Even Microsoft itself has gotten to the point that expired passwords decrease security; therefore, I'd leave that off.
Used passwords is a two-edged sword; possibly I'd enforce those.
Strong passwords are always a good idea.
Account lockout should be set to prevent users from being brute-forced.
Idle timeouts are a good thing until they're set too low. I'd go with 2-4 hours.
Two-factor authentication is a must nowadays.
If you have the chance to provide fixed login IP ranges, these are also a good idea.