
Actionable Alerts | Microsoft 365 | Exposure to Account(s) With Weak Password


Updated over 2 weeks ago

Overview

This actionable alert is triggered when one or more Microsoft 365 user accounts have weakened password protection settings, specifically the DisableStrongPassword flag enabled in the passwordPolicies attribute.

This flag bypasses Microsoft's default strong password requirements, leaving the account at greater risk of brute-force or password spraying attacks, regardless of whether MFA is enabled.

Even though the user might currently use a strong password, the alert highlights that the system is not enforcing that standard, which is the core concern.

Why Does This Happen?

The DisableStrongPassword value is a per-user setting in Microsoft Entra ID (formerly Azure AD), stored in the user's passwordPolicies attribute, that lets an individual account opt out of the tenant's strong password enforcement. It is not set by default, and typically appears under one of the following scenarios:

  1. Manual assignment via PowerShell
    Admins sometimes set it intentionally to bypass strong password requirements for service accounts or testing purposes.

  2. API-driven provisioning or third-party sync tools
    Custom automation scripts or directory sync tools may apply this setting during bulk user creation or migration processes without realizing its implications.

  3. Legacy migration from on-prem AD
    In some hybrid environments, legacy accounts brought over from older domains might retain outdated or weaker password policy flags during the sync.

Why Can’t I See or Fix This in the Admin Center?

This flag does not appear in the Microsoft Entra (Azure AD) or Microsoft 365 admin portals. It is only visible and manageable through the passwordPolicies property of the user object, via the Microsoft Graph API or the Microsoft Graph PowerShell SDK.

This is exactly why it often goes unnoticed and why Liongard alerts you to it.

Why This Matters (Even with MFA)

While MFA does reduce risk, it is not a substitute for strong passwords. Accounts with the DisableStrongPassword flag:

  • Can use simple or reused passwords, increasing exposure to credential stuffing or password spraying.

  • Remain vulnerable if MFA is not enforced everywhere (e.g., legacy protocols, third-party apps).

  • Fail baseline security audits as they violate Microsoft's security best practices.

Steps to Resolve

You'll need to remove the DisableStrongPassword flag manually using Microsoft Graph PowerShell:

Step 1 – Install and Connect to Microsoft Graph

Run these in PowerShell as Administrator (or add -Scope CurrentUser to Install-Module to avoid needing elevation):

Install-Module Microsoft.Graph.Users

Connect-MgGraph -Scopes User.ReadWrite.All

You will be prompted to sign in. Use an account with an appropriate role (e.g., User Administrator or Global Administrator). The User.ReadWrite.All delegated scope is required to update user properties such as PasswordPolicies; on first use you will be asked to consent to it.

Step 2 – Update Affected Users

To remove only the strong password bypass while keeping password expiration disabled (use this form only when the account currently has both values, "DisablePasswordExpiration, DisableStrongPassword"; on an account that has only DisableStrongPassword it would newly disable password expiration):

Update-MgUser -UserId user@domain.com -PasswordPolicies DisablePasswordExpiration

To remove all exceptions and enforce both strong passwords and expiration:

Update-MgUser -UserId user@domain.com -PasswordPolicies None

Run this per flagged user, choosing the form that matches the account's current passwordPolicies value. For multiple users that need the same target value, a loop applies the change in bulk, for example:

$users = 'user1@domain.com', 'user2@domain.com'   # UPNs of flagged accounts that also have DisablePasswordExpiration
foreach ($user in $users) { Update-MgUser -UserId $user -PasswordPolicies DisablePasswordExpiration }

Step 3 – Re-run Liongard's Microsoft 365 Inspector

After updating users, re-run the inspector to refresh the data. This ensures Liongard validates the change and clears the alert (if properly remediated).

How to Identify Affected Users

Liongard provides details of impacted users in the Actionable Alert. You can also create a custom metric to surface users with DisableStrongPassword enabled, for proactive checks across environments.
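The following script ties the identification and remediation steps above together. It is an added example, not Liongard's or Microsoft's own code: it enumerates every user whose passwordPolicies contains DisableStrongPassword, removes only that value (keeping DisablePasswordExpiration where it is already set, otherwise resetting to None), and reads each user back to confirm the change before you re-run the inspector. It assumes the Microsoft.Graph.Users module is installed and that the signed-in account holds User Administrator or higher; the $WeakFlag variable and the -WhatIf preview behaviour are the example's own choices.

```powershell
# Added example (not Liongard's or Microsoft's script). Clears DisableStrongPassword
# from every user that has it, preserving any other passwordPolicies value.
# Assumes Microsoft.Graph.Users is installed and the signed-in account can update users.
# Run with -WhatIf to preview the changes without writing them.
[CmdletBinding(SupportsShouldProcess)]
param()

$WeakFlag = 'DisableStrongPassword'   # the value this alert is about

Connect-MgGraph -Scopes 'User.ReadWrite.All'

# passwordPolicies is only returned when explicitly selected, so request it.
# The match is done client-side rather than with $filter, which keeps the
# query independent of server-side filter support for this property.
$flagged = Get-MgUser -All -Property Id,UserPrincipalName,PasswordPolicies |
    Where-Object {
        $_.PasswordPolicies -and (($_.PasswordPolicies -split ',\s*') -contains $WeakFlag)
    }

if (-not $flagged) {
    Write-Host "No users with $WeakFlag found."
    return
}

Write-Host ("Found {0} user(s) with {1}" -f @($flagged).Count, $WeakFlag)

foreach ($user in $flagged) {
    # Drop the weak-password exception and keep whatever else is set
    # (in practice only DisablePasswordExpiration).
    $remaining = @(($user.PasswordPolicies -split ',\s*') |
        Where-Object { $_ -and $_ -ne $WeakFlag })

    # Graph expects the literal string None when no exception should remain.
    $newValue = if ($remaining.Count -gt 0) { $remaining -join ', ' } else { 'None' }

    $action = "Set passwordPolicies from '$($user.PasswordPolicies)' to '$newValue'"
    if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, $action)) {
        Update-MgUser -UserId $user.Id -PasswordPolicies $newValue

        # Read the property back so the run itself confirms the remediation
        # before Liongard's inspector is re-run.
        $check = Get-MgUser -UserId $user.Id -Property PasswordPolicies
        if ($check.PasswordPolicies -match $WeakFlag) {
            Write-Warning "$($user.UserPrincipalName) still has $WeakFlag set"
        } else {
            Write-Host "$($user.UserPrincipalName): now '$($check.PasswordPolicies)'"
        }
    }
}
```

Save it as a .ps1 file and run it once with -WhatIf to see which accounts would change and to what value; the accounts it lists should match the users named in the Actionable Alert. Because the new value is derived from each user's current passwordPolicies rather than hard-coded, an account that only had DisableStrongPassword is reset to None and one that also had DisablePasswordExpiration keeps that exception, so the script is safe to run across a whole tenant without first sorting users into groups.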

Final Thoughts

The presence of DisableStrongPassword is a silent but significant security risk. Liongard flags this not based on password complexity, but on whether your environment enforces password hygiene at the policy level.

Even a strong password today can be changed tomorrow. The goal is to enforce strong passwords systemically, not hope users make the right choices.

By clearing this flag, you’re aligning with Microsoft security best practices and hardening your tenant against preventable risks.

Additional Notes

  • Liongard surfaces these users based on policy, not actual password strength.

  • This flag must be explicitly cleared for the alert to stop.

  • If you have any questions or suggestions, please feel free to contact Liongard support. We are happy to help!
