Need to set a minimum 12-character password policy for Entra ID P1 license, where we have cloud-only users. By default, we have a minimum of 8-character password, which does not meet the Organization standard and is considered to be a weak password policy.

Madhusoodhan Gopal 85 Reputation points
2023-11-30T10:30:37.0533333+00:00

Hi,

Our organization has a license with Microsoft Entra ID P1, and all the users inside it are prompted to reset their password with a minimum 8-character password. But as per our security standards, we require users to set passwords with a minimum 12-character password. Please help with how we can set a policy where we can change from the 8-character minimum password to 12-character passwords. Note: We have cloud-only users, and we don't have any on-premises AD or Server.

Microsoft Intune
A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

7 answers

  1. Runtime34 15 Reputation points
    2024-10-07T15:51:49.58+00:00

    Hello Microsoft Employees - I believe you would know that the answer "Not possible to change minimum 8 character passwords in Entra ID/Cloud only environments" is acceptable.

    We're not going to click "Accept Answer" until you provide the ability to customize min password length in Azure. 8 characters isn't even your recommended policy. We're leaving AD On-Prem/Hybrid environments as I write this - so controlling password length is critical.

    To the Community - is our only option leaning on 3rd party SSO/federation vendor solutions? Can they control a user password overwrite from Entra's 8 character policy? Basically block the use at the SSO identity level? Thank you all who will take time to educate. Microsoft - do better than stating the obvious and not providing a solution.

    3 people found this answer helpful.

  2. Storm Søndergaard 15 Reputation points
    2024-11-08T15:14:13.6066667+00:00

    It's absolutely unacceptable that this basic security feature still isn’t available after so many years. The fact that we can’t enforce a minimum password length greater than 8 characters is a serious oversight and a huge compliance risk for organizations. For instance, NIST's SP 800-63B clearly recommends a minimum password length of at least 12 characters, and ISO 27001 also emphasizes robust password management as part of information security controls.

    How can we be expected to trust you with sensitive data when it lacks even the most basic capabilities to meet industry standards? Why is it so difficult to implement a setting that has been a core requirement in many compliance frameworks for years?

    This is not just inconvenient—it's a direct violation of best practices and puts businesses in jeopardy of failing audits and compliance checks. It’s time Microsoft actually listens to its users and prioritizes security instead of constantly pushing back the most basic security policies.

    Fix this now.

    3 people found this answer helpful.

  3. Are 15 Reputation points
    2024-12-13T09:06:53.0966667+00:00

    This needs to happen ASAP. We need to implement a minimum password length well in excess of 8.
    This short of a password hasn't been acceptable since never. Please escalate this.

    3 people found this answer helpful.

  4. JM 1,151 Reputation points
    2023-11-30T10:47:59.2933333+00:00

    It's currently not possible to change the minimum 8-character password policy for users on Cloud Only Entra Environment. Read More about it here: https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-policy#microsoft-entra-password-policies

    Password restrictions: A minimum of 8 characters and a maximum of 256 characters. Requires three out of four of the following types of characters:
    - Lowercase characters
    - Uppercase characters
    - Numbers (0-9)
    - Symbols (see the previous password restrictions)

    Password expiry duration (Maximum password age): Default value: 90 days. If the tenant was created after 2021, it has no default expiration value. You can check the current policy with Get-MsolPasswordPolicy. The value is configurable by using the Set-MsolPasswordPolicy cmdlet from the Azure AD module for PowerShell.

    ---If the response is helpful, please click "Accept Answer" and upvote it.---

    2 people found this answer helpful.

  5. Trent M 5 Reputation points
    2024-11-28T02:44:22.1233333+00:00

    How is "this isn't supported" still an acceptable answer? Given you can set minimum passwords in InTune, I naively assumed the same would be possible in Entra...

    How do we escalate this?

    1 person found this answer helpful.