About fine-grained password policies

This page explains the fine-grained password policies (FGPP) concepts and related best practices for Managed Service for Microsoft Active Directory.


You can use FGPP to define and enforce strong password settings on a specific Active Directory user or group. Note that password policies are different from the default domain password policy which is configured by a group policy and linked to the root of the domain.

FGPP is set in Password Settings Objects (PSO). Each PSO has a precedence value that indicates its priority. The lower this value, the higher the priority of that PSO. Managed Microsoft AD creates ten PSOs with default settings. You cannot change the names or precedences of these PSOs, but you can change the settings. For more information about the pre-created PSOs, see Password Settings Objects.

Policy settings

Each PSO can contain the following policy settings:

What's next