CISA.MS.AAD.6.1 - User passwords SHALL NOT expire.
Overview
User passwords SHALL NOT expire.
The National Institute of Standards and Technology (NIST), OMB, and Microsoft have published guidance indicating mandated periodic password changes make user accounts less secure. For example, OMB-22-09 states, "Password policies must not require use of special characters or regular rotation."
Remediation action:
Configure password policies to set passwords to never expire.
- In Microsoft 365 admin center under Settings and Org settings, select the tab Security & privacy.
- Under Password expiration policy, set Set passwords to never expire.
- Click Save.
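An added PowerShell check for this control that audits the same setting through the Microsoft Graph PowerShell SDK instead of the admin center. It is example code, not Maester's own Test-MtCisaPasswordExpiration, and assumes the Microsoft.Graph module is installed and Connect-MgGraph has already been run with Domain.Read.All (or Domain.ReadWrite.All when -Remediate is used).

```powershell
# Graph stores "never expire" as this sentinel value in passwordValidityPeriodInDays.
$NeverExpire = 2147483647

function Test-DomainPasswordNeverExpires {
    [CmdletBinding()]
    param(
        # When set, verified domains that still expire passwords are updated to never expire.
        [switch]$Remediate
    )

    $results = foreach ($domain in Get-MgDomain -All) {
        # An unset value means the tenant default (90 days) applies, so treat it as expiring.
        $validity  = $domain.PasswordValidityPeriodInDays
        $compliant = ($validity -eq $NeverExpire)

        if (-not $compliant -and $Remediate -and $domain.IsVerified) {
            # Discard the cmdlet's output so only the report objects reach $results.
            $null = Update-MgDomain -DomainId $domain.Id -PasswordValidityPeriodInDays $NeverExpire
            $compliant = $true
        }

        [pscustomobject]@{
            Domain                 = $domain.Id
            PasswordValidityInDays = if ($null -eq $validity) { 'not set (default 90)' } else { $validity }
            NeverExpires           = $compliant
        }
    }

    return $results
}

# Report only; add -Remediate to bring every verified domain into compliance.
$report = Test-DomainPasswordNeverExpires
$report | Format-Table -AutoSize

if ($report | Where-Object { -not $_.NeverExpires }) {
    Write-Warning 'MS.AAD.6.1 not met: at least one domain still has an expiring password policy.'
}
```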
Related links
- Microsoft 365 admin center - Org settings | Password expiration policy
- Configure the Password expiration policy
- CISA Passwords - MS.AAD.6.1v1
- CISA ScubaGear Rego Reference
Test Metadata
| Field | Value |
|---|---|
| Test ID | CISA.MS.AAD.6.1 |
| Severity | High |
| Suite | CISA |
| Category | Entra ID Free |
| PowerShell test | Test-MtCisaPasswordExpiration |
| Tags | CISA, CISA.MS.AAD.6.1, Entra ID Free, MS.AAD, MS.AAD.6.1 |
Source
- Pester test: tests/cisa/entra/Test-MtCisaPasswordExpiration.Tests.ps1
- PowerShell source: powershell/public/cisa/entra/Test-MtCisaPasswordExpiration.ps1