The contents of this instruction:

• • Password requirements AD
  • Password Locking Policies for Entra ID logins
  • Password Locking Policies for AD/LDAP logins

---

Password requirements AD

1. Password length at least 12 characters.
   • Must not contain username or display name.
   • Must contain characters from three different categories:
     • • capital letters
       • lower case
       • result
       • peculiars
2. Password expiration time 365 days.
3. Previous passwords are remembered for the previous 5, to which the password cannot be changed.
4. Minimum password time 0 days.

---

Password Locking Policies for Entra ID logins

Locking Policy

1. The ID locks after 10 incorrect passwords.
   • Entering the same invalid password sequentially does not increase the counter.
   • The user’s known login locations and the user’s new login locations have their own counter.
2. The account is locked for 600 seconds and then opens automatically.
3. If, after opening, the next login attempt is with the wrong password, the account will be immediately locked again.
4. Repeated lockdowns increase the time of lockdown.

In addition to these rules, Microsoft’s Identity Protection feature is also used to identify anonymous IP addresses, password spray attacks, and known ID and password pair leaks from logins. Based on these, Identity Protection increases the risk level of a user or login.

Risk level of logins

If the risk level of login is marked as high for Identity Protection, a two-step authentication is always required.

---

Password Locking Policies for AD/LDAP logins

1. The ID locks after 20 incorrect logins.
2. The account is locked for 600 seconds and then opens automatically.
3. False attempts counter resets after 10 minutes.

« Back