How to set up a secure password policy in Microsoft 365


You’ve probably been told that you should have a strong password policy to prevent cybersecurity breaches and that having these security measures in place is an absolute necessity. But let’s be real, we know that most of your employees don’t always follow password rules and policies when they haven’t been technologically enforced.

Having a strong password is a central pillar of good cybersecurity practice. However, as a Microsoft 365 administrator, knowing what to implement as your password policy and how to apply it is a different matter.

So, let’s begin by looking at what your password policy should (and shouldn’t) include before we go through the process of setting one up as a global admin.

What should your password policy include?


An ideal password policy should include the following:

1.   A minimum character count

The fewer characters a password has, the easier it is to guess, and the more exposed it is to a brute-force attack, in which an attacker tries candidate passwords one after another until one works. You don’t need to set a 14-character minimum for every password, but you should set a lower limit on password length for your employees.

Microsoft recommends passwords of at least 12 characters, and 14 characters or more is better.

2.   A ban on common passwords

Microsoft already bans a global list of passwords by default, and also lets you, or your IT support company, add further terms to a custom banned list. These can include your company name, its abbreviations, local place names, industry terms, or even in-jokes from the office.

Such passwords are easy for attackers to guess, so banning them is well worth doing: it lowers your company’s exposure to cyberattacks, data breaches, phishing scams, and other cybercrime.

3.   Multi-factor authentication (2FA and MFA)

Multi-factor authentication (of which two-factor authentication is the most common form) requires an additional step beyond the password to approve a login. Within Microsoft 365 you have several options, such as a code sent by text message or email, or a prompt in the Microsoft Authenticator app. Enforcing MFA makes a guessed or stolen password far less useful on its own and encourages users to take ownership of their own security.

What shouldn’t be in your password policy?


While the above three examples are all fantastic things to have, we, and Microsoft, also have some important suggestions for what you shouldn’t include in your password policy.

1.   Password expirations

This may sound counter-intuitive, but the US Federal Trade Commission (FTC) has shown that forced expirations do more harm than good. In the FTC’s article on the subject, Lorrie Cranor, Chief Technologist at the FTC, says: “There is a lot of evidence to suggest that users who are required to change their passwords frequently select weaker passwords to begin with, and then change them in predictable ways that attackers can guess easily.”

For example, a user whose password is water12 may change it to water13, then water14, and so on. Expirations therefore make it easier for an attacker to spot the pattern and keep getting back into your system.

2.   Using complex character requirements

Again, you might assume that the more character requirements you impose, the more secure a password will be. Microsoft states that forcing users to include a mix of uppercase letters, lowercase letters, digits and special characters actually has a negative effect, because the common substitutions people fall back on, such as $ for S or @ for A, are easy for attackers to guess.

How to create a password policy in Microsoft 365

Creating a password policy in Microsoft 365 isn’t as simple as pressing a button, and there are many important steps to follow. We’ve broken down the core parts here, but if you want a professional’s help, please get in touch.

How to enforce MFA in Microsoft 365

To enforce MFA in Microsoft 365, you need to be a global admin. Then you need to:

  • Go to the Microsoft 365 Admin Center at https://admin.microsoft.com
  • Select Show All, then choose the Microsoft Entra Admin Center.
  • Select Microsoft Entra ID, then Properties, and then Manage Security defaults.
  • Under Enable Security defaults, select ‘Yes’ and then ‘Save’.

How to add custom banned passwords in Microsoft 365

Adding custom banned passwords in Microsoft 365 takes a few steps. Before you begin, you’ll need to be a global admin and have your list of banned passwords ready, with each banned term on its own line.

  1. Sign in to the Microsoft Entra Admin Center as at least an Authentication Policy Administrator.
  2. Browse to Protection > Authentication methods, then Password protection.
  3. Set the option for Enforce custom list to ‘Yes’.
  4. Add strings to the custom banned password list, one string per line. The following considerations and limitations apply to the custom banned password list:
    • The custom banned password list can contain up to 1,000 terms.
    • The custom banned password list is case-insensitive.
    • The custom banned password list considers common character substitutions, such as “o” and “0”, or “a” and “@”.
    • The minimum string length is four characters, and the maximum is 16 characters.
  5. Enter the terms you want to ban.
  6. You can edit the custom banned password list later under Authentication methods.
  7. Leave the option for Enable password protection on Windows Server Active Directory set to ‘No’.
  8. Select ‘Save’ to turn on the custom list and apply your entries.

Updates to the custom banned password list can take several hours to apply, so choose your timing carefully: making the change in the middle of the working day could disrupt staff workflows, whereas doing it outside working hours is likely to cause less disturbance.
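To make the rules above concrete, here is an added example (not Microsoft’s or ramsac’s code) that models, offline, the checks this post describes: the minimum length, a banned list with the stated limits (up to 1,000 terms of 4 to 16 characters), case-insensitive matching that undoes common substitutions such as @ for a, and a check for the predictable “water12 → water13” changes that forced expiration encourages. The substitution table, the sample banned lists and the company and place names are constructed assumptions, and the matching is a simplified approximation of Entra password protection, not its real scoring.

```python
"""Added example (not Microsoft's or ramsac's code): a simplified model of
the password checks described on the page, so a policy can be reasoned
about and tested offline.

Assumptions: the substitution table and substring matching below are an
approximation of the behaviour the page attributes to Entra password
protection (case-insensitive, common substitutions, 4-16 character terms,
at most 1,000 terms); Microsoft's real scoring is more elaborate.
"""
import re

MIN_LENGTH = 12                       # page: at least 12 characters, 14+ is better
MAX_TERMS = 1000                      # page: custom list holds up to 1,000 terms
MIN_TERM_LEN, MAX_TERM_LEN = 4, 16    # page: term length limits

# Common character substitutions the banned list "considers" (assumed table).
SUBSTITUTIONS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})

# Constructed sample of a global banned list plus a tenant's custom terms.
GLOBAL_BANNED = ["password", "qwerty", "letmein"]
CUSTOM_BANNED = ["ramsac", "guildford"]   # company name and a local place name


def normalize(password: str) -> str:
    """Lower-case the password and undo leetspeak substitutions, so that
    'P@$$w0rd' and 'password' compare equal."""
    return password.lower().translate(SUBSTITUTIONS)


def validate_banned_list(terms: list[str]) -> list[str]:
    """Return the reasons a custom list would be rejected (empty list = OK)."""
    errors = []
    if len(terms) > MAX_TERMS:
        errors.append(f"list has {len(terms)} terms; the maximum is {MAX_TERMS}")
    for term in terms:
        if not MIN_TERM_LEN <= len(term) <= MAX_TERM_LEN:
            errors.append(f"'{term}' must be {MIN_TERM_LEN}-{MAX_TERM_LEN} characters long")
    return errors


def check_password(password: str, banned: list[str]) -> list[str]:
    """Return the policy problems with a candidate password (empty list = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    norm = normalize(password)
    for term in banned:
        # Terms match as substrings after both sides are normalised, so
        # 'Guildford2024!' still trips on the custom term 'guildford'.
        if normalize(term) in norm:
            problems.append(f"contains banned term '{term}'")
    return problems


def predictable_successor(old: str, new: str) -> bool:
    """True when 'new' is the kind of change forced expiry tends to produce:
    the same password, a trailing number bumped by one (water12 -> water13),
    exactly one character changed, or one character appended."""
    if old == new:
        return True
    m_old = re.fullmatch(r"(.*?)(\d+)", old)
    m_new = re.fullmatch(r"(.*?)(\d+)", new)
    if m_old and m_new and m_old.group(1) == m_new.group(1):
        if int(m_new.group(2)) == int(m_old.group(2)) + 1:
            return True
    if len(old) == len(new):
        return sum(a != b for a, b in zip(old, new)) == 1
    return len(new) == len(old) + 1 and new.startswith(old)


if __name__ == "__main__":
    print("custom list errors:", validate_banned_list(CUSTOM_BANNED + ["abc"]))
    all_banned = GLOBAL_BANNED + CUSTOM_BANNED
    for candidate in ["P@$$w0rd2024", "Guildford2024!", "correct horse battery staple"]:
        print(f"{candidate!r}: {check_password(candidate, all_banned) or 'accepted'}")
    print("water12 -> water13 predictable:", predictable_successor("water12", "water13"))
```

Running the script shows why the post’s advice hangs together: the “complex” P@$$w0rd2024 meets a 12-character minimum and every character-class rule, yet normalises to the banned word, while a long passphrase with no special characters passes cleanly. The `predictable_successor` check is the kind of comparison a self-service reset tool could run against the previous password if rotation is ever imposed.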

Are you looking for support with creating a secure password policy?

Here at ramsac, we work with companies to create more secure login systems and improve their cybersecurity. We can help your business to improve its password security.
