Tip #206: Change the password expiration policy on Office365/CRM Online

Arghhhh – AGAIN?

If your company uses Office365 (Exchange Online), I am sure you’ve had reactions like the one above several times in your life. Every 90 days actually.

90 days is the default Password Expiration Policy for Office365 (longer than the 42 days of Active Directory) and this affects CRM Online.

I get this question all the time: “Is there any way we can extend the expiration time for CRM Online?”

Absolutely!

I’ve been a Certified Ethical Hacker since 2005 (It’s a real thing, look it up :)), and I can tell you that these expiration settings offer very little protection, in my opinion. Most “password attacks” are based on Social Engineering, and most people (including “IT Experts”) rotate the same 2 or 3 passwords every time they are asked to change it. I bet you do too. We all do.

These Password Expiration policies were created based on time estimates of how long it would take a supercomputer to crack the hash (unicodePwd in Active Directory) and recover everyone’s password. The idea is that by requiring people to change their password every 6 weeks, anyone who does manage to crack the hash won’t get any passwords that are still valid. Some companies even apply “password history” policies, where you are unable to reuse any of your last 15 passwords or something along those lines, to “increase security”. Most people just end up increasing a number within their password by one and calling it a day.

So, nowadays it seems that more and more organizations are agreeing with my thoughts on this subject and requesting an increase in the expiration period.

After you make sure that your organization supports the change, follow these steps to increase the expiration policy in Office365:

1. Open the Office365 Admin Portal (https://portal.office.com):

2. Navigate to the Active Users Tab, and then click on “Change now” on “Change the password expiration policy for your users”:

3. Type the number of days before the password should expire. Choose a number of days from 14 to 730. Click Save.

Your new password expiration policy has been set!
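
The same change can also be scripted. The following is an added example, not part of the original tip: it uses the Microsoft Graph PowerShell module instead of the portal, and the 180-day period and 14-day notification window are assumed values. It enforces the 14 to 730 day range from step 3, reports each domain's setting before and after, and lists the accounts that are exempt from expiry altogether so those exceptions stay visible.

```powershell
# Added example, not from the original tip. Assumes the Microsoft.Graph module
# is installed and the signed-in account may change domain settings.
param(
    [ValidateRange(14, 730)]   # same range the portal accepts in step 3
    [int]$ValidityDays = 180,  # assumed target value
    [int]$NotifyDays = 14      # assumed "password expires soon" warning window
)

Connect-MgGraph -Scopes 'Domain.ReadWrite.All', 'User.Read.All'

# The policy is stored per domain. Federated domains take their policy from
# the on-premises identity provider, so only verified, managed domains are set.
$domains = Get-MgDomain -All |
    Where-Object { $_.IsVerified -and $_.AuthenticationType -eq 'Managed' }

$report = foreach ($d in $domains) {
    $before = $d.PasswordValidityPeriodInDays   # empty means the service default
    Update-MgDomain -DomainId $d.Id `
        -PasswordValidityPeriodInDays $ValidityDays `
        -PasswordNotificationWindowInDays $NotifyDays
    $after = (Get-MgDomain -DomainId $d.Id).PasswordValidityPeriodInDays
    [pscustomobject]@{ Domain = $d.Id; Before = $before; After = $after }
}
$report | Format-Table -AutoSize

# Accounts flagged DisablePasswordExpiration ignore the domain policy entirely.
# List them with their last password change so stale credentials stand out.
Get-MgUser -All -Property UserPrincipalName, PasswordPolicies, LastPasswordChangeDateTime |
    Where-Object { $_.PasswordPolicies -match 'DisablePasswordExpiration' } |
    Sort-Object LastPasswordChangeDateTime |
    Format-Table UserPrincipalName, LastPasswordChangeDateTime -AutoSize
```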


What do you think about this tip?

Do you have any comments on the “Accepted wisdom” of password expiration policies?

Drop us a line here – we would love to hear your feedback!

One thought on “Tip #206: Change the password expiration policy on Office365/CRM Online”

  1. RajYRaman says:

    For O365 accounts that are used for integration with other systems, I set the password to never expire. The only way (AFAIK) to never expire a password is through PowerShell. I posted about this some time back http://nycrmdev.blogspot.com.au/2014/07/setting-office365-user-account-to-never.html
