Set the password expiration policy for your organization

This article is for people who set password expiration policy for a business, school, or nonprofit.

If you're a user, you don't have the permissions to set your password to never expire. Ask your work or school technical support to do the steps in this article for you.

As an admin, you can make user passwords expire after a certain number of days, or set passwords to never expire.

Tip

By default, passwords are set to never expire. Current research strongly indicates that mandated password changes do more harm than good. They drive users to choose weaker passwords, re-use passwords, or update old passwords in ways that are easily guessed by hackers.

Important

Only Office 365 global admins can perform these steps.

  1. In the admin center, go to the Settings > Security and privacy page. If you aren't an Office 365 global admin, you won't see the Security and privacy option.

  2. Click Edit.
    Choose Edit

  3. If you don't want users to have to change passwords, set Passwords never expire to On.
    Set to On

  4. If you want user passwords to expire, in the first box type how often passwords should expire. Choose a number of days from 14 to 730.
    Enter how often passwords should expire

  5. In the second box type when users are notified that their password will expire, and then click Save. Choose a number of days from 1 to 30.

  6. When the user's password expires, they'll get a notification that appears in the lower right corner of their screen.
    Notification the user sees

Important things you need to know about the password expiration feature

Here are some things to know about how this feature currently works as of January 2018:

  • People who only use the Outlook app won't be forced to reset their Office 365 password until it expires in the cache. This can be several days after the actual expiration date. There's no workaround for this at the admin level.

  • Users do not get an email notification that their password is going to expire in X number of days. Do you want this feature? Vote here!

Prevent last password from being used again

If you want to prevent your users from recycling old passwords, you can do so in Azure AD. See Password policies and restrictions in Azure Active Directory.

In addition, if an employee used a mobile device to access Office 365, you can wipe it to ensure the password is no longer stored and recycled from there. To learn more, see Wipe and block a former employee's mobile device.

Synchronize user passwords hashes from an on-premises Active Directory to Azure AD (Office 365)

This article is for setting the expiration policy for cloud-only users (Azure AD). It doesn't apply to hybrid identity users who use password hash sync, pass-through authentication or on-premises federation like ADFS.

To learn how to synchronize user password hashes from on premises AD to Azure AD, see Implement password hash synchronization with Azure AD Connect sync.