The contents of this instruction:

• • Password requirements AD
  • Password Locking Policies for Entra ID logins
  • Password Locking Policies for AD/LDAP logins

---

Password requirements AD

1. The password must be at least 12 characters long.
   • It must not contain any part of the username or the user’s name.
   • It must include characters from at least three of the following categories:
     • • Uppercase letters
       • Lowercase letters
       • Numbers
       • Special characters
2. The password expiration period is 365 days.
3. The system remembers the last 5 passwords, and the new password cannot be the same as any of them.
4. The minimum password age is 0 days.

---

Password Locking Policies for Entra ID logins

Locking Policy

1. The ID locks after 10 incorrect passwords.
   • Entering the same invalid password sequentially does not increase the counter.
   • The user’s known login locations and the user’s new login locations have their own counter.
2. The account is locked for 600 seconds and then opens automatically.
3. If, after opening, the next login attempt is with the wrong password, the account will be immediately locked again.
4. Repeated lockdowns increase the time of lockdown.

In addition to these rules, Microsoft’s Identity Protection feature is also used to identify anonymous IP addresses, password spray attacks, and known ID and password pair leaks from logins. Based on these, Identity Protection increases the risk level of a user or login.

Risk level of logins

If the risk level of login is marked as high for Identity Protection, a two-step authentication is always required.

---

Password Locking Policies for AD/LDAP logins

1. The ID locks after 20 incorrect logins.
2. The account is locked for 600 seconds and then opens automatically.
3. False attempts counter resets after 10 minutes.

« Back