News

Microsoft Expands Azure AD Password Lengths, Adds Conditional Access Controls

• By Kurt Mackie
• 05/16/2019

Microsoft announced a couple of Azure Active Directory enhancements this week regarding password lengths and new conditional access controls for IT pros.

Expanded Password Lengths
Microsoft has pushed out the character limit for Azure AD passwords, per an announcement this week. Previously, the maximum length for Azure AD passwords was 16 characters. Now it's been expanded to 256 characters. Microsoft made the change in response to popular requests, also known as "user voice" requests.

It's even possible to use spaces in Azure AD passwords now, according to Microsoft's announcement. However, Microsoft's documentation is apparently still catching up. It indicated (at press time) that spaces were "not allowed."

Oddly, Microsoft's Azure AD cloud-based identity and authentication service had lagged on the 16-character password-length limit even while Active Directory used by organizations "on premises" didn't have this restriction. It's odd because Microsoft's development efforts typically happen first for its cloud services.

Password Recommendations
The National Institute of Standards and Technology (NIST) suggested in a June 2017 publication (800-63b) that passwords (called "memorized secrets") should be allowed to be as long as "64 characters in length" at minimum. The NIST favors password length as a security practice since "passwords that are too short yield to brute force attacks as well as to dictionary attacks using words and commonly chosen passwords."

To avoid commonly used passwords like "password1" that are easily guessed, the NIST recommends comparing user passwords against a blacklist of banned passwords. Requiring complex passwords is also considered a bad practice by the NIST, since it just increases user frustration without necessarily increasing security. The document also argued against requiring regular periodic password changes. Passwords should only be changed when compromise is suspected, the document suggested.

Microsoft has similar attitudes toward password best practices. Last month, it dropped some requirements, like enforcing periodic password expirations on end users, from its Windows security baseline advice.

Conditional Access Preview
In other Azure AD password news, Microsoft announced on Thursday that it added a preview of the ability to have conditional access checks for Azure AD's combined multifactor authentication and self-service password reset user experience, which Microsoft had previewed back in February.

With the combined multifactor authentication and self-service password reset experience, Microsoft had offered up a user interface that made it easy for end users to register for multifactor authentication (a secondary ID verification process) and the self-service password reset capability, where end users have the power to reset their passwords. However, some organizations had wanted the ability to impose conditional access policies to ensure that attackers weren't having such access rights, too.

Now, with the new conditional access capabilities available at preview, organizations can impose policies on the end user experience. Microsoft's announcement offered the following examples of policy changes that can be imposed:

• Users are on a trusted network.
• Only users with a low sign-in risk can register security information.
• Users can only register on a managed device.
• Users should agree to a terms of use during registration.

The new conditional access capability currently is at the "public preview" stage. When commercially released, it'll be available as part of Microsoft's Azure AD Premium P1 subscriptions.