Password policies and restrictions in Azure Active Directory

This article describes the password policies and complexity requirements associated with user accounts stored in your Azure AD directory.

Important

Are you here because you're having problems signing in? If so, here's how you can change and reset your own password.

UserPrincipalName policies that apply to all user accounts

Every user account that needs to sign in to the Azure AD authentication system must have a unique user principal name (UPN) attribute value associated with that account. The following table outlines the policies that apply to both on-premises Active Directory-sourced user accounts (synced to the cloud) and to cloud-only user accounts.

Property UserPrincipalName requirements
Characters allowed
  • A – Z
  • a – z
  • 0 – 9
  • . - _ ! # ^ ~
Characters not allowed
  • Any '@' character that is not separating the user name from the domain.
  • Cannot contain a period character '.' immediately preceding the '@' symbol
Length constraints
  • Total length must not exceed 113 characters
  • 64 characters before the ‘@’ symbol
  • 48 characters after the ‘@’ symbol

Password policies that apply only to cloud user accounts

The following table describes the available password policy settings that can be applied to user accounts that are created and managed in Azure AD.

Property Requirements
Characters allowed
  • A – Z
  • a – z
  • 0 – 9
  • @ # $ % ^ & * - _ ! + = [ ] { } | \ : ' , . ? / ` ~ " ( ) ;
Characters not allowed
  • Unicode characters
  • Spaces
  • Strong passwords only: Cannot contain a dot character '.' immediately preceding the '@' symbol
Password restrictions
  • 8 characters minimum and 16 characters maximum
  • Strong passwords only: Requires 3 out of 4 of the following:
    • Lowercase characters
    • Uppercase characters
    • Numbers (0-9)
    • Symbols (see password restrictions above)
Password expiry duration
  • Default value: 90 days
  • Value is configurable using the Set-MsolPasswordPolicy cmdlet from the Azure Active Directory Module for Windows PowerShell.
Password expiry notification
  • Default value: 14 days (before password expires)
  • Value is configurable using the Set-MsolPasswordPolicy cmdlet.
Password Expiry
  • Default value: false (indicates that password expiry is enabled)
  • Value can be configured for individual user accounts using the Set-MsolUser cmdlet.
Password change history
  • Last password cannot be used again when changing a password.
Password reset history
  • Last password may be used again when resetting a forgotten password.
Account Lockout
  • After 10 unsuccessful sign-in attempts (wrong password), the user will be locked out for one minute. Further incorrect sign-in attempts will lock out the user for increasing durations.
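
The rules in the two tables above can be checked before accounts are provisioned or synced. The following is an added example, not Microsoft's code: `check_upn` and `check_password` are hypothetical names, the two quote characters in the symbol list are assumed to be ASCII ' and ", and the UPN allowed-character list is assumed to apply on both sides of the '@'.

```python
import string

ALNUM = set(string.ascii_letters + string.digits)
UPN_ALLOWED = ALNUM | set(".-_!#^~")
# Symbols row of the password table; the two quote marks are assumed to be ASCII ' and ".
PW_SYMBOLS = set("@#$%^&*-_!+=[]{}|\\:',.?/`~\"();")


def check_upn(upn):
    """Return the UPN rules a value breaks; an empty list means it passes."""
    if upn.count("@") != 1:
        return ["needs exactly one '@' between user name and domain"]
    user, domain = upn.split("@")
    problems = []
    bad = sorted(set(user + domain) - UPN_ALLOWED)
    if bad:
        problems.append("characters not allowed: " + " ".join(map(repr, bad)))
    if user.endswith("."):
        problems.append("period immediately before '@'")
    if len(upn) > 113:
        problems.append("total length over 113")
    if len(user) > 64:
        problems.append("over 64 characters before '@'")
    if len(domain) > 48:
        problems.append("over 48 characters after '@'")
    return problems


def check_password(pw, strong=True):
    """Return the cloud password rules a candidate breaks."""
    problems = []
    if not 8 <= len(pw) <= 16:
        problems.append("length must be 8 to 16")
    bad = sorted(set(pw) - ALNUM - PW_SYMBOLS)
    if bad:
        problems.append("characters not allowed: " + " ".join(map(repr, bad)))
    classes = sum(any(c in group for c in pw) for group in (
        string.ascii_lowercase, string.ascii_uppercase, string.digits, PW_SYMBOLS))
    if strong and classes < 3:
        problems.append("strong password needs 3 of 4 character classes")
    if strong and ".@" in pw:
        problems.append("'.' immediately before '@'")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not real accounts or credentials.
    for upn in ("alex.smith@contoso.example", "alex.@contoso.example"):
        print(upn, check_upn(upn))
    for pw in ("Summer2024!", "password", "pass word1A", "Motörhead1"):
        print(repr(pw), check_password(pw))
```

Passing these checks only means a value fits the published character and length rules; the change-history and lockout behaviour in the table is enforced by the service at sign-in or password change.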
