Can’t say I trust you on this one, Microsoft.

See the update from the NIST in 2017 documented and discussed in this podcast by searching “expire” grc.com/sn/sn-624.htm
The overall security recommendation changed to not get passwords to expire a few years back.
But people are more likely to use weak passwords if they have to change them, and they simply cycle weak passwords.
So we’re stuck with one weak password or multiple weak passwords. I think my brain doesn’t follow how this is better.
I might follow the logic here. But it seems like oversight to allow one weak, consistent password as opposed to changing them. 🤷🏻‍♂️
expiring does nothing to increase security except frustrate users with password change requests. Better to invest in training them on a password manager and what a good password is