Password Expiration Disabled

Password expiration limits the risk of a threat actor guessing or cracking a password before it is changed.

Accounts without the password expiration requirement can be used indefinitely (unless the account is deleted). As time passes, unchanged passwords become increasingly easier for threat actors to crack. Active Directory and Azure AD administrators (global administrator or user administrator) can remove or temporarily disable the requirement for users to periodically change their passwords. However, this should only be applied to emergency access accounts.

You can remediate the issue through the following methods:



Active Directory

  • Define the password expiration period in the group policy objects for all accounts.

  • Do not enable "password never expire" for all accounts in the Domain Controller.

Azure AD

Configure the password expiration policy using PowerShell.

  1. Open a PowerShell prompt and connect to your Azure AD tenant using a global administrator or user administrator account:

    Connect-AzureAD -Confirm
  2. Require password expiration by running one of the following commands:

    • Single user (You must specify the user ID of the account owner.)

      Set-AzureADUser -ObjectId <user ID> -PasswordPolicies None
    • All users in the organization

      Get-AzureADUser -All $true | Set-AzureADUser -PasswordPolicies None

For more information, see

Depending on your organization's unique setup, you may be unable to enforce password expiration for all accounts. You can add the issue to the exception list to exclude related risk event data from the calculation of your company's risk index.

The following table outlines the situations in which you can leverage the exception list and apply alternate solutions.



Usage of both Azure AD and Active Directory (hybrid environment)

Add the "Password expiration disabled" issue to the exception list.

Usage of third-party identity and access management (IAM) systems

  • Enable the password expiration policy in your IAM system.

  • Add the "Password expiration disabled" issue to the exception list.

Usage of group policy objects

  • Enable the password expiration policy through GPOs.

  • Add the "Password expiration disabled" issue to the exception list.

  • Adding issues to the exception list permanently excludes related risk event data from Risk Insights apps.

  • If necessary, you can eventually remove issues from the list but excluded risk event data cannot be restored.

  • Changes to the exception list are applied only to new risk events.