cqrenet/policies
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
policies/Security/password_policy_m365_ad.md
Tomas Kracmar 4554305f3a First batch
2025-09-30 11:30:46 +02:00

100 lines
4.5 KiB
Markdown
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Password & Authenticator Policy (M365 + AD)
**Document owner:** [Owner/Role]
**Approved by:** [Steering Committee / CISO]
**Effective date:** [YYYY-MM-DD]
**Review cadence:** [Annually]
---
## 1) Purpose & Scope
This policy establishes mandatory requirements for password creation, management, and authentication across [Organization]s Microsoft 365, Active Directory (AD), and integrated systems. It applies to all employees, contractors, vendors, and service accounts.
---
## 2) Policy Statements
### 2.1 Password Length
- Passwords **must** be at least **15 characters** when used as a single factor of authentication.
- Passwords **must** be at least **8 characters** when used in combination with MFA.
- Systems **must** allow passwords up to **64 characters** and **should** support spaces, ASCII, and Unicode characters.
### 2.2 Complexity
- Passwords **must not** be subject to complexity rules requiring upper/lowercase, numbers, or symbols.
- Passwords **shall** be screened against a blocklist of weak, common, and compromised passwords using **Azure AD Password Protection**.
### 2.3 Expiration
- Passwords **shall not** expire on a scheduled basis.
- Passwords **must** be changed immediately upon indication or suspicion of compromise.
### 2.4 Usability
- Systems **must** permit copy/paste from password managers.
- Systems **must** provide a “show password” option.
- Password hints and security questions **must not** be used.
### 2.5 Multi-Factor Authentication (MFA)
- MFA **must** be enforced for:
- Microsoft 365 services
- VPN/remote access
- Privileged AD accounts
- Administrative access to SaaS and production systems
- MFA **should** use phishing-resistant methods (e.g., FIDO2, Microsoft Authenticator).
- SMS/voice **shall** only be used as fallback methods.
### 2.6 Account Lockout
- Failed logins **must** be throttled using **Azure AD Smart Lockout**.
- Accounts **shall not** be permanently locked out due to failed attempts; instead, time-based delays must be applied.
### 2.7 Storage & Transmission
- Passwords **must** only be transmitted over encrypted channels (TLS 1.2+).
- AD and M365 **must** store passwords as salted and hashed verifiers.
- NTLMv1 and LAN Manager (LM) hashes **must** be disabled.
- Custom applications **must** use Argon2id, bcrypt, or PBKDF2 for password storage.
### 2.8 Resets & Recovery
- Password resets **must** require MFA verification (via Azure AD SSPR).
- Knowledge-based authentication (KBA/security questions) **must not** be used.
- After compromise, passwords **must** be reset and tokens revoked.
### 2.9 Administrative Accounts
- Administrative accounts **must** be separate from daily-use accounts.
- All administrative accounts **must** be protected with MFA.
- Administrative access **must** be provisioned through **Privileged Identity Management (PIM)** with just-in-time elevation.
- Shared administrative passwords **must not** be used. Break-glass accounts **must** be vaulted, monitored, and protected with MFA.
### 2.10 Service & Machine Accounts
- Service accounts **must** use Managed Service Accounts (MSA/gMSA) or Managed Identities where available.
- Service account passwords **must** be at least **30 characters**, randomly generated, and stored securely (e. g. in **Azure Key Vault**).
- Service accounts **must not** allow interactive login.
- Secrets **must** be rotated regularly through automated processes.
### 2.11 Dormant Accounts
- User accounts inactive for **45 days** **must** be disabled.
- Quarterly reviews of all accounts **must** be conducted by IT.
### 2.12 Application Integration
Applications authenticating against AD or Entra ID:
- **Must** support password length requirements and blocklist enforcement.
- **Must** allow paste/autofill and must not truncate passwords.
- **Must** store verifiers using modern password hashing methods if not federated.
---
## 3) Enforcement
- Violations of this policy **may** result in disciplinary action, up to and including termination of access or employment.
- System owners **must** remediate applications not compliant with this policy or document exceptions approved by the CISO.
---
## 4) Exceptions
- Exceptions **must** be documented, include compensating controls, and have CISO approval.
- Exceptions **must** have a review date not exceeding 12 months.
---
## 5) References
- **NIST SP 800-63B, Digital Identity Guidelines (2023 update)**
- **CIS Controls v8.1, Controls 5 & 6**
- **Microsoft Security Baselines (M365 & Windows/AD)**
- **OWASP Authentication Cheat Sheet**
Reference in New Issue View Git Blame Copy Permalink