Commit 5a2520b

committed
removed html
1 parent 98611df commit 5a2520b

1 file changed

+17
-15
lines changed

articles/active-directory/authentication/concept-sspr-policy.md

Lines changed: 17 additions & 15 deletions
@@ -6,7 +6,7 @@ services: active-directory
66
ms.service: active-directory
77
ms.subservice: authentication
88
ms.topic: conceptual
9-
ms.date: 11/25/2023
9+
ms.date: 01/25/2023
1010

1111
ms.author: justinha
1212
author: justinha
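Review bot: The ms.date change from 11/25/2023 to 01/25/2023 has nothing to do with the stated purpose of the commit ("removed html") and the message does not mention it. If it corrects a mistyped month, say so in the commit message or split it into its own commit, so the metadata change is not read as a side effect of the markup cleanup.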
@@ -24,19 +24,19 @@ When self-service password reset (SSPR) is used to change or reset a password in
2424

2525
This article describes the password policy settings and complexity requirements associated with user accounts in your Azure AD tenant, and how you can use PowerShell to check or set password expiration settings.
2626

27-
## <a name="userprincipalname-policies-that-apply-to-all-user-accounts"></a>Username policies
27+
## Username policies
2828

2929
Every account that signs in to Azure AD must have a unique user principal name (UPN) attribute value associated with their account. In hybrid environments with an on-premises Active Directory Domain Services (AD DS) environment synchronized to Azure AD using Azure AD Connect, by default the Azure AD UPN is set to the on-prem UPN.
3030

3131
The following table outlines the username policies that apply to both on-premises AD DS accounts that are synchronized to Azure AD, and for cloud-only user accounts created directly in Azure AD:
3232

3333
| Property | UserPrincipalName requirements |
3434
| --- | --- |
35-
| Characters allowed |<ul> <li>A – Z</li> <li>a - z</li><li>0 – 9</li> <li> ' \. - \_ ! \# ^ \~</li></ul> |
36-
| Characters not allowed |<ul> <li>Any "\@\" character that's not separating the username from the domain.</li> <li>Can't contain a period character "." immediately preceding the "\@\" symbol</li></ul> |
37-
| Length constraints |<ul> <li>The total length must not exceed 113 characters</li><li>There can be up to 64 characters before the "\@\" symbol</li><li>There can be up to 48 characters after the "\@\" symbol</li></ul> |
35+
| Characters allowed |A – Z<br>a - z<br>0 – 9<br>' \. - \_ ! \# ^ \~ |
36+
| Characters not allowed |Any "\@\" character that's not separating the username from the domain.<br>Can't contain a period character "." immediately preceding the "\@\" symbol |
37+
| Length constraints |The total length must not exceed 113 characters<br>There can be up to 64 characters before the "\@\" symbol<br>There can be up to 48 characters after the "\@\" symbol |
3838

39-
## <a name="password-policies-that-only-apply-to-cloud-user-accounts"></a>Azure AD password policies
39+
## Azure AD password policies
4040

4141
A password policy is applied to all user accounts that are created and managed directly in Azure AD. Some of these password policy settings can't be modified, though you can [configure custom banned passwords for Azure AD password protection](tutorial-configure-custom-password-protection.md) or account lockout parameters.
4242

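Review bot: Removing the explicit anchors from the two headings (name="userprincipalname-policies-that-apply-to-all-user-accounts" and name="password-policies-that-only-apply-to-cloud-user-accounts") deletes fragment targets that existing deep links may rely on; after this change the headings resolve only by whatever id the renderer derives from the heading text. Search for inbound links to the old fragments before merging, or keep the anchors. Since the three UPN table rows are being rewritten anyway, also fix the "\@\" sequence, where the trailing backslash escapes the closing quote, and the mix of an en dash (A – Z) and a hyphen (a - z).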
@@ -48,11 +48,11 @@ The following Azure AD password policy options are defined. Unless noted, you ca
4848

4949
| Property | Requirements |
5050
| --- | --- |
51-
| Characters allowed |<ul><li>A – Z</li><li>a - z</li><li>0 – 9</li> <li>@ # $ % ^ & * - _ ! + = [ ] { } &#124; \ : ' , . ? / \` ~ " ( ) ; < ></li> <li>blank space</li></ul> |
52-
| Characters not allowed | Unicode characters. |
53-
| Password restrictions |<ul><li>A minimum of 8 characters and a maximum of 256 characters.</li><li>Requires three out of four of the following:<ul><li>Lowercase characters.</li><li>Uppercase characters.</li><li>Numbers (0-9).</li><li>Symbols (see the previous password restrictions).</li></ul></li></ul> |
54-
| Password expiry duration (Maximum password age) |<ul><li>Default value: **90** days. If the tenant was created after 2021, it has no default expiration value. You can check current policy with [Get-MsolPasswordPolicy](/powershell/module/msonline/get-msolpasswordpolicy).</li><li>The value is configurable by using the `Set-MsolPasswordPolicy` cmdlet from the Azure Active Directory Module for Windows PowerShell.</li></ul> |
55-
| Password expiry (Let passwords never expire) |<ul><li>Default value: **false** (indicates that passwords have an expiration date).</li><li>The value can be configured for individual user accounts by using the `Set-MsolUser` cmdlet.</li></ul> |
51+
| Characters allowed |A – Z<br>a - z<br>0 – 9<br>@ # $ % ^ & * - _ ! + = [ ] { } &#124; \ : ' , . ? / \` ~ " ( ) ; < ><br>Blank space |
52+
| Characters not allowed | Unicode characters |
53+
| Password restrictions |A minimum of 8 characters and a maximum of 256 characters.<br>Requires three out of four of the following:<br>- Lowercase characters<br>- Uppercase characters<br>- Numbers (0-9)<br>- Symbols (see the previous password restrictions) |
54+
| Password expiry duration (Maximum password age) |Default value: **90** days. If the tenant was created after 2021, it has no default expiration value. You can check current policy with [Get-MsolPasswordPolicy](/powershell/module/msonline/get-msolpasswordpolicy).<br>The value is configurable by using the `Set-MsolPasswordPolicy` cmdlet from the Azure Active Directory Module for Windows PowerShell.|
55+
| Password expiry (Let passwords never expire) |Default value: **false** (indicates that passwords have an expiration date).<br>The value can be configured for individual user accounts by using the `Set-MsolUser` cmdlet. |
5656
| Password change history | The last password *can't* be used again when the user changes a password. |
5757
| Password reset history | The last password *can* be used again when the user resets a forgotten password. |
5858

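Review bot: In the rewritten Password restrictions row, "Symbols (see the previous password restrictions)" still points at nothing: the symbol set is listed in the Characters allowed row above, so the reference should name that row. In the same cell the nested list has become "<br>- Lowercase characters<br>- Uppercase characters", which renders as literal hyphens inside a table cell, and the rows still depend on <br>, so the HTML is reduced rather than removed as the commit message says. The Password expiry duration row also lost the space before its closing pipe.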
@@ -102,11 +102,13 @@ You can disable the use of SSPR for administrator accounts using the [Set-MsolCo
102102

103103
A one-gate policy requires one piece of authentication data, such as an email address or phone number. A one-gate policy applies in the following circumstances:
104104

105-
* It's within the first 30 days of a trial subscription; or
106-
* A custom domain hasn't been configured for your Azure AD tenant so is using the default **.onmicrosoft.com*. The default **.onmicrosoft.com* domain isn't recommended for production use; and
107-
* Azure AD Connect isn't synchronizing identities
105+
- It's within the first 30 days of a trial subscription
108106

109-
## <a name="set-password-expiration-policies-in-azure-ad"></a>Password expiration policies
107+
-Or-
108+
109+
- A custom domain isn't configured (the tenant is using the default **.onmicrosoft.com*, which isn't recommended for production use) and Azure AD Connect isn't synchronizing identities.
110+
111+
## Password expiration policies
110112

111113
A *global administrator* or *user administrator* can use the [Microsoft Azure AD Module for Windows PowerShell](/powershell/module/Azuread/) to set user passwords not to expire.
112114

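Review bot: The rewritten one-gate condition list changes meaning, not only markup. The old bullets read as "trial; or no custom domain; and no Azure AD Connect sync", which left open whether the sync condition applied to both earlier cases; the new text fixes the grouping as "trial, -Or- (no custom domain and no sync)". This grouping decides when a reset needs only one piece of authentication data, so confirm it against the service's actual behaviour and call it out in the commit message instead of filing it under "removed html". The removed name="set-password-expiration-policies-in-azure-ad" anchor should also be checked for inbound links before merging.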