. The only items that can be changed are the number of days until a password expires and whether passwords expire at all.
Organizations such as NIST and Microsoft have updated their password policy recommendations to not arbitrarily require users to change their passwords after a specific amount of time, unless there is evidence that the password is compromised or the user forgot it. They suggest this even for single-factor (password only) use cases, reasoning that forcing arbitrary password changes on users actually makes the passwords less secure. Other recommendations within this Benchmark suggest the use of MFA for at least critical accounts (at minimum), as well as password protection for Entra ID, which makes password expiration even less useful.
Remediation
To remediate using the UI:
- Navigate to Microsoft 365 admin center https://admin.microsoft.com.
- Click to expand Settings, then select Org Settings.
- Click on Security & privacy.
- Check the Set passwords to never expire (recommended) box.
- Click Save.
To remediate using PowerShell:
- Connect to the Microsoft Graph service using Connect-MgGraph -Scopes "Domain.ReadWrite.All".
- Run the following Microsoft Graph PowerShell command:
Update-MgDomain -DomainId <Domain> -PasswordValidityPeriodInDays 2147483647
Default Value
If the property is not set, a default value of 90 days will be used.
Usage
Run the control in your terminal:
powerpipe control run microsoft365_compliance.control.cis_v500_1_3_1
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v500_1_3_1 --share
SQL
This control uses a named query:
select
  id as resource,
  case
    when user_type != 'Member' then 'skip'
    when password_policies like '%DisablePasswordExpiration%' then 'ok'
    else 'alarm'
  end as status,
  case
    when user_type != 'Member' then display_name || ' is ' || user_type || ' user.'
    when password_policies like '%DisablePasswordExpiration%' then display_name || ' has password expiration disabled.'
    else display_name || ' has password expiration enabled.'
  end as reason,
  tenant_id as tenant_id
from
  azuread_user;
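The same decision logic carried out in Python over constructed sample records, as an added example that is not part of the mod or the Benchmark: it covers both the per-user passwordPolicies flag the query inspects and the domain-level passwordValidityPeriodInDays value the PowerShell remediation sets, so a reader can see that the two are checked at different scopes. The Graph field names are real; the sample users, domain and values are assumptions made up for the example.

```python
NEVER_EXPIRE_DAYS = 2147483647  # value the PowerShell remediation sets

# Constructed sample records shaped like the fields the control reads;
# not real tenant data.
SAMPLE_USERS = [
    {"id": "u1", "displayName": "Alice", "userType": "Member",
     "passwordPolicies": "DisablePasswordExpiration"},
    {"id": "u2", "displayName": "Bob", "userType": "Member",
     "passwordPolicies": None},
    {"id": "u3", "displayName": "Carol (vendor)", "userType": "Guest",
     "passwordPolicies": None},
    {"id": "u4", "displayName": "Dave", "userType": "Member",
     "passwordPolicies": "DisableStrongPassword, DisablePasswordExpiration"},
]
SAMPLE_DOMAINS = [
    {"id": "contoso.example", "passwordValidityPeriodInDays": 90},
]

def policies(user):
    """Split Graph's comma-separated passwordPolicies string into a set."""
    raw = user.get("passwordPolicies") or ""
    return {p.strip() for p in raw.split(",") if p.strip()}

def evaluate_user(user):
    """Same decision the control's SQL makes: skip non-members,
    ok when expiration is disabled for the user, alarm otherwise."""
    name = user["displayName"]
    if user["userType"] != "Member":
        return "skip", f"{name} is {user['userType']} user."
    if "DisablePasswordExpiration" in policies(user):
        return "ok", f"{name} has password expiration disabled."
    return "alarm", f"{name} has password expiration enabled."

def evaluate_domain(domain):
    """Check the domain-level setting the remediation changes."""
    days = domain.get("passwordValidityPeriodInDays")
    if days is None:
        days = 90  # default used when the property is not set
    return ("ok" if days == NEVER_EXPIRE_DAYS else "alarm"), days

def run(users=SAMPLE_USERS, domains=SAMPLE_DOMAINS):
    """Evaluate every user and domain; returns {scope: {id: (status, detail)}}."""
    return {
        "users": {u["id"]: evaluate_user(u) for u in users},
        "domains": {d["id"]: evaluate_domain(d) for d in domains},
    }

if __name__ == "__main__":
    for scope, results in run().items():
        for key, result in results.items():
            print(scope, key, *result)
```

In the sample data the domain still sits at the 90-day default while two users carry the per-user flag, which is the situation the per-user query reports as ok and the domain check reports as alarm.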