Set the password expiration policy for your organization

This article is for people who set password expiration policy for a business, school, or nonprofit.

If you're a user, you don't have the permissions to set your password to never expire. Ask your work or school technical support to do the steps in this article for you.

As an admin, you can make user passwords expire after a certain number of days, or set passwords to never expire. By default, passwords are set to never expire.

Important

Only Office 365 global admins can perform these steps.

  1. Go to the Go to the Office 365 admin center.

  2. In the Office 365 admin center, go to Settings > Security and privacy. If you aren't an Office 365 global admin, you won't see the Security and privacy option.
    Navigate to Security and Privacy

  3. Click Edit.
    Choose Edit

  4. If you don't want users to have to change passwords, set Passwords never expire to On.
    Set to On

  5. If you want user passwords to expire, in the first box type how often passwords should expire. Choose a number of days from 14 to 730.
    Enter how often passwords should expire

  6. In the second box type when users are notified that their password will expire, and then click Save. Choose a number of days from 1 to 30.

  7. When the user's password expires, they'll get a notification that appears in the lower right corner of their screen.
    Notification the user sees

Important things you need to know about the password expiration feature

Here are some things to know about how this feature currently works as of January 2018:

  • Bug: We're currently investigating a bug that's preventing this feature from working consistently. Your users may not get a notification before their password expires. This means when they sign in to Office 365 and their password has expired, they'll be prompted to change their password at that time without any advance notice.

  • People who only use the Outlook app won't be forced to reset their Office 365 password until it expires in the cache. This can be several days after the actual expiration date. There's no workaround for this at the admin level.

  • Users do not get an email notification that their password is going to expire in X number of days. Do you want this feature? Vote here!

Prevent last password from being used again

If you want to prevent your users from recycling old passwords, you can do so in Azure AD. See Password policies and restrictions in Azure Active Directory.

Synchronize user passwords hashes from an on-premises Active Directory to Azure AD (Office 365)

This article is for setting the expiration policy for cloud-only users (Azure AD). It doesn't apply to hybrid identity users who use password hash sync, pass-through authentication or on-premises federation like ADFS.

To learn how to synchronize user password hashes from on premises AD to Azure AD, see Implement password hash synchronization with Azure AD Connect sync.