Microsoft Expands Azure AD Password Lengths, Adds Conditional Access Controls

Microsoft announced a couple of Azure Active Directory enhancements this week regarding password lengths and new conditional access controls for IT pros.

Expanded Password Lengths
Microsoft has pushed out the character limit for Azure AD passwords, per an announcement this week. Previously, the maximum length for Azure AD passwords was 16 characters. Now it's been expanded to 256 characters. Microsoft made the change in response to popular requests, also known as "user voice" requests.

It's even possible to use spaces in Azure AD passwords now, according to Microsoft's announcement. However, Microsoft's documentation is apparently still catching up. It indicated (at press time) that spaces were "not allowed."

Oddly, Microsoft's Azure AD cloud-based identity and authentication service had lagged on the 16-character password-length limit even while Active Directory used by organizations "on premises" didn't have this restriction. It's odd because Microsoft's development efforts typically happen first for its cloud services.

Password Recommendations
The National Institute of Standards and Technology (NIST) suggested in a June 2017 publication (800-63b) that passwords (called "memorized secrets") should be permitted to be at least "64 characters in length." NIST favors password length as a security practice since "passwords that are too short yield to brute force attacks as well as to dictionary attacks using words and commonly chosen passwords."

To avoid commonly used passwords like "password1" that are easily guessed, NIST recommends comparing user passwords against a blacklist of banned passwords. Requiring complex passwords is also considered a bad practice by NIST, since it just increases user frustration without necessarily increasing security. The document also argued against requiring regular periodic password changes. Passwords should only be changed when compromise is suspected, the document suggested.
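The following added example (not from Microsoft or NIST) shows what a password-acceptance check looks like when it follows the guidance above: length rather than complexity rules, a banned-password list, and the new 256-character Azure AD ceiling. The 8-character minimum and the sample banned list are assumptions made for this example.

```python
# Added example: a password-acceptance check in the spirit of the NIST
# SP 800-63B guidance (length over complexity, banned-password comparison)
# combined with the new Azure AD maximum length. MIN_LENGTH and the BANNED
# sample are assumptions for this example, not values from the article.
import unicodedata
from typing import List, Set

MAX_LENGTH = 256          # new Azure AD limit named in the article
MIN_ACCEPTED_LENGTH = 64  # a policy must accept at least this length (NIST)
MIN_LENGTH = 8            # assumed minimum length for user-chosen secrets

# Constructed sample of a banned-password list; a real deployment would load a
# large list derived from known breaches.
BANNED: Set[str] = {"password", "password1", "123456", "qwerty", "letmein"}


def normalize(secret: str) -> str:
    # Unicode normalization so visually identical strings compare equally;
    # spaces are kept, since the article notes Azure AD now allows them.
    return unicodedata.normalize("NFKC", secret)


def check_password(secret: str, banned: Set[str] = BANNED) -> List[str]:
    """Return the reasons a secret is rejected; an empty list means accepted."""
    s = normalize(secret)
    reasons: List[str] = []
    if len(s) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(s) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    # Compare case-insensitively and after stripping trailing digits and
    # punctuation, so 'Password1!' still matches the banned base word.
    folded = s.casefold()
    stripped = folded.rstrip("0123456789!@#$%^&*.")
    if folded in banned or stripped in banned:
        reasons.append("matches the banned-password list")
    # Deliberately no character-class (complexity) rule, per the guidance.
    return reasons


def policy_accepts_long_passphrases() -> bool:
    # Sanity check that the policy meets the 'at least 64 characters' NIST bar.
    return not check_password("a" * MIN_ACCEPTED_LENGTH)
```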

Microsoft has similar attitudes toward password best practices. Last month, it dropped some requirements, like enforcing periodic password expirations on end users, from its Windows security baseline advice.

Conditional Access Preview
In other Azure AD password news, Microsoft announced on Thursday a preview of conditional access checks for Azure AD's combined multifactor authentication and self-service password reset registration experience, which Microsoft had itself previewed back in February.

With the combined multifactor authentication and self-service password reset experience, Microsoft had offered up a user interface that made it easy for end users to register for multifactor authentication (a secondary ID verification process) and the self-service password reset capability, where end users have the power to reset their passwords. However, some organizations had wanted the ability to impose conditional access policies on that registration step, to ensure that attackers could not register security information as well.

Now, with the new conditional access capabilities available in preview, organizations can impose policies on that end user experience. Microsoft's announcement offered the following examples of conditions that can be required before registration:

  • Users are on a trusted network.
  • Only users with a low sign-in risk can register security information.
  • Users can only register on a managed device.
  • Users should agree to a terms of use during registration.

The new conditional access capability currently is at the "public preview" stage. When commercially released, it'll be available as part of Microsoft's Azure AD Premium P1 subscriptions.

About the Author

Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.
