Pro-Exchange,Lync & Office 365
Belgian Microsoft Unified Communications Professionals
Microsoft Exchange Server, Microsoft Lync Server & Office 365
Office 365 & Password Policies

One of the many nice things about Office 365 is that you can easily modify the password policy for your users. However, easily…?

First, to understand which password policy comes into play, we must look at the different types of identity that are supported:

  1. Microsoft Online Service Cloud IDs: users have credentials stored in Office 365. These credentials, used to access Office 365 services, are different from the ones used to access resources on your computer or in your network. In this case the Office 365 Password Policy is in place.
  2. Federated IDs: these IDs leverage an on-premises Active Directory as an identity store and for authentication (through ADFS). Your on-premises Active Directory password policy is in place.


The default Office 365 Password Policy looks like this:

Password Restrictions: 8 characters minimum and 16 characters maximum

The following values are allowed:
  • A-Z
  • a-z
  • 0-9
  • ! @ # $ % ^ & * - _ + = [ ] { } | \ : ' , . ? / ` ~ " < > ( ) ;
  • No UNICODE

Cannot contain the username alias (part before @ symbol)

Password Expiry Duration: 90 days, enabled by default

Password Complexity: Enabled by default and requires 3 out of 4 of the following:
  • Lowercase characters
  • Uppercase characters
  • Numbers (0-9)
  • Symbols

Account Lockout: After 10 unsuccessful logon attempts (wrong password), the user will need to solve a CAPTCHA dialog as part of logon.

After a further 10 unsuccessful logon attempts (wrong password) and correct solving of the CAPTCHA dialog, the user will be locked out for a time period. Further incorrect passwords will result in an exponential increase in the lockout time period.

In an on-premises Active Directory environment, we can fully customize the password policy and define the minimum password length, password ages, lockout duration, etc. The modifications that you can make to the password policy in Office 365 are rather limited:

  • Enable/disable password complexity
  • Enable/disable password expiry

You cannot edit the complexity requirements (e.g. lower the number of characters required), nor can you make any changes to the account lockout duration.

How to change the password policy?

The password policy can only be changed through PowerShell and on a per-user basis.

First, open PowerShell and import the Online Services Module for Office 365:

image

Now, connect to Office 365 using the Connect-MsolService cmdlet. Use administrator credentials to log in:

image

Since we need to modify the password policy on a per-user basis, we will be using the Set-MsolUser cmdlet. The parameters to configure are:

  • PasswordNeverExpires ($true/$false)
  • StrongPasswordRequired ($true/$false)

Running the following cmdlet will disable the need for a strong password and set it to never expire:

image

To undo these changes, run the following cmdlet:

image
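
The steps above as one script, added here as an example and not taken from the original post's screenshots. It goes one step beyond the post by including an audit function that lists every user whose policy has been relaxed. The function names and the UPN alice@contoso.example are constructed placeholders; the cmdlets and parameters are those of the MSOnline module.

```powershell
# Added example, not the original post's code.
# Requires the Online Services (MSOnline) module and an Office 365 administrator account.
Import-Module MSOnline
Connect-MsolService          # prompts for administrator credentials

# Hypothetical helper: disable complexity and expiry for one cloud ID.
function Set-RelaxedPasswordPolicy {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    Set-MsolUser -UserPrincipalName $UserPrincipalName `
                 -PasswordNeverExpires $true `
                 -StrongPasswordRequired $false
}

# Hypothetical helper: undo the change and return the user to the default policy.
function Restore-DefaultPasswordPolicy {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    Set-MsolUser -UserPrincipalName $UserPrincipalName `
                 -PasswordNeverExpires $false `
                 -StrongPasswordRequired $true
}

# Hypothetical helper: report every user that deviates from the default policy.
# Because the policy is set per user, exceptions accumulate silently unless they
# are reviewed. Users whose properties are unset ($null) keep the default and
# are not reported.
function Get-RelaxedPasswordPolicyUser {
    Get-MsolUser -All |
        Where-Object {
            $_.PasswordNeverExpires -eq $true -or
            $_.StrongPasswordRequired -eq $false
        } |
        Select-Object UserPrincipalName, PasswordNeverExpires, StrongPasswordRequired |
        Sort-Object UserPrincipalName
}

$upn = 'alice@contoso.example'   # constructed placeholder account

# Show the current values before changing anything.
Get-MsolUser -UserPrincipalName $upn |
    Select-Object UserPrincipalName, PasswordNeverExpires, StrongPasswordRequired

Set-RelaxedPasswordPolicy -UserPrincipalName $upn      # relax the policy
Get-RelaxedPasswordPolicyUser                          # the user now appears here
Restore-DefaultPasswordPolicy -UserPrincipalName $upn  # revert to the default
```

Running the audit function on a schedule and comparing its output against an approved exception list shows which accounts, typically service accounts, have been exempted from expiry or complexity.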


Posted 12-14-2011 10:33 by Michael Van Horenbeeck