Password expiration limits the risk of a threat actor guessing or cracking a password before it is changed.

Accounts without a password expiration requirement can be used indefinitely (unless the account is deleted). As time passes, an unchanged password becomes increasingly easy for a threat actor to crack. Active Directory and Microsoft Entra ID administrators (global administrator or user administrator) can remove or temporarily disable the requirement for users to periodically change their passwords. However, this should only be applied to emergency access accounts.
You can remediate the issue through the following methods:
System: Active Directory
Steps:
  • Define the password expiration period in the group policy objects for all accounts.
  • Do not enable "Password never expires" for all accounts on the domain controller.
System: Microsoft Entra ID
Steps: Configure the password expiration policy using PowerShell.
  1. Open a PowerShell prompt and connect to your Microsoft Entra ID tenant using a global administrator or user administrator account:
    Connect-AzureAD -Confirm
  2. Require password expiration by running one of the following commands:
    • Single user (you must specify the object ID of the user account):
      Set-AzureADUser -ObjectId <user ID> -PasswordPolicies None
    • All users in the organization:
      Get-AzureADUser -All $true | Set-AzureADUser -PasswordPolicies None
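Before applying the "all users" command above, it helps to see which accounts actually have expiration disabled and to keep the emergency access accounts out of the change. The following script is an added example, not part of this page or of the Trend Micro product; it assumes the AzureAD module is installed, that Connect-AzureAD has already been run, and that the UPNs in $EmergencyAccessUpns are placeholders you replace with your own emergency access accounts.

```powershell
# Added example: audit Microsoft Entra ID users whose password expiration is disabled
# and, only when -Remediate is given, re-enable expiration for all of them except the
# emergency access accounts. Assumes Connect-AzureAD has already been run with a
# global administrator or user administrator account.
param(
    # Constructed placeholder UPNs: replace with your real emergency access accounts.
    [string[]] $EmergencyAccessUpns = @('breakglass1@contoso.example', 'breakglass2@contoso.example'),
    [switch]   $Remediate   # without this switch the script only reports
)

function Get-NonExpiringUsers {
    # PasswordPolicies is a string such as "DisablePasswordExpiration" or
    # "DisableStrongPassword, DisablePasswordExpiration"; $null or "None" means the
    # tenant's expiration policy applies. -match catches the combined value as well.
    Get-AzureADUser -All $true |
        Where-Object { $_.PasswordPolicies -match 'DisablePasswordExpiration' } |
        Select-Object ObjectId, UserPrincipalName, DisplayName, AccountEnabled, PasswordPolicies
}

$nonExpiring = @(Get-NonExpiringUsers)

$report = foreach ($u in $nonExpiring) {
    $isEmergency = $EmergencyAccessUpns -contains $u.UserPrincipalName
    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        AccountEnabled    = $u.AccountEnabled
        PasswordPolicies  = $u.PasswordPolicies
        Emergency         = $isEmergency
        Action            = if ($isEmergency)   { 'Skip (emergency access account)' }
                            elseif ($Remediate) { 'Set PasswordPolicies=None' }
                            else                { 'Report only' }
    }
    if ($Remediate -and -not $isEmergency) {
        # Same change the page recommends: clearing the policies string lets the
        # tenant's password expiration policy apply to this account again.
        Set-AzureADUser -ObjectId $u.ObjectId -PasswordPolicies None
    }
}

$report | Format-Table -AutoSize
$skipped = @($report | Where-Object { $_.Emergency }).Count
Write-Host ("{0} account(s) have password expiration disabled; {1} emergency access account(s) skipped." -f `
    @($report).Count, $skipped)
```

Run it once without -Remediate to review the report, then a second time with -Remediate to apply the change to the non-emergency accounts it listed.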
Depending on your organization's unique setup, you may be unable to enforce password expiration for all accounts. You can add the issue to the exception list to exclude related risk event data from the calculation of your company's risk index.
The following table outlines the situations in which you can use the exception list and apply alternate solutions.
Situation: Usage of both Microsoft Entra ID and Active Directory (hybrid environment)
Action: Add the "Password expiration disabled" issue to the exception list.
Situation: Usage of third-party identity and access management (IAM) systems
Action:
  • Enable the password expiration policy in your IAM system.
  • Add the "Password expiration disabled" issue to the exception list.
Situation: Usage of group policy objects
Action:
  • Enable the password expiration policy through GPOs.
  • Add the "Password expiration disabled" issue to the exception list.
Important
  • Adding issues to the exception list permanently excludes related risk event data from Risk Insights apps.
  • If necessary, you can later remove issues from the list, but excluded risk event data cannot be restored.
  • Changes to the exception list are applied only to new risk events.