It's a setting in the admin.microsoft.com portal (Org settings -> Security & privacy -> Password expiration policy).
The setting, funny enough, is literally "Set passwords to never expire (recommended)".
They also link to "Learn why passwords that never expire are more secure" in the same place.
Anyone who is forcing expiry is specifically going against recommended policies (Microsoft's, NIST's, and any serious security person) for some reason or other.
Several frameworks are (finally) catching up to modern day understanding, and have either forgone the requirement for password rotation or have various exemptions if other technical measures are in place. But I agree, for those that haven't changed, it's incredibly frustrating to hamstring your own security so that you can pass a compliance or security audit.
I obviously don't know which framework you are auditing against, so can't be specific, but it may be worth double-checking the requirements rather than relying on the assessor's word (if you aren't already). It is not unheard of for assessors to be behind on their understanding of best practices (especially those who've been an assessor for a long period of time - they may be going more by habit and previous engagements instead of the most up-to-date documents).
We had to prove we have a password expiration policy for a compliance audit, showed them that MS recommends not to have passwords expire and the NIST guidance and the auditors were supper happy.