Password Policies

Configure password complexity, expiration, and protection policies for your Microsoft 365 organization.

Password Settings

Setting	Recommended
Minimum length	14 characters
Complexity	Not required (use length instead)
Expiration	No expiration (with MFA)
Banned passwords	Custom banned password list
Smart lockout	Enabled

Azure AD Password Protection

Global banned password list — Microsoft-maintained common password list
Custom banned password list — Organization-specific terms to block
Smart lockout — Lock accounts after failed attempts from same IP

Self-Service Password Reset

Enabled — Allow users to reset their own passwords
Methods required — Number of verification methods needed
Registration — Require SSPR registration at sign-in

API Reference

GET /api/security/password-policies — Get policies
PUT /api/security/password-policies — Update policies

Last updated on February 13, 2026

Named Locations Risk Detections