Microsoft has removed the 16-character limit for passwords used for cloud user accounts in Azure Active Directory. To improve security, the company is now allowing users to configure passwords with up to 256 characters (including spaces), and this should provide the same flexibility that on-premises Windows AD accounts already enjoy.
If Microsoft now supports up to 256 character passwords for cloud-based Azure AD accounts, users will still need to choose a combination of uppercase letters, lowercase letters, symbols and numbers. You can learn more details on Microosft’s password requirements in the company’s password policy documentation.
For now, this change doesn’t apply to passwords for personal Microsoft accounts (MSA), though maybe this is something Microsoft should consider. In the meantime, we highly recommend setting up two-factor authentication on your Microsoft account, and using Microsoft’s excellent Authenticator app for all of your secure log-in needs.