V-270239

Discussion

Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed at specific intervals. One method of minimizing this risk is to use complex passwords and periodically change them. If the application does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the system and/or application passwords could be compromised. This requirement does not include emergency administration accounts, which are meant for access to the application in case of failure. These accounts are not required to have maximum password lifetime restrictions.

Check Content

Verify the Entra ID password expiration time period has been changed to 60 days.

Interview the site Entra ID system administrator and verify the script shown in the Fix has been run.

If the Entra ID password expiration time period is not 60 days or less, this is a finding.

Note: It is not possible to view the current value for the password expiration time (the Entra ID default is 90). An administrator can check the maximum password age of their Entra ID tenant by using the Graph PowerShell SDK module and the "Get-MgDomain" command by using the script located here: 
https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.identity.directorymanagement/get-mgdomain?view=graph-powershell-1.0

Note: For any PowerShell scripts that are Graph, note that Graph endpoints differ depending on where the tenant is located.
- For commercial tenants, graph endpoints are graph.microsoft.com.
- For GCC High tenants (IL4), graph endpoints are graph.microsoft.us.
- For DOD tenants (IL5), graph endpoints are dod-graph.microsoft.us.