Events
Microsoft 365 Community Conference
6 May, 14 - 9 May, 00
Skill up for the era of AI at the ultimate community-led Microsoft 365 event, May 6-8 in Las Vegas.
Check out all of our small business content on Small business help & learning.
This article is for people who set password expiration policy for a business, school, or nonprofit Microsoft 365 organization.
As the admin, you can make user passwords expire after a certain number of days, or set passwords to never expire. By default, passwords are set to never expire for your organization.
Current research strongly indicates that mandated password changes do more harm than good. They drive users to choose weaker passwords, reuse passwords, or update old passwords in ways that are easily guessed by hackers. We recommend enabling multi-factor authentication. To learn more about password policy, check out Password policy recommendations.
You must be a user administrator to perform these steps.
Tip
If you need help with the steps in this topic, consider working with a Microsoft small business specialist. With Business Assist, you and your employees get around-the-clock access to small business specialists as you grow your business, from onboarding to everyday use.
Follow the steps below if you want to set user passwords to expire after a specific amount of time.
In the Microsoft 365 admin center, go to the Org Settings page.
If you aren't a security admin, you won't see this page.
In the Security and Privacy tab, on the Password expiration policy page, uncheck the box to change the password policy.
Type how often passwords should expire. Choose a number of days from 14 to 730 and select Save.
Important
Password expiration notifications are no longer supported in the Microsoft 365 admin center and Microsoft 365 productivity apps.
People who only use the Outlook app won't be forced to reset their Microsoft 365 password until it expires in the cache. This can be several days after the actual expiration date. There's no workaround for this at the admin level.
If you want to prevent your users from recycling old passwords, you can do so by enforcing password history in on-premises Active Directory (AD). See Create a custom password policy.
In Microsoft Entra ID, the last password can't be used again when the user changes a password. The password policy is applied to all user accounts that are created and managed directly in Microsoft Entra ID. This password policy can't be modified. See Microsoft Entra password policies.
The password policy you choose is set for each managed domain in your organization. If you add a new domain or convert a domain from federated to managed, you need to re-enable the organization password policy to update all domains again; otherwise, the new or converted domain keeps the default policy.
This article is for setting the expiration policy for cloud-only users (Microsoft Entra ID). It doesn't apply to hybrid identity users who use password hash sync, pass-through authentication, or on-premises federation like Active Directory Federation Services (ADFS).
To learn how to synchronize user password hashes from on-premises AD to Microsoft Entra ID, see Implement password hash synchronization with Microsoft Entra Connect Sync.
You can set more password policies and restrictions in Microsoft Entra ID. Check out Password policies and account restrictions in Microsoft Entra ID for more info.
The Update-MgDomain cmdlet updates the password policy of a specified domain or tenant and indicates the length of time that a password remains valid before it must be changed.
To learn how to update password policy for a specific domain or tenant, see Update-MgDomain.
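Because the policy is stored per managed domain, a newly added or converted domain can drift from the rest of the tenant. The following added example (not Microsoft's own code) uses Get-MgDomain and Update-MgDomain to find managed domains whose validity period differs from a target value and align them. The function name `Sync-DomainPasswordExpiry` and the 90-day value are assumptions chosen for illustration.

```powershell
#Requires -Modules Microsoft.Graph.Identity.DirectoryManagement

# Hypothetical helper (not a Microsoft cmdlet): aligns every managed domain
# with one password validity period and reports what it changed.
function Sync-DomainPasswordExpiry {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # 14-730 matches the range the admin center accepts;
        # 2147483647 ([int]::MaxValue) means passwords never expire.
        [Parameter(Mandatory)]
        [ValidateScript({ ($_ -ge 14 -and $_ -le 730) -or $_ -eq [int]::MaxValue })]
        [int]$ValidityDays
    )

    # The expiration policy applies to managed (cloud-authenticated) domains,
    # not federated ones, so federated domains are skipped.
    $managed = Get-MgDomain -All | Where-Object AuthenticationType -eq 'Managed'

    foreach ($domain in $managed) {
        $current = $domain.PasswordValidityPeriodInDays
        $action  = 'Unchanged'

        if ($current -ne $ValidityDays) {
            if ($PSCmdlet.ShouldProcess($domain.Id, "Set password validity to $ValidityDays days")) {
                Update-MgDomain -DomainId $domain.Id -PasswordValidityPeriodInDays $ValidityDays
                $action = 'Updated'
            } else {
                $action = 'WouldUpdate'
            }
        }

        # One row per domain so drift is visible in the output.
        [pscustomobject]@{
            Domain   = $domain.Id
            Previous = $current
            Target   = $ValidityDays
            Action   = $action
        }
    }
}

Connect-MgGraph -Scopes 'Domain.ReadWrite.All'
# Sample value (assumption): 90 days. Preview first; drop -WhatIf to apply.
Sync-DomainPasswordExpiry -ValidityDays 90 -WhatIf
```

Running it again after adding a domain or converting one from federated to managed shows any domain still on the default policy as `WouldUpdate`.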
Let users reset their own passwords (article)
Reset passwords (article)