How to set up a secure password policy in Microsoft 365
Posted on March 6, 2024 by Louise Howland
You’ve probably been told that you should have a strong password policy to prevent cybersecurity breaches and that having these security measures in place is an absolute necessity. But let’s be real, we know that most of your employees don’t always follow password rules and policies when they haven’t been technologically enforced.
Having a strong password is a central pillar of good cybersecurity practice. However, as a Microsoft 365 administrator, knowing what to implement as your password policy and how to apply it is a different matter.
So, let’s begin by looking at what your password policy should (and shouldn’t) include before we go through the process of setting one up as a global admin.
What should your password policy include?
An ideal password policy should include the following:
1. A minimum character count
The fewer the characters in a password, the easier it is to guess, and the more susceptible it is to a brute force attack that uses trial and error to crack passwords, login details, and encryption keys. You don’t need to set a 14-character minimum for every password, but it’s good to set a lower limit of characters for your company employees.
Microsoft recommends passwords of at least 12 characters, but 14 characters or more is better.
2. A ban on common passwords
Microsoft already has a list of passwords that are banned by default, but offers you, or your IT support company, the option to add additional words to a custom list. These can include your company name, and abbreviations of local place names, industry terms, or even in-jokes at the office.
These common passwords can be easily guessed by hackers, so banning them is a very good idea as it protects your company from the risk of a cyberattack, data breach, phishing scam, and other cybercrimes.
3. Multi-factor authentication (2FA and MFA)
Multi-factor authentication, sometimes referred to as two-factor authentication, is the act of using another step or level of security to approve logins. Within Microsoft, you have many options, such as sending a text or an email, or using the Microsoft Authenticator app. Enforcing MFA is a much more secure way to approach passwords and encourages ownership of cybersecurity.
What shouldn’t be in your password policy?
While the above three examples are all fantastic things to have, we, and Microsoft, also have some important suggestions for what you shouldn’t include in your password policy.
1. Password expirations
This may sound counter-intuitive, but it’s been proven by America’s Federal Trade Commission (FTC) that these do more harm than good. In the FTC’s article, Lorrie Cranor, Chief Technologist at the FTC, goes on to say, “There is a lot of evidence to suggest that users who are required to change their passwords frequently select weaker passwords to begin with, and then change them in predictable ways that attackers can guess easily.”
For example, if you have a password that is water12, someone may make the next change water13, then water14 and so on. Expirations make it easier for a hacker to figure out the pattern and continually breach your system.
2. Using complex character requirements
Again, you may think that the more character requirements you have, the more secure a password will be. Microsoft states that forcing your users to choose a combination of uppercase letters, lowercase letters, digits and special characters has a negative effect, as common replacements such as $ for S or @ for A are easy for hackers to guess.
How to create a password policy in Microsoft 365
Creating a password policy in Microsoft 365 isn’t as simple as pressing a button, and there are many important steps to follow. We’ve broken down the core parts here, but if you want a professional’s help, please get in touch.
How to enforce MFA in Microsoft 365
To enforce MFA in Microsoft 365, you need to be a global admin. Then you need to:
- Go to the Microsoft 365 Admin Center at https://admin.microsoft.com
- Select Show All, then choose the Microsoft Entra Admin Center.
- Select Microsoft Entra ID, then Properties, and then Manage Security defaults.
- Under Enable Security defaults, select ‘Yes’ and then ‘Save’.
How to add custom banned passwords in Microsoft 365
Adding custom banned passwords in Microsoft 365 isn’t overly simple, but before you begin, you’ll need to be a global admin, and have the list of banned passwords ready, with each banned word on a separate line.
- Sign in to the Microsoft Entra Admin Center as at least an Authentication Policy Administrator.
- Browse to Protection > Authentication methods, then Password protection.
- Set the option for Enforce custom list to ‘Yes’.
- Add strings to the custom banned password list, one string per line. The following considerations and limitations apply to the custom banned password list:
  - The custom banned password list can contain up to 1,000 terms.
  - The custom banned password list is case-insensitive.
  - The custom banned password list considers common character substitutions, such as “o” and “0”, or “a” and “@”.
  - The minimum string length is four characters, and the maximum is 16 characters.
- Specify your own custom passwords to ban.
- Modify the custom banned password list under Authentication Methods.
- Leave the option for Enable Password Protection on Windows Server Active Directory to ‘No’.
- To enable the custom banned password list with your entries, select ‘Save’.
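The two portal procedures above (enforcing MFA through security defaults, and loading a custom banned password list) can also be scripted with Microsoft Graph PowerShell. The following is an added example, not code from the original post or from Microsoft; it assumes the Microsoft.Graph and Microsoft.Graph.Beta modules are installed, that the banned terms live one per line in a file named banned.txt, and that the “Password Rule Settings” template and its tab-separated BannedPasswordList value match Microsoft’s current directory-setting schema (verify against the Graph documentation before use).

```powershell
# Added example (not from the original post): enforce security defaults and
# upload a custom banned password list via Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph + Microsoft.Graph.Beta modules installed; the
# signed-in account holds the required admin role; banned.txt holds one term
# per line; the "Password Rule Settings" template name and the tab-separated
# BannedPasswordList value follow Microsoft's directory-setting schema.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Directory.ReadWrite.All"

# --- 1. Enforce MFA by turning on security defaults ---
$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if (-not $defaults.IsEnabled) {
    Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled $true
    Write-Host "Security defaults enabled: users will be asked to register for MFA."
} else {
    Write-Host "Security defaults are already enabled."
}

# --- 2. Custom banned password list ---
$terms = Get-Content .\banned.txt | ForEach-Object { $_.Trim() } | Where-Object { $_ }

# Apply the same limits the portal enforces before submitting: every term is
# 4-16 characters, the list is case-insensitive (so case-only duplicates are
# dropped), and the list holds at most 1,000 terms.
$bad = $terms | Where-Object { $_.Length -lt 4 -or $_.Length -gt 16 }
if ($bad) { throw "Terms outside 4-16 characters: $($bad -join ', ')" }
$terms = @($terms | Sort-Object -Unique)   # Sort-Object compares case-insensitively
if ($terms.Count -gt 1000) { throw "Custom list is limited to 1,000 terms ($($terms.Count) given)." }

$template = Get-MgBetaDirectorySettingTemplate | Where-Object DisplayName -eq "Password Rule Settings"
$setting  = Get-MgBetaDirectorySetting | Where-Object TemplateId -eq $template.Id

$values = @(
    @{ name = "EnableBannedPasswordCheck"; value = "True" }
    @{ name = "BannedPasswordList";        value = ($terms -join "`t") }   # tab-separated
    # Keep enforcement on Windows Server Active Directory off, as the steps above recommend.
    @{ name = "EnableBannedPasswordCheckOnPremises"; value = "False" }
)

if ($setting) {
    Update-MgBetaDirectorySetting -DirectorySettingId $setting.Id -Values $values
} else {
    New-MgBetaDirectorySetting -TemplateId $template.Id -Values $values
}
Write-Host "Submitted $($terms.Count) banned terms; allow several hours for the list to take effect."
```

Security defaults cannot be switched on while Conditional Access policies exist in the tenant, so the first step fails in tenants that already use Conditional Access; enforce MFA through those policies instead.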
It may take several hours for updates to the custom banned password list to be applied so carefully consider when you do it. For instance, running updates in the middle of the day could harm workflow and lead to disruptive downtime, whereas doing this during non-working hours is likely to cause less of a disturbance.
Are you looking for support with creating a secure password policy?
Here at ramsac, we work with companies to create more secure login systems and improve their cybersecurity. We can help your business to improve its password security.