turbot/microsoft365_compliance

Control: 1.4 Ensure the 'Password expiration policy' is set to 'Set passwords to never expire

Description

Microsoft cloud-only accounts have a pre-defined password policy that cannot be changed. The only items that can change are the number of days until a password expires and whether or not passwords expire at all.

Organizations such as NIST and Microsoft have updated their password policy recommendations to not arbitrarily require users to change their passwords after a specific amount of time, unless there is evidence that the password is compromised or the user forgot it. They suggest this even for single factor (Password Only) use cases, with a reasoning that forcing arbitrary password changes on users actually make the passwords less secure. Other recommendations within this Benchmark suggest the use of MFA authentication for at least critical accounts (at minimum), which makes password expiration even less useful as well as password protection for Azure AD.

Remediation

To set Office 365 passwords are set to never expire:

  1. Navigate to Microsoft 365 admin center https://admin.microsoft.com.
  2. Click to expand Settings select Org Settings.
  3. Click on Security & privacy.
  4. Check the Set passwords to never expire (recommended) box.
  5. Click Save.

To set Office 365 Passwords Are Not Set to Expire, use the Microsoft Graph PowerShell module:

  1. Connect to the Microsoft Graph service using Connect-MgGraph -Scopes "Domain.ReadWrite.All".
  2. Run the following Microsoft Graph PowerShell command:
Update-MgDomain -DomainId <Domain> -PasswordValidityPeriodInDays 2147483647 -PasswordNotificationWindowInDays 30

Usage

Run the control in your terminal:

powerpipe control run microsoft365_compliance.control.cis_v200_1_4

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v200_1_4 --share

SQL

This control uses a named query:

azuread_user_password_not_set_to_expire

Tags