Manage Microsoft 365 user account passwords
This article applies to both Microsoft 365 Enterprise and Office 365 Enterprise.
You can manage Microsoft 365 user account passwords in several different ways, depending on your identity configuration. You can manage user accounts in the Microsoft 365 admin center, in Active Directory Domain Services (AD DS), or in the Azure Active Directory (Azure AD) admin center.
Plan for where and how you will manage your user account passwords
Where and how you can manage your user accounts depends on the identity model you use for Microsoft 365. The two models are cloud-only and hybrid.
With cloud-only identity, passwords exist only in Azure AD, so you manage user account passwords in:
- The Microsoft 365 admin center
- The Azure AD admin center
With hybrid identity, the authoritative copy of each password is in AD DS, so you must use on-premises AD DS tools to manage user account passwords. This is true even with Password Hash Synchronization (PHS): Azure AD stores only a hash derived from the password hash already held in AD DS, it cannot change the password in AD DS, and you and your users must still manage passwords in AD DS.
With password writeback, your users can change their AD DS passwords through Azure AD.
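The decision above, applied in code as an added example (this is not code from the Microsoft article): an administrator reset that first looks at whether the account is synchronized from AD DS and then resets the password where it is authoritative, with a forced change at next sign-in. It assumes the Microsoft Graph PowerShell SDK for cloud-only users and the ActiveDirectory RSAT module for synchronized users; the function names and the 20-character generator are this example's own.

```powershell
# Added example: reset a Microsoft 365 user's password in the place that owns it.
# Cloud-only users are reset through Microsoft Graph; users with onPremisesSyncEnabled
# are reset in AD DS, because without password writeback Azure AD cannot change an
# AD DS password. Run Connect-MgGraph with an account that may reset passwords first.

function New-RandomPassword {
    param([int]$Length = 20)
    # CSPRNG with rejection sampling so every character is equally likely
    # (a plain modulo would bias toward the first characters of the set).
    $chars = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%&*+-=?@'.ToCharArray()
    $limit = 256 - (256 % $chars.Length)
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $one   = [byte[]]::new(1)
    $out   = [System.Text.StringBuilder]::new()
    while ($out.Length -lt $Length) {
        $rng.GetBytes($one)
        if ($one[0] -lt $limit) { [void]$out.Append($chars[$one[0] % $chars.Length]) }
    }
    $out.ToString()
}

function Reset-M365UserPassword {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    $user = Get-MgUser -UserId $UserPrincipalName `
        -Property Id, UserPrincipalName, OnPremisesSyncEnabled, OnPremisesSamAccountName
    $newPassword = New-RandomPassword

    if ($user.OnPremisesSyncEnabled) {
        # Hybrid: AD DS is authoritative. With PHS the new hash reaches Azure AD on the
        # next password sync cycle. Note that the "change at next logon" flag is only
        # honoured in Azure AD if the ForcePasswordChangeOnLogOn feature is enabled in
        # Azure AD Connect; otherwise it applies to on-premises sign-in only.
        if ($PSCmdlet.ShouldProcess($user.OnPremisesSamAccountName, 'Reset AD DS password')) {
            Set-ADAccountPassword -Identity $user.OnPremisesSamAccountName -Reset `
                -NewPassword (ConvertTo-SecureString $newPassword -AsPlainText -Force)
            Set-ADUser -Identity $user.OnPremisesSamAccountName -ChangePasswordAtLogon $true
        }
        $resetIn = 'AD DS'
    }
    else {
        # Cloud-only: Azure AD is authoritative, so reset through Microsoft Graph.
        if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, 'Reset Azure AD password')) {
            Update-MgUser -UserId $user.Id -PasswordProfile @{
                Password                      = $newPassword
                ForceChangePasswordNextSignIn = $true
            }
        }
        $resetIn = 'Azure AD'
    }

    [pscustomobject]@{
        User              = $user.UserPrincipalName
        ResetIn           = $resetIn
        TemporaryPassword = $newPassword
    }
}

# Usage (placeholder UPN; -WhatIf shows which directory would be written without changing it):
# Reset-M365UserPassword -UserPrincipalName 'alice@contoso.com' -WhatIf
```

The temporary password is returned once so it can be handed to the user out of band; it is never logged by the function, and the forced change at next sign-in limits how long it stays valid.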
Prevent bad passwords
All your users should be using Microsoft's password guidance to create their user account passwords.
To prevent users from creating an easily guessed password, use Azure AD password protection, which checks new passwords against both a global banned password list maintained by Microsoft and an optional custom banned password list that you specify. The custom list is where you add terms that are specific to your organization, such as:
- Brand names
- Product names
- Locations (for example, the city of your company headquarters)
- Company-specific internal terms
- Abbreviations that have specific company meaning
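To see why a custom list entry blocks more than the literal term, it helps to run candidate passwords through the same steps the service documents: lowercase normalization, common character substitutions (0 to o, 1 to l, $ to s, @ to a, ! to i), detection of banned terms, and a points score in which each banned term found counts one point, each remaining character counts one point, and a password needs at least five points to be accepted. The following is an added example, not code from the Microsoft article, that approximates that evaluation locally so you can test a proposed custom list before publishing it. It omits the service's fuzzy (edit-distance 1) matching and its checks against the user's name and the tenant name, so a password that passes here can still be rejected by the service. The banned terms and test passwords are constructed sample data.

```powershell
# Added example: local approximation of Azure AD password protection scoring against
# a custom banned password list. Not the service's code; see the caveats above.

$CustomBannedPasswords = @('contoso', 'fabrikam', 'hq-redmond', 'projectnimbus')  # constructed sample list

function ConvertTo-NormalizedPassword {
    param([Parameter(Mandatory)][string]$Password)
    # Lowercase, then the documented leet-speak substitutions, so 'C0nt0$0' becomes 'contoso'.
    $map = @{ '0' = 'o'; '1' = 'l'; '$' = 's'; '@' = 'a'; '!' = 'i' }
    $sb  = [System.Text.StringBuilder]::new()
    foreach ($c in $Password.ToLowerInvariant().ToCharArray()) {
        $s = [string]$c
        [void]$sb.Append($(if ($map.ContainsKey($s)) { $map[$s] } else { $s }))
    }
    $sb.ToString()
}

function Test-BannedPassword {
    param(
        [Parameter(Mandatory)][string]$Password,
        [string[]]$BannedList = $CustomBannedPasswords,
        [int]$MinimumScore = 5
    )
    $normalized = ConvertTo-NormalizedPassword $Password
    $remaining  = $normalized
    $found      = @()

    # Normalize the list too, and try longest terms first so a term that contains a
    # shorter term is matched as one banned word rather than two.
    $terms = $BannedList | ForEach-Object { ConvertTo-NormalizedPassword $_ } | Sort-Object Length -Descending
    foreach ($term in $terms) {
        while ($remaining.Contains($term)) {
            $found += $term
            # A banned term scores one point however long it is: remove it from the
            # remaining text so its characters are not counted again.
            $remaining = $remaining.Remove($remaining.IndexOf($term), $term.Length)
        }
    }

    $score = $found.Count + $remaining.Length
    [pscustomobject]@{
        Password    = $Password
        Normalized  = $normalized
        BannedTerms = ($found -join ',')
        Score       = $score
        Accepted    = ($score -ge $MinimumScore)
    }
}

# Constructed test passwords. 'C0ntos0!2' normalizes to 'contosoi2': the banned term scores
# 1 point and the two leftover characters 2 points, so it is rejected with a score of 3.
'C0ntos0!2', 'ContosoBlank2024', 'Tr0ub4dor&3' |
    ForEach-Object { Test-BannedPassword -Password $_ } |
    Format-Table Password, Normalized, BannedTerms, Score, Accepted -AutoSize
```

The scoring shows the practical consequence for the list you write: a banned term only removes one point per occurrence, so short company terms padded with a few characters can still reach five points. Combine the custom list with a minimum length and with the global list rather than relying on the custom list alone.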
Simplify user sign-in
Azure AD Seamless Single Sign-On (Azure AD Seamless SSO) works with PHS and Pass-Through Authentication (PTA) to let users on domain-joined devices connected to your corporate network sign in to services that use Azure AD user accounts without typing their passwords and, in many cases, their usernames. This gives your users easier access to cloud-based applications, such as Office 365, without any additional on-premises components such as identity federation servers.
You configure Azure AD Seamless SSO with the Azure AD Connect tool. See the instructions to configure Azure AD Seamless SSO.
Simplify password updates to AD DS
With password writeback, you can allow users to reset their passwords through Azure AD; the new password is then written back to AD DS. Users don't need to reach their on-premises AD DS to update their passwords. This is valuable for roaming or remote users who do not have a remote access connection to the on-premises network.
Password writeback is required to fully utilize Azure AD Identity Protection capabilities, such as requiring users to change their on-premises passwords when there has been a high risk of account compromise detected.
For additional information and configuration instructions, see Azure AD SSPR with password writeback.
Upgrade to the latest version of Azure AD Connect to ensure the best possible experience and new features as they are released. For more information, see Custom installation of Azure AD Connect.
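Password writeback only works if the AD DS connector account that Azure AD Connect uses holds the rights to perform the reset in AD DS. Microsoft documents those as the Reset password and Change password extended rights plus Write permission on the lockoutTime and pwdLastSet attributes, granted on the user objects in scope. The following is an added example, not code from the Microsoft article or from Azure AD Connect, that audits an OU's ACL for exactly those grants. It assumes the ActiveDirectory RSAT module (for the AD: drive and Get-ADObject), and the connector account name and OU in the usage line are placeholders. GUIDs are resolved from the forest's own schema and Extended-Rights container rather than hardcoded.

```powershell
# Added example: check that the Azure AD Connect AD DS connector account has the
# permissions password writeback needs on the users under a given OU.

Import-Module ActiveDirectory

function Get-WritebackGuidMap {
    # Resolve attribute, class and extended-right names to GUIDs from this forest.
    $root = Get-ADRootDSE
    $map  = @{}
    foreach ($name in 'lockoutTime', 'pwdLastSet', 'user') {
        $obj = Get-ADObject -SearchBase $root.schemaNamingContext `
            -LDAPFilter "(lDAPDisplayName=$name)" -Properties schemaIDGUID
        $map[$name] = [guid]$obj.schemaIDGUID
    }
    foreach ($name in 'Reset Password', 'Change Password') {
        $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$($root.configurationNamingContext)" `
            -LDAPFilter "(displayName=$name)" -Properties rightsGuid
        $map[$name] = [guid]$obj.rightsGuid
    }
    $map
}

function Test-PasswordWritebackAcl {
    param(
        [Parameter(Mandatory)][string]$ConnectorAccount,    # placeholder form: 'CONTOSO\MSOL_xxxxxxxx'
        [Parameter(Mandatory)][string]$OrganizationalUnit   # placeholder form: 'OU=Users,DC=contoso,DC=com'
    )
    $guids = Get-WritebackGuidMap
    $acl   = Get-Acl -Path "AD:\$OrganizationalUnit"

    # Keep only Allow ACEs for the connector account that flow down to descendant user
    # objects (InheritedObjectType = user class, or empty = all object types).
    $aces = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $ConnectorAccount -and
        $_.AccessControlType -eq 'Allow' -and
        $_.InheritanceType -ne 'None' -and
        ($_.InheritedObjectType -eq $guids['user'] -or $_.InheritedObjectType -eq [guid]::Empty)
    }

    $required = @(
        @{ Name = 'Reset Password';    Type = $guids['Reset Password'];  Right = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight }
        @{ Name = 'Change Password';   Type = $guids['Change Password']; Right = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight }
        @{ Name = 'Write lockoutTime'; Type = $guids['lockoutTime'];     Right = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty }
        @{ Name = 'Write pwdLastSet';  Type = $guids['pwdLastSet'];      Right = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty }
    )

    foreach ($req in $required) {
        # An ACE satisfies the requirement if it carries the right (GenericAll includes
        # both bits) and is scoped to this GUID or to everything (empty ObjectType).
        $granted = $aces | Where-Object {
            (($_.ActiveDirectoryRights -band $req.Right) -ne 0) -and
            ($_.ObjectType -eq $req.Type -or $_.ObjectType -eq [guid]::Empty)
        }
        [pscustomobject]@{ Permission = $req.Name; Granted = [bool]$granted }
    }
}

# Usage with placeholder values:
# Test-PasswordWritebackAcl -ConnectorAccount 'CONTOSO\MSOL_1a2b3c4d5e6f' `
#     -OrganizationalUnit 'OU=Users,DC=contoso,DC=com' | Format-Table -AutoSize
```

Run it against every OU that Azure AD Connect synchronizes; a missing grant on one OU shows up as a writeback failure only for users under that OU, which is easy to mistake for a cloud-side problem. Grant the four rights and nothing broader: the connector account is a high-value target precisely because it can reset passwords.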
Simplify password resets
Self-service password reset (SSPR) allows users to reset their own passwords or unlock their own accounts. To alert you to misuse or abuse, use the detailed reporting that records when users use the service, along with notifications to the user and to administrators. In a hybrid configuration, you must enable password writeback before you deploy SSPR, so that a reset made in Azure AD reaches AD DS.