policies/Security/password_policy_m365_ad.md
2025-09-30 11:30:46 +02:00


Password & Authenticator Policy (M365 + AD)

Document owner: [Owner/Role]
Approved by: [Steering Committee / CISO]
Effective date: [YYYY-MM-DD]
Review cadence: [Annually]


1) Purpose & Scope

This policy establishes mandatory requirements for password creation, management, and authentication across [Organization]'s Microsoft 365, Active Directory (AD), and integrated systems. It applies to all employees, contractors, vendors, and service accounts.


2) Policy Statements

2.1 Password Length

  • Passwords must be at least 15 characters when used as a single factor of authentication.
  • Passwords must be at least 8 characters when used in combination with MFA.
  • Systems must allow passwords up to 64 characters and should support spaces, ASCII, and Unicode characters.

2.2 Complexity

  • Passwords must not be subject to complexity rules requiring upper/lowercase, numbers, or symbols.
  • Passwords shall be screened against a blocklist of weak, common, and compromised passwords using Azure AD Password Protection.

2.3 Expiration

  • Passwords shall not expire on a scheduled basis.
  • Passwords must be changed immediately upon indication or suspicion of compromise.

2.4 Usability

  • Systems must permit copy/paste from password managers.
  • Systems must provide a “show password” option.
  • Password hints and security questions must not be used.

2.5 Multi-Factor Authentication (MFA)

  • MFA must be enforced for:
    • Microsoft 365 services
    • VPN/remote access
    • Privileged AD accounts
    • Administrative access to SaaS and production systems
  • MFA should use phishing-resistant methods (e.g., FIDO2, Microsoft Authenticator).
  • SMS/voice shall only be used as fallback methods.

2.6 Account Lockout

  • Failed logins must be throttled using Azure AD Smart Lockout.
  • Accounts shall not be permanently locked out due to failed attempts; instead, time-based delays must be applied.

2.7 Storage & Transmission

  • Passwords must only be transmitted over encrypted channels (TLS 1.2+).
  • AD and M365 must store passwords as salted and hashed verifiers.
  • NTLMv1 and LAN Manager (LM) hashes must be disabled.
  • Custom applications must use Argon2id, bcrypt, or PBKDF2 for password storage.

2.8 Resets & Recovery

  • Password resets must require MFA verification (via Azure AD SSPR).
  • Knowledge-based authentication (KBA/security questions) must not be used.
  • After compromise, passwords must be reset and tokens revoked.

2.9 Administrative Accounts

  • Administrative accounts must be separate from daily-use accounts.
  • All administrative accounts must be protected with MFA.
  • Administrative access must be provisioned through Privileged Identity Management (PIM) with just-in-time elevation.
  • Shared administrative passwords must not be used. Break-glass accounts must be vaulted, monitored, and protected with MFA.

2.10 Service & Machine Accounts

  • Service accounts must use Managed Service Accounts (MSA/gMSA) or Managed Identities where available.
  • Service account passwords must be at least 30 characters, randomly generated, and stored securely (e.g., in Azure Key Vault).
  • Service accounts must not allow interactive login.
  • Secrets must be rotated regularly through automated processes.

2.11 Dormant Accounts

  • User accounts inactive for 45 days must be disabled.
  • Quarterly reviews of all accounts must be conducted by IT.
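The following audit script is an added example, not part of this policy document: it checks an AD domain against sections 2.1, 2.2, 2.3, 2.6, 2.7 and 2.11 using the RSAT ActiveDirectory module. It assumes it is run on a domain controller or RSAT workstation with read access; the function name and the text of the findings it returns are this example's own.

```powershell
# Added audit script (not part of the policy document): compares the domain's
# effective settings with sections 2.1, 2.2, 2.3, 2.6, 2.7 and 2.11 above.
# Requires the RSAT ActiveDirectory module; function name is this example's own.
Import-Module ActiveDirectory

function Test-PasswordPolicyCompliance {
    $findings = [System.Collections.Generic.List[string]]::new()

    # 2.1 / 2.2 / 2.3 / 2.6 : default domain password and lockout policy
    $p = Get-ADDefaultDomainPasswordPolicy
    if ($p.MinPasswordLength -lt 15) {
        $findings.Add("2.1 MinPasswordLength=$($p.MinPasswordLength); policy requires 15 for single-factor use")
    }
    if ($p.ComplexityEnabled) {
        $findings.Add("2.2 Complexity rules are enabled; policy replaces them with blocklist screening")
    }
    if ($p.MaxPasswordAge -ne [TimeSpan]::Zero) {
        $findings.Add("2.3 MaxPasswordAge=$($p.MaxPasswordAge.Days) days; policy forbids scheduled expiry")
    }
    # A LockoutDuration of 0 means 'until an administrator unlocks', i.e. permanent lockout
    if ($p.LockoutThreshold -gt 0 -and $p.LockoutDuration -eq [TimeSpan]::Zero) {
        $findings.Add("2.6 Lockout is permanent; policy requires time-based delays")
    }

    # 2.7 : LM hash storage and NTLMv1 acceptance on this host (LSA registry values)
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    if ([int]$lsa.NoLMHash -ne 1) {
        $findings.Add("2.7 NoLMHash is not 1; LM hashes may still be stored")
    }
    # Level 5 = send NTLMv2 only and refuse LM/NTLM (NTLMv1); lower levels still accept NTLMv1
    if ([int]$lsa.LmCompatibilityLevel -lt 5) {
        $findings.Add("2.7 LmCompatibilityLevel=$([int]$lsa.LmCompatibilityLevel); NTLMv1 is still accepted")
    }

    # 2.11 : enabled user accounts with no logon for 45 days or more
    $dormant = Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays(45)) -UsersOnly |
        Where-Object { $_.Enabled }
    foreach ($u in $dormant) {
        $findings.Add("2.11 $($u.SamAccountName) inactive since $($u.LastLogonDate) but still enabled")
    }

    return $findings
}

# Each line returned names the policy section the finding relates to
Test-PasswordPolicyCompliance | ForEach-Object { Write-Output $_ }
```

The registry checks in the 2.7 block describe only the host the script runs on, so run it on each domain controller; Smart Lockout and blocklist screening live in Entra ID and are not visible through these AD cmdlets.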

2.12 Application Integration

Applications authenticating against AD or Entra ID:

  • Must support password length requirements and blocklist enforcement.
  • Must allow paste/autofill and must not truncate passwords.
  • Must store verifiers using modern password hashing methods if not federated.

3) Enforcement

  • Violations of this policy may result in disciplinary action, up to and including termination of access or employment.
  • System owners must remediate applications not compliant with this policy or document exceptions approved by the CISO.

4) Exceptions

  • Exceptions must be documented, include compensating controls, and have CISO approval.
  • Exceptions must have a review date not exceeding 12 months.

5) References

  • NIST SP 800-63B, Digital Identity Guidelines (2023 update)
  • CIS Controls v8.1, Controls 5 & 6
  • Microsoft Security Baselines (M365 & Windows/AD)
  • OWASP Authentication Cheat Sheet