CIS.M365.1.3.1 - (L1) Ensure the 'Password expiration policy' is set to 'Set passwords to never expire (recommended)'
Overview
1.3.1 (L1) Ensure the 'Password expiration policy' is set to 'Set passwords to never expire (recommended)'
Microsoft cloud-only accounts have a pre-defined password policy that cannot be changed. The only items that can change are the number of days until a password expires and whether or not passwords expire at all.
Rationale
Organizations such as NIST and Microsoft have updated their password policy recommendations to not arbitrarily require users to change their passwords after a specific amount of time, unless there is evidence that the password is compromised, or the user forgot it. They suggest this even for single factor (Password Only) use cases, with a reasoning that forcing arbitrary password changes on users actually make the passwords less secure. Other recommendations within this Benchmark suggest the use of MFA authentication for at least critical accounts (at minimum), which makes password expiration even less useful as well as password protection for Entra ID.
Impact
When setting passwords not to expire it is important to have other controls in place to supplement this setting. See below for related recommendations and user guidance.
- Ban common passwords.
- Educate users to not reuse organization passwords anywhere else.
- Enforce Multi-Factor Authentication registration for all users.
Remediation action:
To set Office 365 passwords are set to never expire:
- Navigate to Microsoft 365 admin center.
- Click to expand Settings select Org Settings.
- Click on Security & privacy.
- Check the Set passwords to never expire (recommended) box.
- Click Save.
PowerShell
- Connect to the Microsoft Graph service using
Connect-MgGraph -Scopes "Domain.ReadWrite.All". - Run the following Microsoft Graph PowerShell command:
Update-MgDomain -DomainId <Domain> -PasswordValidityPeriodInDays 2147483647
Related links
- Microsoft 365 Admin Center
- NIST Special Publication 800-63B
- CIS Password Policy Guide
- Password policy recommendations for Microsoft 365 passwords
- CIS Microsoft 365 Foundations Benchmark v6.0.1 - Page 43
Test Metadata
| Field | Value |
|---|---|
| Test ID | CIS.M365.1.3.1 |
| Severity | High |
| Suite | CIS |
| Category | CIS E3 Level 1 |
| PowerShell test | Test-MtCisPasswordExpiry |
| Tags | CIS, CIS E3, CIS E3 Level 1, CIS M365 v6.0.1, CIS.M365.1.3.1, L1 |
Source
- Pester test:
tests/cis/Test-MtCisPasswordExpiry.Tests.ps1 - PowerShell source:
powershell/public/cis/Test-MtCisPasswordExpiry.ps1