The National Institute of Standards and Technology (NIST) now recommends requiring a password change only when there is reason to believe it has been compromised. Forced password change encourages weak passwords and bad storing habits. This should be combined with other security measures like Multi-Factor Authentication. We also recommend that you leave the strong password setting on, as this significantly reduces the risk of a password being compromised.

You can configure one of the following options when you apply Settings:

• Apply All: Office Protect will create a password expiration policy so the user passwords do not expire.
• Remove from All Accounts: Office Protect will remove the password expiration policy, if it was not implemented in the first place, this will not remove anything.
• Do not modify (Ignore): We will not monitor nor attempt to modify the organization’s password policy setting.

You can find the setting in the Microsoft Admin Center, in the Settings/Org Settings/Security & Privacy/Password expiration policy section.

Operation to look for in the Unified Audit Logs: Set password policy.       

Microsoft’s recommendations for passwords: https://docs.microsoft.com/en-us/microsoft-365/admin/misc/password-policy-recommendations?view=o365-worldwide