Microsoft Azure AD Active Directory collage from official

Microsoft wants to increase account security for customers using its Azure Active Directory (Azure AD) service. The company has decided to remove the 16-character limit it previously imposed on cloud user accounts.

Customers can now configure a password with much more flexibility. Microsoft has increased the Azure AD password character limit to 256 characters, a significant increase.

The company says account holders will still be required to form their password from a mix of lowercase, uppercase, symbols, spaces, and numbers. Microsoft has detailed its requirements for passwords on this policy documentation page.

“Many of you have been reminding us that we still have a 16-character password limit for accounts created in Azure AD. While our on-premises Windows AD allows longer passwords and passphrases, we previously didn’t have support for this for cloud user accounts in Azure AD.”

This change is only for Azure AD users and is not implemented for personal Microsoft accounts (MSA). We guess the company will be looking at making this a consistent change across all services eventually.

Changing Passwords

For general Microsoft accounts, two-factor authentication is still the way to go. Just last month, Microsoft removed mandatory password updates for organizations. The company admitted the system was not as secure as it once was.

“Periodic password expiration is an ancient and obsolete mitigation of very low value, and we don’t believe it’s worthwhile for our baseline to enforce any specific value,” says Aaron Margosis, a Microsoft principal consultant.

Under the new terms, customers will be able to select a date when their password expires, or indeed choose not to have an expiry date.