Overview
This actionable alert is triggered when one or more Microsoft 365 user accounts have weakened password protection settings, specifically the DisableStrongPassword flag enabled in the passwordPolicies attribute.
This flag bypasses Microsoft's default strong password requirements, leaving the account at greater risk of brute-force or password spraying attacks, regardless of whether MFA is enabled.
Even though the user might currently use a strong password, the alert highlights that the system is not enforcing that standard, which is the core concern.
Why Does This Happen?
The DisableStrongPassword flag is a legacy setting in Microsoft Entra ID (formerly Azure AD) that allows an account to opt out of strong password enforcement. It is not enabled by default, and typically becomes active under one of the following scenarios:
Manual assignment via PowerShell
Admins sometimes set it intentionally to bypass strong password requirements for service accounts or testing purposes.
API-driven provisioning or third-party sync tools
Custom automation scripts or directory sync tools may apply this setting during bulk user creation or migration processes without realizing its implications.
Legacy migration from on-prem AD
In some hybrid environments, legacy accounts brought over from older domains might retain outdated or weaker password policy flags during the sync.
Why Can’t I See or Fix This in the Admin Center?
This flag does not show up in the Microsoft Entra (Azure AD) or Microsoft 365 admin portals. It is only visible and manageable through the Microsoft Graph API or Microsoft Graph PowerShell.
This is exactly why it often goes unnoticed and why Liongard alerts you to it.
Why This Matters (Even with MFA)
While MFA does reduce risk, it is not a substitute for strong passwords. Accounts with the DisableStrongPassword flag:
Can use simple or reused passwords, increasing exposure to credential stuffing or password spraying.
Remain vulnerable if MFA is not enforced everywhere (e.g., legacy protocols, third-party apps).
Fail baseline security audits as they violate Microsoft's security best practices.
Steps to Resolve
You'll need to remove the DisableStrongPassword flag manually using Microsoft Graph PowerShell:
Step 1 – Install and Connect to Microsoft Graph
** You’ll be prompted to sign in. Use an account with appropriate permissions (e.g., User Administrator or Global Administrator).
** The User.ReadWrite.All scope is required to update user properties like PasswordPolicies.
Run these in PowerShell as Administrator:
Install-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes User.ReadWrite.All
Authenticate when prompted.
Step 2 – Update Affected Users
The PasswordPolicies property is a single comma-separated string (for example "DisablePasswordExpiration, DisableStrongPassword"), and Update-MgUser replaces the whole value. Check the account's current value first so you do not accidentally add an exception it did not have: writing DisablePasswordExpiration to an account that previously had only DisableStrongPassword would newly disable password expiration for it.
To remove only the strong password bypass while still keeping password expiration disabled:
Update-MgUser -UserId user@domain.com -PasswordPolicies DisablePasswordExpiration
To remove all exceptions and enforce both strong passwords and expiration:
Update-MgUser -UserId user@domain.com -PasswordPolicies None
Run this per flagged user. For multiple users, consider scripting this in bulk.
*** Another option is to use a loop to apply the same change in bulk. This loop writes DisablePasswordExpiration to every listed user, so it is only appropriate when each of them already has that exception set:
# List of user principal names flagged in the alert
$users = @("user1@domain.com", "user2@domain.com")
foreach ($user in $users) {
    # Replaces the whole PasswordPolicies value, dropping DisableStrongPassword
    Update-MgUser -UserId $user -PasswordPolicies DisablePasswordExpiration
}
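The following is an added example, not Liongard's or Microsoft's code, that makes the bulk step safer than the fixed-value loop above: it reads each account's current PasswordPolicies, removes only DisableStrongPassword, keeps DisablePasswordExpiration when it is already present and otherwise writes None. It assumes an existing Connect-MgGraph session with the User.ReadWrite.All scope; the function name Remove-StrongPasswordBypass and the sample user list are assumptions, not part of the original procedure.

```powershell
# Added example (not Liongard's or Microsoft's code). Removes only the
# DisableStrongPassword value from each user's passwordPolicies, keeping
# DisablePasswordExpiration if it is already present and otherwise setting None.
# Assumes an existing Connect-MgGraph session with the User.ReadWrite.All scope.

function Remove-StrongPasswordBypass {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [string] $UserPrincipalName
    )

    # passwordPolicies is not in Get-MgUser's default property set, so request it explicitly.
    $u = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName, PasswordPolicies

    # The property is a comma-separated string such as
    # "DisablePasswordExpiration, DisableStrongPassword"; an empty value means no exceptions.
    $current = if ([string]::IsNullOrEmpty($u.PasswordPolicies)) { 'None' } else { $u.PasswordPolicies }

    if ($current -notmatch 'DisableStrongPassword') {
        Write-Host "${UserPrincipalName}: DisableStrongPassword not set (current: $current), skipping"
        return
    }

    # Update-MgUser replaces the whole value, so rebuild it without the bypass
    # instead of blindly writing DisablePasswordExpiration.
    $new = if ($current -match 'DisablePasswordExpiration') { 'DisablePasswordExpiration' } else { 'None' }

    # Honors -WhatIf / -Confirm so the change can be previewed before it is applied.
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, "set passwordPolicies '$current' -> '$new'")) {
        Update-MgUser -UserId $u.Id -PasswordPolicies $new
        Write-Host "${UserPrincipalName}: passwordPolicies '$current' -> '$new'"
    }
}

# Constructed sample input; replace with the UPNs listed in the Liongard alert.
$users = @('user1@domain.com', 'user2@domain.com')

# Preview first; the -WhatIf run changes nothing.
foreach ($user in $users) { Remove-StrongPasswordBypass -UserPrincipalName $user -WhatIf }

# When the preview looks right, apply the change:
# foreach ($user in $users) { Remove-StrongPasswordBypass -UserPrincipalName $user }
```

Run the -WhatIf pass first and compare its output with the alert's user list; the Write-Host lines show the exact before and after value for every account, which is useful evidence when re-running the inspector in Step 3.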
Step 3 – Re-run Liongard's Microsoft 365 Inspector
After updating users, re-run the inspector to refresh the data. This ensures Liongard validates the change and clears the alert (if properly remediated).
How to Identify Affected Users
Liongard provides details of impacted users in the Actionable Alert. You can also create a custom metric to surface users with DisableStrongPassword enabled, for proactive checks across environments.
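For a one-off check outside Liongard, the following added example (not Liongard's metric or code) pages through every user in the tenant with Microsoft Graph PowerShell and lists the ones whose passwordPolicies contains DisableStrongPassword. It filters client-side rather than relying on a server-side $filter on passwordPolicies, is read-only, and assumes an existing Connect-MgGraph session with at least the User.Read.All scope; the CSV file name is an assumption.

```powershell
# Added example (not Liongard's own metric or code). Enumerates every user whose
# passwordPolicies includes DisableStrongPassword by paging through the tenant
# and filtering client-side. Read-only; assumes an existing Connect-MgGraph
# session with at least the User.Read.All scope. The CSV path is an assumption.

# -All follows Graph paging; passwordPolicies must be requested explicitly.
$affected = Get-MgUser -All -Property Id, UserPrincipalName, AccountEnabled, PasswordPolicies |
    Where-Object { $_.PasswordPolicies -match 'DisableStrongPassword' } |
    Select-Object UserPrincipalName, AccountEnabled, PasswordPolicies |
    Sort-Object UserPrincipalName

# On-screen summary plus a CSV you can attach to the ticket or feed into the
# per-user remediation from Step 2.
$affected | Format-Table -AutoSize
$affected | Export-Csv -Path .\DisableStrongPassword-users.csv -NoTypeInformation
Write-Host ("{0} user(s) have DisableStrongPassword set" -f @($affected).Count)
```

Because the property is returned as a string, the same Where-Object clause can be adjusted to show which of these accounts also carry DisablePasswordExpiration, which tells you whether DisablePasswordExpiration or None is the right replacement value for each one.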
Final Thoughts
The presence of DisableStrongPassword is a silent but significant security risk. Liongard flags this not based on password complexity, but on whether your environment enforces password hygiene at the policy level.
Even a strong password today can be changed tomorrow. The goal is to enforce strong passwords systemically, not hope users make the right choices.
By clearing this flag, you’re aligning with Microsoft security best practices and hardening your tenant against preventable risks.
Additional Notes
Liongard surfaces these users based on policy, not actual password strength.
This flag must be explicitly cleared for the alert to stop.
If you have any questions or suggestions, please feel free to contact Liongard support. We are happy to help!