
How to Implement Password Complexity and Character-Change Policies in Azure AD for NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - IA.L2-3.5.7

Step-by-step guidance to implement password complexity and character-change controls in Azure AD (cloud and hybrid) to meet NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 IA.L2-3.5.7 requirements.

April 19, 2026

This post gives actionable, Azure AD–specific implementation guidance for meeting NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 control IA.L2-3.5.7 (password complexity and character-change requirements), including cloud-only and hybrid environments, PowerShell examples, small-business scenarios, and practical compliance tips.

Overview and alignment with the compliance framework

IA.L2-3.5.7 requires that passwords meet complexity and character-change requirements to reduce the risk of unauthorized access to Controlled Unclassified Information (CUI). In Azure-centric environments you implement this requirement by combining Azure AD Password Protection (cloud and on-prem enforcement), domain password policies for hybrid/on-prem Active Directory, and operational controls such as forced initial-change, password age rules, auditing, and complementary MFA/passwordless strategies.

Practical implementation steps (high level)

At a minimum, implement the following steps:

1) Enable Azure AD Password Protection and add a custom banned password list.
2) For hybrid or on-prem AD, enforce the domain password policy (length, complexity, history, age) via Group Policy or PowerShell.
3) Configure password change workflows: force a change at next sign-in for new or admin-reset passwords, and enforce expiration or lifecycle rules appropriate to your risk tolerance.
4) Log and monitor password-related events, and use MFA as a compensating control.

Enable Azure AD Password Protection and custom banned lists

In Microsoft Entra (Azure AD) enable Password Protection: go to Azure Active Directory (Microsoft Entra) > Security > Authentication methods > Password protection. Turn on enforcement, set lockout threshold/duration as appropriate (e.g., threshold 5 attempts, lockout 15 minutes), and populate a custom banned password list with organization-specific terms (company name, product names, common weak patterns). For hybrid environments also deploy the Azure AD Password Protection DC agent to domain controllers and set enforcement to "Enforce" so weak or common passwords are blocked at change time on-premises.

Enforce domain password policy for hybrid/on-prem AD (PowerShell example)

For organizations with Active Directory domains, enforce minimum length, complexity, password history and aging via the Default Domain Policy or a Group Policy Object. Example PowerShell (run on a domain controller with the ActiveDirectory module):

    Set-ADDefaultDomainPasswordPolicy -Identity "domain.local" -MinPasswordLength 14 -PasswordHistoryCount 10 -ComplexityEnabled $true -MaxPasswordAge (New-TimeSpan -Days 90)

This enforces a 14-character minimum, a password history of 10, complexity on, and a 90-day maximum age; tune these values based on your risk assessment.
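Setting the policy is half the job; an assessor will ask for evidence that the effective policy still matches the documented baseline. The following is an added example (not code from the original post) that reads the effective default domain password policy and reports each setting as PASS or FAIL against the baseline values above. It assumes the ActiveDirectory module, a domain-joined session with read rights, and the hypothetical $Baseline values shown.

```powershell
# Added example: audit the effective default domain password policy against a
# baseline. Requires the ActiveDirectory module (RSAT or a domain controller).
Import-Module ActiveDirectory

# Baseline taken from the guidance above (assumed values; tune to your risk assessment).
$Baseline = [ordered]@{
    MinPasswordLength    = 14
    PasswordHistoryCount = 10
    ComplexityEnabled    = $true
    MaxPasswordAge       = New-TimeSpan -Days 90
    LockoutThreshold     = 5
    LockoutDuration      = New-TimeSpan -Minutes 15
}

function Test-DomainPasswordPolicy {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $policy = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
    foreach ($name in $Baseline.Keys) {
        $want = $Baseline[$name]
        $have = $policy.$name
        # The direction of each comparison depends on the setting: minimums must
        # reach the baseline, maximum age must not exceed it (0 or TimeSpan.MaxValue
        # means "never expires" and fails), and a lockout threshold of 0 means
        # lockout is disabled, which also fails.
        $ok = switch ($name) {
            'MaxPasswordAge'    { $have -gt [TimeSpan]::Zero -and $have -le $want }
            'LockoutThreshold'  { $have -gt 0 -and $have -le $want }
            'ComplexityEnabled' { $have -eq $want }
            default             { $have -ge $want }
        }
        [pscustomobject]@{
            Setting  = $name
            Required = $want
            Actual   = $have
            Result   = if ($ok) { 'PASS' } else { 'FAIL' }
        }
    }
}

Test-DomainPasswordPolicy | Format-Table -AutoSize
```

Run the function after every policy change and keep the output with your System Security Plan evidence; any FAIL row is a finding before it becomes an audit finding.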

Cloud-only Azure AD considerations and options

Azure AD cloud-only tenants have built-in complexity enforcement (minimum length and complexity rules baked into the service) and you should augment this with Password Protection (custom banned list and lockout settings) as noted above. If you need stricter configurable complexity fields (e.g., enforce length >8 in the service), options are: use Azure AD Domain Services (AAD DS) which exposes AD-like GPO password settings, deploy a hybrid AD for policy control, or implement automated lifecycle enforcement using Microsoft Graph/PowerShell to detect and force changes for accounts that do not meet your policy. For forcing a user to change a password next sign-in, use Set-MsolUserPassword -UserPrincipalName "bob@contoso.com" -NewPassword "TempP@ssw0rd!" -ForceChangePassword $true (MSOnline module) or the equivalent Microsoft Graph API call.

Real-world small-business scenario

Scenario: a 50-person small business uses Azure AD with Azure AD Connect (hybrid). Implementation path:

(1) Deploy Azure AD Password Protection and configure a custom banned password list with company terms and simple patterns.
(2) On-prem, set the domain password policy via Group Policy or the Set-ADDefaultDomainPasswordPolicy command to require 12–14 characters, complexity enabled, history 10, max age 90 days.
(3) Configure automation (a scheduled PowerShell run or a Graph-based script) that queries the last password set date and forces a password reset via Set-MsolUserPassword if the age exceeds the company limit.
(4) Roll out user training and an MFA requirement for all remote access.

Implementation can be completed in 1–2 weeks for a small shop: start with Password Protection (cloud) immediately, then schedule domain policy changes during a maintenance window.
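Step (3) above, and the force-change-at-next-sign-in option in the cloud-only section, both come down to the same automation: find accounts whose last password change is older than the company limit and flag them. The following is an added example (not code from the original post) that does this with the Microsoft Graph PowerShell SDK instead of the MSOnline module. It assumes the Microsoft.Graph.Users module, an admin session consented to User.ReadWrite.All, and a hypothetical 90-day limit.

```powershell
# Added example: flag cloud accounts with stale passwords for change at next
# sign-in via Microsoft Graph. Assumes Microsoft.Graph.Users and an admin
# account with User.ReadWrite.All consent (assumption; adjust to your tenant).
Import-Module Microsoft.Graph.Users

$MaxAgeDays = 90   # hypothetical company limit
Connect-MgGraph -Scopes 'User.ReadWrite.All' -NoWelcome

function Get-StalePasswordUsers {
    param([int]$MaxAgeDays = 90)
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$MaxAgeDays)
    Get-MgUser -All -Filter 'accountEnabled eq true' `
        -Property Id,UserPrincipalName,LastPasswordChangeDateTime,PasswordPolicies |
        Where-Object {
            # Skip accounts deliberately exempted from expiry (e.g. break-glass or service accounts)
            $_.PasswordPolicies -notmatch 'DisablePasswordExpiration' -and
            $_.LastPasswordChangeDateTime -and
            $_.LastPasswordChangeDateTime -lt $cutoff
        }
}

function Set-ForceChangeAtNextSignIn {
    param(
        [Parameter(ValueFromPipeline)] $User,
        [switch]$DryRun
    )
    process {
        if ($DryRun) {
            "WOULD FLAG: $($User.UserPrincipalName) (last change $($User.LastPasswordChangeDateTime))"
            return
        }
        # Only the flag is set; the script never chooses or transmits a new password.
        Update-MgUser -UserId $User.Id -PasswordProfile @{ ForceChangePasswordNextSignIn = $true }
        "FLAGGED: $($User.UserPrincipalName)"
    }
}

# Review the candidate list with -DryRun first, then drop the switch in the scheduled task.
Get-StalePasswordUsers -MaxAgeDays $MaxAgeDays | Set-ForceChangeAtNextSignIn -DryRun
```

Because the script only sets the force-change flag, users keep their current password until they next sign in, which avoids the temporary-password handling that Set-MsolUserPassword -NewPassword requires.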

Compliance tips, best practices and technical details

Recommended technical parameters (adjust for risk): minimum length 12–14 characters, require complexity or encourage passphrases, password history count >= 10, maximum password age 60–180 days (90 is common for conservative compliance), lockout threshold 5, lockout duration 15 minutes. Use Azure AD Password Protection's custom banned list to block context-specific weak passwords. Log password change and reset events to the Azure AD sign-in logs and enable diagnostic settings to send logs to Sentinel or a SIEM for alerting on unusual reset patterns. Use passwordless and FIDO2 for privileged accounts where possible; require MFA for all admins and remote users. Maintain documented procedures for password resets and privileged account onboarding.
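"Alerting on unusual reset patterns" needs a concrete detection. The following is an added example (not code from the original post) that pulls recent password reset and change events from the Entra ID audit log through Microsoft Graph and flags any initiator that exceeds a reset threshold in the window. It assumes the Microsoft.Graph.Reports module, AuditLog.Read.All consent, and that the activity display names used in the filter match what your tenant's audit log shows.

```powershell
# Added example: detect bursts of password resets in the Entra ID audit log.
# Assumes Microsoft.Graph.Reports and AuditLog.Read.All consent (assumption).
Import-Module Microsoft.Graph.Reports

function Get-PasswordResetAnomalies {
    param([int]$Hours = 24, [int]$Threshold = 5)
    $since = (Get-Date).ToUniversalTime().AddHours(-$Hours).ToString('yyyy-MM-ddTHH:mm:ssZ')
    # Activity names as displayed in the portal's Audit logs (assumption; verify in your tenant).
    $filter = "activityDateTime ge $since and (" +
              "activityDisplayName eq 'Reset password (by admin)' or " +
              "activityDisplayName eq 'Change user password')"
    $events = Get-MgAuditLogDirectoryAudit -All -Filter $filter

    $events |
        Group-Object {
            # Resets can be initiated by a user or by an application (e.g. a sync or automation account).
            if ($_.InitiatedBy.User.UserPrincipalName) { $_.InitiatedBy.User.UserPrincipalName }
            else { "app:" + $_.InitiatedBy.App.DisplayName }
        } |
        Where-Object { $_.Count -gt $Threshold } |
        ForEach-Object {
            [pscustomobject]@{
                Initiator = $_.Name
                Resets    = $_.Count
                Targets   = ($_.Group | ForEach-Object { $_.TargetResources[0].UserPrincipalName } |
                             Sort-Object -Unique) -join ', '
                FirstSeen = ($_.Group.ActivityDateTime | Measure-Object -Minimum).Minimum
                LastSeen  = ($_.Group.ActivityDateTime | Measure-Object -Maximum).Maximum
            }
        }
}

Connect-MgGraph -Scopes 'AuditLog.Read.All' -NoWelcome
Get-PasswordResetAnomalies -Hours 24 -Threshold 5 | Format-Table -AutoSize
```

Baseline the output for a week before choosing the threshold; your own lifecycle automation from the previous section will show up here and should be allow-listed by initiator rather than hidden by raising the threshold.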

Risk of not implementing IA.L2-3.5.7

Failing to implement adequate complexity and change controls increases the risk of credential stuffing, brute force, and targeted guessing attacks that can lead to account compromise, lateral movement, and exfiltration of CUI. Non-compliance can also cause audit failures, loss of contracts, and regulatory penalties. In practical terms, weak password controls often represent the single largest attack surface in small organizations; mitigations like Azure AD Password Protection plus MFA materially reduce that risk.

Summary: to meet IA.L2-3.5.7 in Azure environments, enable Azure AD Password Protection and custom banned lists, enforce domain password policies for hybrid/on-prem AD (PowerShell/GPO), implement password change workflows (force-change and lifecycle enforcement), monitor and log password events, and use MFA/passwordless as compensating controls. Start with Password Protection immediately, document your policy settings, and operationalize periodic review and monitoring to maintain compliance with the framework.
