Share via

The benefits in setting 'Password expiration policy' to 'Set passwords to never expire (recommended)'?

EnterpriseArchitect 5,666 Reputation points
2025-02-06T13:01:28.3566667+00:00

What will be the safeguard or the additional safety control we must deploy when setting the user password never to expired?

Because I have seen multiple recommendations from the below sources advising to set the password to never expired.

CISA: https://www.cisa.gov/sites/default/files/publications/Microsoft%20Azure%20Active%20Directory%20M365%20Minimum%20Viable%20SCB%20Draft%20v0.1.pdf page 14

CIS: https://www.tenable.com/audits/items/CIS_Microsoft_365_v3.1.0_E3_Level_1.audit:74fc512482bab55cb658d77070bf3e7b

NISTSP 800-63B-4, Digital Identity Guidelines: Authentication and Authenticator Management | CSRC

Any sharing and guidance will be greatly appreciated.

Thank you,

Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,873 questions
Windows 10 Security
Windows 10 Security
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
3,001 questions
Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,902 questions
Microsoft Entra
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
23,177 questions
0 comments
Accepted answer
  1. Marcin Policht 35,210 Reputation points MVP
    2025-02-06T13:14:46.48+00:00

    Consider the following compensating controls:

    1. Implement Multi-Factor Authentication (MFA) MFA adds an extra layer of security by requiring something the user has (e.g., a phone or security key) in addition to their password. Enforce MFA for all privileged and standard accounts, preferably using phishing-resistant methods (e.g., FIDO2 keys or certificate-based authentication).

    2. Enforce strong password policies Use a minimum of 14+ characters and enforce a mix of uppercase, lowercase, numbers, and special characters. Block common passwords by implementing a banned password list to prevent easily guessable passwords (e.g., through Entra ID Password Protection). Disable password hints and security questions that can be exploited.

    3. Monitor and detect compromised passwords Use Entra ID Identity Protection to detect when passwords appear in known breaches. Use Microsoft Defender for Identity or UEBA solutions to detect unusual login behavior.

    4. Require Just-in-Time and Least Privilege Access Ensure that administrative accounts operate in separate environments. Use Entra ID PIM to grant temporary admin rights instead of permanent roles.

    5. Implement Passwordless Authentication Move towards passwordless authentication using FIDO2 security keys, Windows Hello for Business, or certificate-based authentication.

    6. Regular Security Reviews & Audit Logging Enable and monitor Entra ID sign-in logs for anomalous activity. Enforce device compliance, known locations, or risk-based access decisions by using Entra ID Conditional Access

    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin

    1 person found this answer helpful.

2 additional answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Deepanshu katara 13,450 Reputation points MVP
    2025-02-06T13:26:22.71+00:00

    Hello , Welcome to MS Q&A

    Yes , When setting user passwords to never expire in Azure, it's crucial to implement additional safeguards to maintain security. Here are some recommended practices:

    1. Strong Password Policy: Enforce a strong password policy requiring complex passwords with a minimum length and a mix of alphanumeric and special characters.
    2. Self-Service Password Reset (SSPR): Use Microsoft Entra ID's self-service password reset feature to allow secure password management.
    3. Monitor Password Usage: Regularly monitor password usage and the self-service password reset feature for unusual activity.
    4. Password Protection: Implement Microsoft Entra password protection to enforce banned password lists across your infrastructure.
    5. Account Management: Regularly review and manage accounts to disable or remove unnecessary ones and notify users when accounts are no longer needed.
    6. Security Audits: Conduct regular security audits to assess password policy effectiveness and identify vulnerabilities

    Please let us know if any further questions

    Kindly accept if it helps

    Thanks

    Deepanshu

  2. Michael Morten Sonne 595 Reputation points MVP
    2025-02-06T13:44:41.3933333+00:00

    And I can say the same - add more security "on top", as the password itself it not "very" secure.

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.