I'd love to make changes to our security group policies... but apparently our major partner company says they want those dumb requirements.
I did get multifactor going at least, with regards to the user's Office logins... too many idiots following phishing sites and handing over their credentials.
Setting up MFA was a bit of a headache, but probably worth it in the long-run.
MFA is currently indicated as the best bang for your buck that you can get regarding end user (of course admin as well) account security and protection from password related attacks. Of course, not all MFA is created equal, but implementing MFA is definitely a great step.