Entra ID user default password expiration policy

Mobu 50 Reputation points Microsoft Vendor
2024-12-27T11:35:48.5733333+00:00

I have a new tenant created this year. I've read Microsoft docs but it seems very unclear about default password expiration policy.

In this M365 doc: https://learn.microsoft.com/en-us/microsoft-365/admin/manage/set-password-expiration-policy?view=o365-worldwide, it says that by default passwords never expire.

But in the below Entra ID doc, it also says by default Password Expiry property is set to false (indicates that passwords have an expiration date).

https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-policy

So which is true??

Microsoft Entra ID

Accepted answer
  1. FrankEscarosBuechsel-MSFT 895 Reputation points Microsoft Employee
    2024-12-27T12:26:24.4566667+00:00

    Hi @Mobu • Thank you for reaching out.

    It looks like you are looking for some clarifications for the password expiry settings.

    I have created a test tenant to illustrate how this works on newer tenants as mentioned in the documentation you are linking to.

    User's image

    You can see that for the Entra ID directory the password validity is indeed essentially set to an unlimited period, meaning passwords do not expire by default.

    This can however be overridden on a per user basis. You can see Update-MgUser for more details on that.

    The explanation as to why there is an expiration setting is from the interaction with Entra Domain Services. It is documented in this Learn Article: What is the password lifetime policy on a managed domain?

    Additionally, the Microsoft Entra password policy for DisablePasswordExpiration is synchronized to a managed domain. When DisablePasswordExpiration is applied to a user in Microsoft Entra ID, the UserAccountControl value for the synchronized user in the managed domain has DONT_EXPIRE_PASSWORD applied.

    For the purposes of a standalone Entra ID configuration, the default is indeed that passwords will not expire if the tenant was created after 2021.

    I hope this clarifies as to what this setting does in combination with other services.




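To check which case applies in a given tenant, the following added example (not part of the original thread or of Microsoft's documentation) reads the domain-level validity period and each user's PasswordPolicies value through the Microsoft Graph PowerShell module. It assumes cloud-only accounts; `Get-ExpiryLabel` is a hypothetical helper, and 2147483647 is the validity value Microsoft's documentation uses for "never expire".

```powershell
# Added example: read-only audit of password expiration in an Entra ID tenant.
# Assumes the Microsoft.Graph PowerShell module and cloud-only accounts.
Connect-MgGraph -Scopes 'Domain.Read.All', 'User.Read.All'

$NeverExpires = 2147483647   # validity value Microsoft documents for "never expire"

function Get-ExpiryLabel {   # hypothetical helper, not a Graph cmdlet
    param($Days)
    if ($null -eq $Days)         { return 'not set' }
    if ($Days -eq $NeverExpires) { return 'never' }
    return "after $Days days"
}

# 1. Directory-level setting: stored on each domain object.
$domainPolicy = @{}
foreach ($d in Get-MgDomain -All) {
    $domainPolicy[$d.Id] = Get-ExpiryLabel $d.PasswordValidityPeriodInDays
}
$domainPolicy.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize

# 2. Per-user setting: PasswordPolicies is not returned unless requested.
$props = 'Id', 'UserPrincipalName', 'PasswordPolicies', 'LastPasswordChangeDateTime'
$report = foreach ($u in Get-MgUser -All -Property $props) {
    $domain   = ($u.UserPrincipalName -split '@')[-1]
    $override = "$($u.PasswordPolicies)" -match 'DisablePasswordExpiration'
    [pscustomobject]@{
        User          = $u.UserPrincipalName
        LastChanged   = $u.LastPasswordChangeDateTime
        UserOverride  = $override
        DomainSetting = $domainPolicy[$domain]
        Effective     = if ($override) { 'never (per-user)' } else { $domainPolicy[$domain] }
    }
}

# Accounts whose password can expire, oldest password first.
$report | Where-Object { $_.Effective -notin 'never', 'never (per-user)' } |
    Sort-Object LastChanged | Format-Table -AutoSize

# Accounts exempted individually while their domain setting does expire passwords.
$report | Where-Object { $_.UserOverride -and $_.DomainSetting -ne 'never' } |
    Format-Table User, LastChanged, DomainSetting -AutoSize
```

The script only reads; a per-user change would go through Update-MgUser, as the accepted answer notes.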