Set the Password Expiration Policy for your Organization

As an admin, you can make user passwords expire after a certain number of days, or set passwords to never expire in Office 365.

Note: If you are an end-user, you don't have the permissions to set your password to never expire. Ask your work or school technical support to perform the steps in this article for you.

  1. In the admin center, go to the Settings > Security & privacy page. If you aren't an Office 365 global admin, you won't see the Security and privacy option.

  2. Next to Password policy, select Edit.

  3. If you don't want users to have to change passwords, set Passwords never expire to On.
    Set to On

  4. If you want user passwords to expire, in the first box type how often passwords should expire. Choose a number of days from 14 to 730.
    Enter how often passwords should expire

  5. In the second box type when users are notified that their password will expire, and then select Save. Choose a number of days from 1 to 30.

  6. When the user's password expires, they'll get a notification that appears in the lower right corner of their screen.
    Notification the user sees

Important things you need to know about the password expiration feature

Here are some things to know about how this feature currently works as of January 2018:

  • People who only use the Outlook app won't be forced to reset their Office 365 password until it expires in the cache. This can be several days after the actual expiration date. There's no workaround for this at the admin level.

  • Users do not get an email notification that their password is going to expire in X number of days.

Prevent last password from being used again

If you want to prevent your users from recycling old passwords, you can do so in Azure AD.

In addition, if an employee used a mobile device to access Office 365, you can wipe it to ensure the password is no longer stored and recycled from there.

Synchronize user passwords hashes from an on-premises Active Directory to Azure AD (Office 365)

This article is for setting the expiration policy for cloud-only users (Azure AD). It doesn't apply to hybrid identity users who use password hash sync, pass-through authentication or on-premises federation like ADFS.