
How to Get Weak Password Users Report in Azure AD

Allowing your Microsoft 365 users to sign in using weak passwords will pose a significant risk to your organization's data. These easily guessable passwords are susceptible to brute-force attacks and can easily be compromised by cyber intruders. Regularly monitoring users with weak passwords and enforcing strong password policies are essential for security. Get insights into weak passwords to enhance your security posture.

Native Solution

Microsoft 365 Permission Required

High

Global Admin, Security Admin, Password Admin, Global Reader or Security Reader

Option 1 Using Microsoft Entra Admin Center

  • Sign in to the Microsoft Entra admin center.
  • Go to the 'All users' tab under Identity»Users.
  • Select the desired user and click on the 'Properties' tab.
  • Here, under Password policies, check whether 'DisableStrongPassword' is listed. Its presence indicates that the user is allowed to use a weak password.

Option 2 Using Windows PowerShell

  • Use the following commands (MSOnline module) to identify users who are allowed weak passwords. The -All switch is needed because Get-MsolUser otherwise returns only the first 500 users.
     Connect-MsolService
     Get-MsolUser -All | Where-Object { $_.StrongPasswordRequired -eq $false }
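The same report built on the Microsoft Graph PowerShell SDK, as an added example that is not part of the original page or AdminDroid's product; it assumes the Microsoft.Graph.Users module is installed and that the signed-in account can read user properties. It goes beyond the MSOnline one-liner by also flagging users whose passwords never expire and by exporting the result for review.

```powershell
# Added example: report Entra ID users whose per-user password policy allows weak
# passwords, using Microsoft Graph PowerShell instead of the deprecated MSOnline module.
# Assumes Microsoft.Graph.Users is installed and the caller holds a read-capable role
# such as Global Reader. Function and column names are this example's own choices.

function Get-WeakPasswordUserReport {
    [CmdletBinding()]
    param(
        # Optional CSV path; when omitted the report is only returned to the pipeline
        [string]$CsvPath
    )

    # A read-only scope is sufficient to list users and their password policies
    Connect-MgGraph -Scopes "User.Read.All"

    # passwordPolicies is returned only when explicitly selected
    $props = @('Id','UserPrincipalName','DisplayName','AccountEnabled',
               'PasswordPolicies','UsageLocation','Department','JobTitle')
    $users = Get-MgUser -All -Property $props

    $report = foreach ($u in $users) {
        # The value is a comma-separated string, e.g.
        # "DisablePasswordExpiration, DisableStrongPassword"; split it into tokens
        $policies = if ($u.PasswordPolicies) { $u.PasswordPolicies -split ',\s*' } else { @() }
        if ($policies -notcontains 'DisableStrongPassword') { continue }

        [pscustomobject]@{
            UserPrincipalName    = $u.UserPrincipalName
            DisplayName          = $u.DisplayName
            SignInStatus         = if ($u.AccountEnabled) { 'Allowed' } else { 'Blocked' }
            WeakPasswordAllowed  = $true
            PasswordNeverExpires = ($policies -contains 'DisablePasswordExpiration')
            UsageLocation        = $u.UsageLocation
            Department           = $u.Department
            JobTitle             = $u.JobTitle
        }
    }

    if ($CsvPath) { $report | Export-Csv -Path $CsvPath -NoTypeInformation }
    return $report
}

# Example call (constructed): show the list and keep a copy for follow-up
Get-WeakPasswordUserReport -CsvPath .\WeakPasswordUsers.csv | Format-Table -AutoSize
```

Enabled accounts in this list are the ones to prioritise for remediation, since blocked accounts cannot sign in regardless of password strength.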
AdminDroid Solution
More than 150 reports are under the free edition.

AdminDroid Permission Required

Any user with report access delegated by the Super Admin.

Steps Using AdminDroid

  • Login to the AdminDroid Office 365 reporter.
  • Navigate to the Users with Weak Password Allowed report under Reports»Security»Password Reports.

You can review Microsoft 365 users with weak passwords, including their sign-in status, usage location, department, and more.

  • Seamlessly gain insights into users with weak passwords and their sign-in status through AdminDroid's AI-powered charts.

Get the list of users with weak passwords on Microsoft 365 in a single view!

Elevate your Microsoft 365 password monitoring to new heights by taking an in-depth dive into AdminDroid's Azure AD password reports


What are the Microsoft 365 password complexity requirements?

By default, Entra ID enforces password complexity to enhance security. Users must include a combination of character types in their passwords based on the Office 365 password complexity settings. Below are the character types allowed in Microsoft 365.

Character Restrictions:

  • Uppercase letters (A-Z)
  • Lowercase letters (a-z)
  • Numbers (0-9)
  • Symbols (e.g., !@#$%^&*)

Password Length

Ensure passwords are between 8 and 256 characters long. (Recent update: maximum length extended from 16 to 256 characters)

Password reset history

Users can reuse their last password when resetting a forgotten password.

Password Complexity Requirements

Ensure passwords contain at least three of the following: lowercase characters, uppercase characters, numbers (0-9), and symbols.

Password Expiry Duration

The Microsoft 365 default password policy sets password expiry to 90 days (about 3 months); this is a global setting that applies to the entire organization.

Password Expiry Notification

By default, a notification is sent 14 days before password expiry. The specific combination of character types and the minimum password complexity requirements for Office 365 depend on how your organization's policy settings are configured.

Why is it important to use a strong password policy in Microsoft 365?

Using a strong password policy in Microsoft 365 is crucial in avoiding risky sign-ins and protecting sensitive data. It strengthens overall security, mitigating the risk of cyber threats and data breaches.

However, disabling password complexity requirements in Microsoft 365 can have significant security implications:

  • Increased Vulnerability to Password Guessing: Without complex requirements, users may choose simple and easily guessable passwords, increasing susceptibility to password spray attacks. This makes it easier for attackers to compromise accounts and gain illicit access through automated login attempts.
  • Higher Risk of Credential Theft: Weak passwords are more susceptible to credential theft techniques such as phishing, where attackers trick users into disclosing their login credentials. Once obtained, these credentials can be used to compromise confidential data and resources.
  • Compromised User Accounts: Accounts with weak passwords are easier targets for attackers, putting sensitive information, documents, and internal systems at risk. This vulnerability increases the chances of unauthorized access, leading to potential data breaches, financial losses, and harm to the organization's reputation.

Overall, disabling password complexity in Microsoft 365 weakens security and raises the risk of cyberattacks and data breaches. Thus, maintaining strong password policies is crucial to protect organizational assets.

What is the password strength policy for Microsoft 365?

A strong password in Microsoft 365 is crucial to protect sensitive data and prevent security breaches. Keeping your Microsoft 365 password requirements up to date further strengthens your user accounts against brute-force attacks.

Understanding how to create robust passwords within M365 is key to maintaining a secure environment. While the password strength policy may vary based on organizational settings, certain elements remain consistent.

  • Minimum Length: Specifies the minimum number of characters required for a password. This is often set to a value of 8 or higher by default.
  • Password Expiration: Specifies how often users must change their passwords. This can range from a few days to several months.

Set Password Expiration Setting in Microsoft 365 Admin Center

  • Login to Microsoft 365 admin center.
  • Navigate to Settings»Org settings.
  • Click Security & privacy»Password expiration policy.
  • Here, you can select the number of days under 'Days before passwords expire' to notify users regarding the password expiration.

What is password protection in Azure AD?

Microsoft Entra ID offers specialized password protection settings that can be customized to suit your organization's specific needs and preferences.

  • Navigate to Protection»Authentication methods.
  • Under this category, select the password protection.
  • Smart Account Lockout Threshold: Limits the number of failed login attempts before an account is temporarily locked out for security purposes.
  • Lockout duration in seconds: The default Microsoft 365 Password Policy for lockout duration is 60 seconds (1 minute).
  • Configure Custom Banned Passwords: Azure AD Password Protection allows you to create a list of custom banned passwords, in addition to the global banned password list, to block organization-specific terms. This improves your overall security posture by preventing users from choosing easily guessable passwords.
  • Password protection for Windows Server Active Directory: Mitigating weak passwords within your on-premises Active Directory environment is crucial for security. Consider enabling it for better security. Also, you can set the Protection mode based on your requirement.

Initially, consider setting the mode to "Audit". This allows you to monitor password filtering behavior and identify potential issues before enforcing password complexity requirements.

It's important for organizations to customize their Microsoft Entra password protection policies based on their specific security requirements and compliance standards.

AdminDroid lets admins regularly review and update password protection policies to address evolving security threats.

  • Make sure to review failed logins caused by account lockouts, which occur after multiple attempts with incorrect username and password entries.
  • In this report, you can also see the attempted user account and the machine IP along with the time of the attempt.

How to turn off password complexity in Office 365?

Complex passwords make it much harder for hackers to guess them. This is especially important in setups where your on-premises Active Directory rules apply to Microsoft Entra ID users too.

However, sometimes users may struggle to remember complex passwords. In such rare cases, you might consider disabling the strong password requirement in Azure AD.

Additionally, since on-premises password policies take precedence over Azure AD policies for synchronized users, you can choose to disable the Azure AD strong password requirement for those users if necessary.

You can disable the strong password requirement for a specific user with the following commands. Update-MgUser needs a write scope, so connect with User.ReadWrite.All rather than a read-only scope.

Connect-MgGraph -Scopes "User.ReadWrite.All"
Update-MgUser -UserId <UserPrincipalName> -PasswordPolicies "DisableStrongPassword"

AdminDroid Microsoft 365 Password Reporting

Accurately monitor users with weak passwords for improved protection!

AdminDroid's Azure AD reporting tool offers comprehensive insights into user activities, MFA, passwords, licenses, and more. With detailed reports, admins can efficiently monitor and control user-related information in the Microsoft Entra ID portal to enhance security and compliance.

Discover a Streamlined Approach to Identify Users with Weak Password Using AdminDroid!

The Users with Weak Passwords report offers a detailed overview of Microsoft 365 users with weak passwords. This report provides essential information, including the weak password status, sign-in status, usage location, job title, etc.

A Quick Summary

Hub for Streamlined M365 Passwords Reporting

Simplify password management with our Microsoft 365 password dashboard, offering insights on password policy status, password expiry, password never changed, and more.

Enhance Security with AdminDroid's SSPR Monitoring

AdminDroid enables real-time monitoring of user self-service password resets (SSPR) to ensure swift and secure password changes.

Enhanced Visualization of Expired Password Metrics

With AdminDroid's advanced graphs and charts, visualize the daily password expired summary in your Microsoft 365 organization.

Automated MFA Reports for Weak Password Users

With scheduling capability, you can automatically get the MFA non-activated users in your inbox. This helps you to enable the MFA for users with weak passwords.

Real-Time Monitoring of User Password Changes with AdminDroid

With AdminDroid, monitor M365 user password changes in real-time and assess their strength instantly if required.

Alert on Risky Sign-ins Activity to prevent password spray attacks

Set up alerts for risky sign-ins in your tenant to find out the suspicious logins caused by the password spray attacks.

AdminDroid offers detailed reports for managing Office 365 password metrics and enforcing robust password policies. Gain real-time insights into account lockouts, login failures, and self-service password resets to detect and address potential threats promptly. Maintaining continuous visibility into password-related activities will enhance your security and compliance.

Kickstart Your Journey with AdminDroid

Your Microsoft 365 Companion with Enormous Reporting Capabilities!

Common Errors and Resolution Steps in managing Microsoft 365 weak passwords

The following are the possible errors and troubleshooting hints while dealing with Microsoft 365 weak passwords.

Error: You can’t reset your own password because the password reset isn’t properly set up for your organization.

This error occurs when users try to reset their password, when the self-service password reset is disabled in your organization.

Troubleshooting hint: You must contact your administrator to reset your password and to check your organization's setup.

Error: The value must be between 5 and 18000 (occurs while setting the lockout duration in Entra ID).

The lockout duration in Azure AD password protection can be set between 5 seconds and 18000 seconds (5 hours).

Troubleshooting hint: Adjust the value so that it falls within the valid range (e.g., 30 seconds, 60 seconds).

Error: Update-MgUser : Insufficient privileges to complete the operation.

This error occurs when the user connects to Microsoft Graph PowerShell without the required permission scopes.

Troubleshooting hint: Connect to the Microsoft Graph module with global admin or security admin privileges and request the required write scopes.

Connect-MgGraph -Scopes "User.ReadWrite.All","Group.ReadWrite.All"

Error: Set-MsolUser : Access Denied. You do not have permissions to call this cmdlet.

The error indicates that the user running the PowerShell command does not have the necessary permissions to execute the operation.

Troubleshooting hint: Ensure that the user account executing the PowerShell script has the appropriate permissions assigned in Microsoft 365. This typically requires administrative privileges or specific roles assigned within the Microsoft 365 admin center.

Error: Update-MgUser: The specified user ID is invalid or does not exist.

This error occurs when the user ID provided to the Update-MgUser cmdlet is incorrect or doesn't correspond to an existing user in the Microsoft 365 environment.

Troubleshooting hint: Double-check the user ID you're using in the command and ensure that it matches the ID of an existing user. You can verify the user ID by using commands like Get-MgUser or by checking the user's details in the Microsoft 365 admin center.