- For Cloud Only Accounts Microsoft has a pre-defined password policy which can't be changed. The only item you can change is how many days until a password expires and whether or not passwords expire at all.
- These options can be changed by going to the Office 365 Admin Center -> Settings -> Security & Privacy.
Password policies that only apply to cloud user accounts
The following table describes the password policy settings applied to user accounts that are created and managed in Azure AD:
|Characters not allowed||Unicode characters.|
|Password expiry duration (Maximum password age)||
|Password expiry notification (When are users notified of password expiration)||
|Password expiry (Do passwords ever expire)||
|Password change history||The last password can't be used again when the user changes a password.|
|Password reset history||The last password can be used again when the user resets a forgotten password.|
|Account lockout||After 10 unsuccessful sign-in attempts with the wrong password, the user is locked out for one minute. Further incorrect sign-in attempts lock out the user for increasing durations of time. Smart lockout tracks the last three bad password hashes to avoid incrementing the lockout counter for the same password. If someone enters the same bad password multiple times, this behavior will not cause the account to lockout.|