Password Rules:
  • Minimum age: 2 days
  • Maximum age: 90 days
  • Minimum length: 8 characters (changing to 12 characters)
  • Minimum complexity:
    • Requires 1 upper case letter
    • Requires 1 lower case letter
    • Requires 1 numeral
    • Requires 1 special character
  • Bad password attempts allowed:  5
  • Lockout after 5 bad attempts:  30 minutes


Discussion:

  • Users cannot change their passwords twice in a two day span per DoIT policy. 
  • If users successfully change their password in O365 without realizing it and then try to change it again before the 2-day minimum password age has elapsed, the change is refused and the Help Desk has to reset the password in AD or O365.
  • Passwords will synchronize between AD and O365.
  • Look out for multiple devices/apps/browsers/computers with active sessions for the user's O365 account. Those sessions need to be signed out and back in after the password is changed (Microsoft apps will prompt to log back in automatically).
  • Tier 2 has the access to sign users out of all existing sessions from user management in O365.
  • If an employee is unable to successfully change their expired password in Office365, and has contacted ITS for assistance, please issue a temporary password reset in Active Directory and advise the customer that the password cannot be changed for 48 hours.
  • There may be a lapse of up to an hour before the password change synchronizes fully across Office365, because existing active sessions on a device, app (GlobalProtect VPN, especially) or browser may still be using the cached previous password.
  • It's best to advise the customer to wait an hour after the AD reset before using Office365 services (e-mail, Teams, etc.) again.
  • If the user's O365 access is urgently time sensitive, notify Tier 2/3 so they can run a sign-out of all O365 sessions against the user account.

  • Palo Alto's GlobalProtect VPN checks credentials against the live domain controllers. Keep that in mind when troubleshooting customer calls with VPN troubles. The temp AD reset is highly recommended if the VPN client is holding old credentials and keeps repeatedly locking out the user's account.
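The following is an added example, not DoIT's or Microsoft's enforcement code: a small Python model of the rules listed above (complexity, 2-day minimum age, 90-day maximum age, lockout after 5 bad attempts for 30 minutes). The `Account` record, the timestamps and the "VPN client replaying a cached old password" scenario in the `__main__` block are constructed for illustration; the function and field names are the example's own. It shows why a self-service change inside the minimum-age window is refused and why a client that keeps retrying an old password will re-lock the account every 30 minutes until it is signed out or the password is reset.

```python
"""Model of the password rules on this page (added example; constructed data)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

MIN_AGE = timedelta(days=2)            # users cannot change twice in two days
MAX_AGE = timedelta(days=90)           # password expires after 90 days
MIN_LENGTH = 8                         # policy is moving to 12; pass min_length=12 to model that
BAD_ATTEMPTS_ALLOWED = 5
LOCKOUT_DURATION = timedelta(minutes=30)

# One pattern per required character class; "special" is anything not a letter or digit.
_CLASSES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def complexity_failures(password: str, min_length: int = MIN_LENGTH) -> List[str]:
    """Return the rules the candidate password violates (empty list means acceptable)."""
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    for name, pattern in _CLASSES.items():
        if not pattern.search(password):
            failures.append(f"missing {name} character")
    return failures


@dataclass
class Account:
    """Constructed stand-in for the AD attributes the rules act on."""
    password_last_set: datetime
    bad_attempts: int = 0
    lockout_until: Optional[datetime] = None


def change_allowed(acct: Account, now: datetime) -> Tuple[bool, str]:
    """Minimum-age gate for a self-service change. A Help Desk reset in AD is
    not subject to this gate, which is why the page says to reset there."""
    age = now - acct.password_last_set
    if age < MIN_AGE:
        return False, f"minimum age not met; {MIN_AGE - age} remaining"
    return True, "ok"


def is_expired(acct: Account, now: datetime) -> bool:
    """Maximum-age rule: the password must be changed once it is 90 days old."""
    return now - acct.password_last_set >= MAX_AGE


def record_logon(acct: Account, success: bool, now: datetime) -> str:
    """Apply the lockout rule to one logon attempt; returns 'success', 'failed' or 'locked'."""
    if acct.lockout_until is not None:
        if now < acct.lockout_until:
            return "locked"                 # still inside the 30-minute lockout
        acct.lockout_until = None           # lockout expired; counter starts fresh
        acct.bad_attempts = 0
    if success:
        acct.bad_attempts = 0
        return "success"
    acct.bad_attempts += 1
    if acct.bad_attempts >= BAD_ATTEMPTS_ALLOWED:
        acct.lockout_until = now + LOCKOUT_DURATION
        return "locked"
    return "failed"


if __name__ == "__main__":
    # Constructed scenario: the user changed the password at 09:00, but a VPN
    # client still holds the old one and retries every 5 minutes.
    changed_at = datetime(2024, 1, 1, 9, 0)
    acct = Account(password_last_set=changed_at)
    print("self-service change at 09:00 + 36h:", change_allowed(acct, changed_at + timedelta(hours=36)))
    for minute in range(0, 60, 5):
        state = record_logon(acct, success=False, now=changed_at + timedelta(minutes=minute))
        print(f"{minute:02d} min after change: stale VPN attempt -> {state}")
    print("candidate 'Abcdefg1' violates:", complexity_failures("Abcdefg1"))
```

In the `__main__` trace the account locks on the fifth stale attempt and stays locked while the client keeps retrying, which is the loop the last bullet describes; signing the client out (or the temp AD reset) is what breaks it.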