| title | description | services | documentationcenter | author | manager | editor | ms.assetid | ms.service | ms.component | ms.workload | ms.tgt_pltfrm | ms.devlang | ms.topic | ms.date | ms.author |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Azure Active Directory Domain Services: Password policy | Microsoft Docs |
Understand password policies on managed domains |
active-directory-ds |
eringreenlee |
mtillman |
curtand |
1a14637e-b3d0-4fd9-ba7a-576b8df62ff2 |
active-directory |
domain-services |
identity |
na |
na |
article |
09/17/2018 |
ergreenl |
This article explains the default password policies on a managed domain. It also covers how you can configure these policies.
Use fine-grained password policies to specify many password policies within a single domain. FGPP enables you to apply different restrictions for password and account lockout policies to different sets of users in a domain. For example, you can apply strict password settings to privileged accounts.
You can configure the following password settings using FGPP:
- Minimum password length
- Password history
- Passwords must meet complexity requirements
- Minimum password age
- Maximum password age
- Account lockout policy
- Account lockout duration
- Number of failed logon attempts allowed
- Reset failed logon attempts count after
The following screenshot illustrates the default fine grained password policy configured on an Azure AD Domain Services managed domain.
Note
You can't modify or delete the default built-in fine grained password policy. Members of the 'AAD DC Administrators' group can create custom FGPP and configure it to override (take precedence over) the default built-in FGPP.
On a managed domain, the following password policies are configured by default:
- Minimum password length (characters): 7
- Maximum password age (lifetime): 90 days
- Passwords must meet complexity requirements
On a managed domain, the following account lockout policies are configured by default:
- Account lockout duration: 30
- Number of failed logon attempts allowed: 5
- Reset failed logon attempts count after: 30 minutes
Effectively, user accounts are locked out for 30 minutes if five invalid passwords are used within 2 minutes. Accounts are automatically unlocked after 30 minutes.
You can create a custom FGPP and apply it to specific groups in your managed domain. This configuration effectively overrides the default FGPP configured for the managed domain.
Tip
Only members of the 'AAD DC Administrators' group have the permissions to create custom fine grained password policies.
Additionally, you can also create custom fine grained password policies and apply them to any custom OUs you create on the managed domain.
You can configure a custom FGPP for the following reasons:
- To set a different account lockout policy.
- To configure a default password lifetime setting for the managed domain.
To create a custom FGPP on your managed domain:
- Sign in to the Windows VM you use to administer your managed domain. If you don't have one, follow the instructions to administer a managed domain
- Launch the Active Directory Administrative Center on the VM.
- Click the domain name (for example, 'contoso100.com').
- Double-click System to open the System container.
- Double-click Password Settings Container.
- You see the default built-in FGPP for the managed domain called AADDSSTFPSO. You can't modify this built-in FGPP. You can however, create a new custom FGPP override the default FGPP.
- On the Tasks panel in the right, click New and click Password Settings.
- In the Create Password Settings dialog, specify the custom password settings to apply as part of the custom FGPP. Remember to set the precedence appropriately to override the default FGPP.
Tip
Remember to uncheck the Protect from accidental deletion option. If this option is selected, the FGPP cannot be saved.
- In Directly Applies To, click the Add button. In the Select Users or Groups dialog, click the Locations button.
- In the Locations dialog, expand the domain name and click AADDC Users. You can now select a group from the built-in users OU, to which to apply the FGPP.
- Type the name of the group and click the Check Names button to validate the group exists.
- The name of the group is displayed in Directly Applies To section. Click the OK button to save these changes.
Tip
To apply custom password policies for user accounts in a custom OU: Fine grained password policies can be applied only to groups. To configure a custom password policy only for users from a custom OU, create a group that includes users in that OU.