Set the password expiration policy for your organization

Before you begin

This article is for people who set password expiration policy for a business, school, or nonprofit. To complete these steps, you need to sign in with your Microsoft 365 admin account. What's an admin account?

As an admin, you can make user passwords expire after a certain number of days, or set passwords to never expire. By default, passwords are set to never expire for your organization.

Current research strongly indicates that mandated password changes do more harm than good. They drive users to choose weaker passwords, re-use passwords, or update old passwords in ways that are easily guessed by hackers. We recommend enabling multi-factor authentication. To learn more about password policy, check out Password policy recommendations.

You must be a global admin to perform these steps.

If you're a user, you don't have the permissions to set your password to never expire. Ask your work or school technical support to do the steps in this article for you.

Tip

If you need help with the steps in this topic, consider working with a Microsoft small business specialist. With Business Assist, you and your employees get around-the-clock access to small business specialists as you grow your business, from onboarding to everyday use.

Set password expiration policy

Follow the steps below if you want to set user passwords to expire after a specific amount of time.

  1. In the Microsoft 365 admin center, go to the Security & privacy tab.

    If you aren't a global admin or security admin, you won't see the Security & privacy option.

  2. Select Password expiration policy.

  3. If you don't want users to have to change passwords, uncheck the box next to Set passwords to never expire.

  4. Type how often passwords should expire. Choose a number of days from 14 to 730.

Important

Password expiration notifications are no longer supported in Office web apps or the admin center.

Important things you need to know about the password expiration feature

People who only use the Outlook app won't be forced to reset their Microsoft 365 password until it expires in the cache. This can be several days after the actual expiration date. There's no workaround for this at the admin level.

Prevent last password from being used again

If you want to prevent your users from recycling old passwords, you can do so by enforcing password history in on-premises Active Directory (AD). See Create a custom password policy.

In Azure AD, the last password can't be used again when the user changes a password. The password policy is applied to all user accounts that are created and managed directly in Azure AD. This password policy can't be modified. See Azure AD password policies.

Synchronize user password hashes from an on-premises Active Directory to Azure AD (Microsoft 365)

This article is for setting the expiration policy for cloud-only users (Azure AD). It doesn't apply to hybrid identity users who use password hash sync, pass-through authentication, or on-premises federation like ADFS.

To learn how to synchronize user password hashes from on-premises AD to Azure AD, see Implement password hash synchronization with Azure AD Connect sync.

Password policies and account restrictions in Azure Active Directory

You can set more password policies and restrictions in Azure Active Directory. Check out Password policies and account restrictions in Azure Active Directory for more info.

Update password policy

The Set-MsolPasswordPolicy cmdlet updates the password policy of a specified domain or tenant and indicates the length of time that a password remains valid before it must be changed.

To learn how to update password policy for a specific domain or tenant, see Set-MsolPasswordPolicy.
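
The script below is an added example, not part of the original article and not Microsoft's own code. It applies an expiration period with Set-MsolPasswordPolicy to every verified, managed domain in the tenant and reads the policy back to confirm it. It assumes the MSOnline module is installed and that you sign in with an admin account; the 90-day and 14-day defaults are sample values.

```powershell
# Added example: run as a script file. Use -WhatIf to preview without changing anything.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Days a password stays valid. The article gives 14 to 730 as the allowed range.
    [ValidateRange(14, 730)]
    [int]$ValidityDays = 90,      # sample value

    # Days before expiry at which users are notified (sample value).
    [int]$NotificationDays = 14
)

Import-Module MSOnline -ErrorAction Stop
Connect-MsolService               # interactive admin sign-in

# The article covers cloud-only users, so skip federated domains: their
# expiration policy comes from the on-premises identity provider.
$domains = Get-MsolDomain | Where-Object {
    $_.Status -eq 'Verified' -and $_.Authentication -eq 'Managed'
}

foreach ($domain in $domains) {
    $before = Get-MsolPasswordPolicy -DomainName $domain.Name

    $alreadySet = ($before.ValidityPeriod -eq $ValidityDays) -and
                  ($before.NotificationDays -eq $NotificationDays)

    if (-not $alreadySet -and
        $PSCmdlet.ShouldProcess($domain.Name, "Set password validity to $ValidityDays days")) {
        Set-MsolPasswordPolicy -DomainName $domain.Name `
                               -ValidityPeriod $ValidityDays `
                               -NotificationDays $NotificationDays
    }

    # Read the policy back so the change is verified, not assumed.
    $after = Get-MsolPasswordPolicy -DomainName $domain.Name
    [pscustomobject]@{
        Domain           = $domain.Name
        ValidityBefore   = $before.ValidityPeriod
        ValidityAfter    = $after.ValidityPeriod
        NotificationDays = $after.NotificationDays
        Changed          = ($before.ValidityPeriod -ne $after.ValidityPeriod)
    }
}
```

Keep the output table with your change records: the before and after columns show which domains were modified and which already matched.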

Let users reset their own passwords (article)

Reset passwords (article)